davidb/jdnssec-tools
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

Use generic types when possible.

Browse Source 
git-svn-id: https://svn.verisignlabs.com/jdnssec/tools/trunk@246 4cbd57fe-54e5-0310-bd9a-f30fe5ea5e6e
This commit is contained in:
David Blacka 2011-02-12 21:25:42 +00:00
parent 91207aeed2
commit fb75a5419f
17 changed files with 427 additions and 520 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -1,5 +1,8 @@
2011-02-12 David Blacka <davidb@verisignlabs.com> 2011-02-12 David Blacka <davidb@verisignlabs.com>
* Use Java 1.5 generic types when possible. DNSJava itself still
doesn't use them, so we have to suppress warnings when we use
RRset.rrs(), etc.
* Update commons-cli to version 1.2. * Update commons-cli to version 1.2.
* Refactor all of the command line classes. A new command line * Refactor all of the command line classes. A new command line
base class has been created to eliminate much of the duplicated base class has been created to eliminate much of the duplicated

52
src/com/verisignlabs/dnssec/cl/SignKeyset.java
View File

@ -25,12 +25,12 @@ import java.util.Date;
import java.util.Iterator; import java.util.Iterator;
import java.util.List; import java.util.List;
import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.OptionBuilder; import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Options; import org.apache.commons.cli.Options;
import org.xbill.DNS.DNSSEC; import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name; import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset; import org.xbill.DNS.RRset;
import org.xbill.DNS.Record; import org.xbill.DNS.Record;
import org.xbill.DNS.Type; import org.xbill.DNS.Type;
@ -99,7 +99,8 @@ public class SignKeyset extends CLBase
opts.addOption(OptionBuilder.create('f')); opts.addOption(OptionBuilder.create('f'));
} }
protected void processOptions(CommandLine cli) throws org.apache.commons.cli.ParseException protected void processOptions(CommandLine cli)
throws org.apache.commons.cli.ParseException
{ {
String optstr = null; String optstr = null;
@ -164,25 +165,24 @@ public class SignKeyset extends CLBase
* a list of keypairs used the sign the zone. * a list of keypairs used the sign the zone.
* @return true if all of the signatures validated. * @return true if all of the signatures validated.
*/ */
private static boolean verifySigs(Name zonename, List records, List keypairs) private static boolean verifySigs(Name zonename, List<Record> records,
List<DnsKeyPair> keypairs)
{ {
boolean secure = true; boolean secure = true;
DnsSecVerifier verifier = new DnsSecVerifier(); DnsSecVerifier verifier = new DnsSecVerifier();
for (Iterator i = keypairs.iterator(); i.hasNext();) for (DnsKeyPair pair : keypairs)
{ {
verifier.addTrustedKey((DnsKeyPair) i.next()); verifier.addTrustedKey(pair);
} }
verifier.setVerifyAllSigs(true); verifier.setVerifyAllSigs(true);
List rrsets = SignUtils.assembleIntoRRsets(records); List<RRset> rrsets = SignUtils.assembleIntoRRsets(records);
for (Iterator i = rrsets.iterator(); i.hasNext();) for (RRset rrset : rrsets)
{ {
RRset rrset = (RRset) i.next();
// skip unsigned rrsets. // skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue; if (!rrset.sigs().hasNext()) continue;
@ -211,15 +211,15 @@ public class SignKeyset extends CLBase
* the directory to look in (may be null). * the directory to look in (may be null).
* @return a list of keypair objects. * @return a list of keypair objects.
*/ */
private static List getKeys(String[] keyfiles, int start_index, File inDirectory) private static List<DnsKeyPair> getKeys(String[] keyfiles, int start_index,
throws IOException File inDirectory) throws IOException
{ {
if (keyfiles == null) return null; if (keyfiles == null) return null;
int len = keyfiles.length - start_index; int len = keyfiles.length - start_index;
if (len <= 0) return null; if (len <= 0) return null;
ArrayList keys = new ArrayList(len); ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>(len);
for (int i = start_index; i < keyfiles.length; i++) for (int i = start_index; i < keyfiles.length; i++)
{ {
@ -248,7 +248,8 @@ public class SignKeyset extends CLBase
} }
} }
private static List findZoneKeys(File inDirectory, Name zonename) throws IOException private static List<DnsKeyPair> findZoneKeys(File inDirectory, Name zonename)
throws IOException
{ {
if (inDirectory == null) if (inDirectory == null)
{ {
@ -260,7 +261,7 @@ public class SignKeyset extends CLBase
File[] files = inDirectory.listFiles(filter); File[] files = inDirectory.listFiles(filter);
// read in all of the records // read in all of the records
ArrayList keys = new ArrayList(); ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>();
for (int i = 0; i < files.length; i++) for (int i = 0; i < files.length; i++)
{ {
DnsKeyPair p = BINDKeyUtils.loadKeyPair(files[i].getName(), inDirectory); DnsKeyPair p = BINDKeyUtils.loadKeyPair(files[i].getName(), inDirectory);
@ -271,10 +272,11 @@ public class SignKeyset extends CLBase
return null; return null;
} }
@SuppressWarnings("unchecked")
public void execute() throws Exception public void execute() throws Exception
{ {
// Read in the zone // Read in the zone
List records = ZoneUtils.readZoneFile(state.inputfile, null); List<Record> records = ZoneUtils.readZoneFile(state.inputfile, null);
if (records == null || records.size() == 0) if (records == null || records.size() == 0)
{ {
System.err.println("error: empty keyset file"); System.err.println("error: empty keyset file");
@ -284,9 +286,9 @@ public class SignKeyset extends CLBase
// Make sure that all records are DNSKEYs with the same name. // Make sure that all records are DNSKEYs with the same name.
Name keysetName = null; Name keysetName = null;
RRset keyset = new RRset(); RRset keyset = new RRset();
for (Iterator i = records.iterator(); i.hasNext();)
for (Record r : records)
{ {
Record r = (Record) i.next();
if (r.getType() != Type.DNSKEY) if (r.getType() != Type.DNSKEY)
{ {
System.err.println("error: Non DNSKEY RR found in keyset: " + r); System.err.println("error: Non DNSKEY RR found in keyset: " + r);
@ -311,7 +313,7 @@ public class SignKeyset extends CLBase
} }
// Load the key pairs. // Load the key pairs.
List keypairs = getKeys(state.keyFiles, 0, state.keyDirectory); List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory);
// If we *still* don't have any key pairs, look for keys the key // If we *still* don't have any key pairs, look for keys the key
// directory // directory
@ -343,26 +345,24 @@ public class SignKeyset extends CLBase
JCEDnsSecSigner signer = new JCEDnsSecSigner(); JCEDnsSecSigner signer = new JCEDnsSecSigner();
List sigs = signer.signRRset(keyset, keypairs, state.start, state.expire); List<RRSIGRecord> sigs = signer.signRRset(keyset, keypairs, state.start, state.expire);
for (Iterator i = sigs.iterator(); i.hasNext();) for (RRSIGRecord s : sigs)
{ {
keyset.addRR((Record) i.next()); keyset.addRR(s);
} }
// write out the signed RRset // write out the signed RRset
List signed_records = new ArrayList(); List<Record> signed_records = new ArrayList<Record>();
for (Iterator i = keyset.rrs(); i.hasNext();) for (Iterator<Record> i = keyset.rrs(); i.hasNext();)
{ {
signed_records.add(i.next()); signed_records.add(i.next());
} }
for (Iterator i = keyset.sigs(); i.hasNext();) for (Iterator<Record> i = keyset.sigs(); i.hasNext();)
{ {
signed_records.add(i.next()); signed_records.add(i.next());
} }
// write out the signed zone // write out the signed zone
// force multiline mode for now
org.xbill.DNS.Options.set("multiline");
ZoneUtils.writeZoneFile(signed_records, state.outputfile); ZoneUtils.writeZoneFile(signed_records, state.outputfile);
if (state.verifySigs) if (state.verifySigs)

33
src/com/verisignlabs/dnssec/cl/SignRRset.java
View File

@ -30,6 +30,7 @@ import org.apache.commons.cli.Options;
import org.xbill.DNS.DNSSEC; import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Name; import org.xbill.DNS.Name;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset; import org.xbill.DNS.RRset;
import org.xbill.DNS.Record; import org.xbill.DNS.Record;
import org.xbill.DNS.Type; import org.xbill.DNS.Type;
@ -164,25 +165,23 @@ public class SignRRset extends CLBase
* a list of keypairs used the sign the zone. * a list of keypairs used the sign the zone.
* @return true if all of the signatures validated. * @return true if all of the signatures validated.
*/ */
private static boolean verifySigs(Name zonename, List records, List keypairs) private static boolean verifySigs(Name zonename, List<Record> records, List<DnsKeyPair> keypairs)
{ {
boolean secure = true; boolean secure = true;
DnsSecVerifier verifier = new DnsSecVerifier(); DnsSecVerifier verifier = new DnsSecVerifier();
for (Iterator i = keypairs.iterator(); i.hasNext();) for (DnsKeyPair pair : keypairs)
{ {
verifier.addTrustedKey((DnsKeyPair) i.next()); verifier.addTrustedKey(pair);
} }
verifier.setVerifyAllSigs(true); verifier.setVerifyAllSigs(true);
List rrsets = SignUtils.assembleIntoRRsets(records); List<RRset> rrsets = SignUtils.assembleIntoRRsets(records);
for (Iterator i = rrsets.iterator(); i.hasNext();) for (RRset rrset : rrsets)
{ {
RRset rrset = (RRset) i.next();
// skip unsigned rrsets. // skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue; if (!rrset.sigs().hasNext()) continue;
@ -230,10 +229,11 @@ public class SignRRset extends CLBase
return keys; return keys;
} }
@SuppressWarnings("unchecked")
public void execute() throws Exception public void execute() throws Exception
{ {
// Read in the zone // Read in the zone
List records = ZoneUtils.readZoneFile(state.inputfile, null); List<Record> records = ZoneUtils.readZoneFile(state.inputfile, null);
if (records == null || records.size() == 0) if (records == null || records.size() == 0)
{ {
System.err.println("error: empty RRset file"); System.err.println("error: empty RRset file");
@ -242,10 +242,9 @@ public class SignRRset extends CLBase
// Construct the RRset. Complain if the records in the input file // Construct the RRset. Complain if the records in the input file
// consist of more than one RRset. // consist of more than one RRset.
RRset rrset = null; RRset rrset = null;
for (Iterator i = records.iterator(); i.hasNext();)
{
Record r = (Record) i.next();
for (Record r : records)
{
// skip RRSIGs // skip RRSIGs
if (r.getType() == Type.RRSIG || r.getType() == Type.SIG) if (r.getType() == Type.RRSIG || r.getType() == Type.SIG)
{ {
@ -314,19 +313,19 @@ public class SignRRset extends CLBase
JCEDnsSecSigner signer = new JCEDnsSecSigner(); JCEDnsSecSigner signer = new JCEDnsSecSigner();
List sigs = signer.signRRset(rrset, keypairs, state.start, state.expire); List<RRSIGRecord> sigs = signer.signRRset(rrset, keypairs, state.start, state.expire);
for (Iterator i = sigs.iterator(); i.hasNext();) for (RRSIGRecord s : sigs)
{ {
rrset.addRR((Record) i.next()); rrset.addRR(s);
} }
// write out the signed RRset // write out the signed RRset
List signed_records = new ArrayList(); List<Record> signed_records = new ArrayList<Record>();
for (Iterator i = rrset.rrs(); i.hasNext();) for (Iterator<Record> i = rrset.rrs(); i.hasNext();)
{ {
signed_records.add(i.next()); signed_records.add(i.next());
} }
for (Iterator i = rrset.sigs(); i.hasNext();) for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
{ {
signed_records.add(i.next()); signed_records.add(i.next());
} }

86
src/com/verisignlabs/dnssec/cl/SignZone.java
View File

@ -75,7 +75,7 @@ public class SignZone extends CLBase
public boolean verifySigs = false; public boolean verifySigs = false;
public boolean useOptOut = false; public boolean useOptOut = false;
public boolean fullySignKeyset = false; public boolean fullySignKeyset = false;
public List includeNames = null; public List<Name> includeNames = null;
public boolean useNsec3 = false; public boolean useNsec3 = false;
public byte[] salt = null; public byte[] salt = null;
public int iterations = 0; public int iterations = 0;
@ -176,8 +176,7 @@ public class SignZone extends CLBase
protected void processOptions(CommandLine cli) throws ParseException protected void processOptions(CommandLine cli) throws ParseException
{ {
String optstr; String optstr = null;
String[] optstrs;
if (cli.hasOption('a')) verifySigs = true; if (cli.hasOption('a')) verifySigs = true;
if (cli.hasOption('3')) useNsec3 = true; if (cli.hasOption('3')) useNsec3 = true;
@ -323,25 +322,24 @@ public class SignZone extends CLBase
* a list of keypairs used the sign the zone. * a list of keypairs used the sign the zone.
* @return true if all of the signatures validated. * @return true if all of the signatures validated.
*/ */
private static boolean verifyZoneSigs(Name zonename, List records, List keypairs) private static boolean verifyZoneSigs(Name zonename, List<Record> records,
List<DnsKeyPair> keypairs)
{ {
boolean secure = true; boolean secure = true;
DnsSecVerifier verifier = new DnsSecVerifier(); DnsSecVerifier verifier = new DnsSecVerifier();
for (Iterator i = keypairs.iterator(); i.hasNext();) for (DnsKeyPair pair : keypairs)
{ {
verifier.addTrustedKey((DnsKeyPair) i.next()); verifier.addTrustedKey(pair);
} }
verifier.setVerifyAllSigs(true); verifier.setVerifyAllSigs(true);
List rrsets = SignUtils.assembleIntoRRsets(records); List<RRset> rrsets = SignUtils.assembleIntoRRsets(records);
for (Iterator i = rrsets.iterator(); i.hasNext();) for (RRset rrset : rrsets)
{ {
RRset rrset = (RRset) i.next();
// skip unsigned rrsets. // skip unsigned rrsets.
if (!rrset.sigs().hasNext()) continue; if (!rrset.sigs().hasNext()) continue;
@ -371,15 +369,15 @@ public class SignZone extends CLBase
* the directory to look in (may be null). * the directory to look in (may be null).
* @return a list of keypair objects. * @return a list of keypair objects.
*/ */
private static List getKeys(String[] keyfiles, int start_index, File inDirectory) private static List<DnsKeyPair> getKeys(String[] keyfiles, int start_index,
throws IOException File inDirectory) throws IOException
{ {
if (keyfiles == null) return null; if (keyfiles == null) return null;
int len = keyfiles.length - start_index; int len = keyfiles.length - start_index;
if (len <= 0) return null; if (len <= 0) return null;
ArrayList keys = new ArrayList(len); ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>(len);
for (int i = start_index; i < keyfiles.length; i++) for (int i = start_index; i < keyfiles.length; i++)
{ {
@ -390,14 +388,17 @@ public class SignZone extends CLBase
return keys; return keys;
} }
private static List getKeys(List dnskeyrrs, File inDirectory) throws IOException private static List<DnsKeyPair> getKeys(List<Record> dnskeyrrs, File inDirectory)
throws IOException
{ {
List res = new ArrayList(); List<DnsKeyPair> res = new ArrayList<DnsKeyPair>();
for (Iterator i = dnskeyrrs.iterator(); i.hasNext();) for (Record r : dnskeyrrs)
{ {
if (r.getType() != Type.DNSKEY) continue;
// Construct a public-key-only DnsKeyPair just so we can calculate the // Construct a public-key-only DnsKeyPair just so we can calculate the
// base name. // base name.
DnsKeyPair pub = new DnsKeyPair((DNSKEYRecord) i.next()); DnsKeyPair pub = new DnsKeyPair((DNSKEYRecord) r);
DnsKeyPair pair = BINDKeyUtils.loadKeyPair(BINDKeyUtils.keyFileBase(pub), DnsKeyPair pair = BINDKeyUtils.loadKeyPair(BINDKeyUtils.keyFileBase(pub),
inDirectory); inDirectory);
if (pair != null) if (pair != null)
@ -428,7 +429,8 @@ public class SignZone extends CLBase
} }
} }
private static List findZoneKeys(File inDirectory, Name zonename) throws IOException private static List<DnsKeyPair> findZoneKeys(File inDirectory, Name zonename)
throws IOException
{ {
if (inDirectory == null) if (inDirectory == null)
{ {
@ -440,7 +442,7 @@ public class SignZone extends CLBase
File[] files = inDirectory.listFiles(filter); File[] files = inDirectory.listFiles(filter);
// read in all of the records // read in all of the records
ArrayList keys = new ArrayList(); ArrayList<DnsKeyPair> keys = new ArrayList<DnsKeyPair>();
for (int i = 0; i < files.length; i++) for (int i = 0; i < files.length; i++)
{ {
DnsKeyPair p = BINDKeyUtils.loadKeyPair(files[i].getName(), inDirectory); DnsKeyPair p = BINDKeyUtils.loadKeyPair(files[i].getName(), inDirectory);
@ -480,7 +482,8 @@ public class SignZone extends CLBase
* @return a list of {@link org.xbill.DNS.Record}s found in the keyset * @return a list of {@link org.xbill.DNS.Record}s found in the keyset
* files. * files.
*/ */
private static List getKeysets(File inDirectory, Name zonename) throws IOException private static List<Record> getKeysets(File inDirectory, Name zonename)
throws IOException
{ {
if (inDirectory == null) if (inDirectory == null)
{ {
@ -492,17 +495,17 @@ public class SignZone extends CLBase
File[] files = inDirectory.listFiles(filter); File[] files = inDirectory.listFiles(filter);
// read in all of the records // read in all of the records
ArrayList keysetRecords = new ArrayList(); ArrayList<Record> keysetRecords = new ArrayList<Record>();
for (int i = 0; i < files.length; i++) for (int i = 0; i < files.length; i++)
{ {
List l = ZoneUtils.readZoneFile(files[i].getAbsolutePath(), zonename); List<Record> l = ZoneUtils.readZoneFile(files[i].getAbsolutePath(), zonename);
keysetRecords.addAll(l); keysetRecords.addAll(l);
} }
// discard records that do not belong to the zone in question. // discard records that do not belong to the zone in question.
for (Iterator i = keysetRecords.iterator(); i.hasNext();) for (Iterator<Record> i = keysetRecords.iterator(); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = i.next();
if (!r.getName().subdomain(zonename)) if (!r.getName().subdomain(zonename))
{ {
i.remove(); i.remove();
@ -519,10 +522,10 @@ public class SignZone extends CLBase
* the path of a file containing a bare list of DNS names. * the path of a file containing a bare list of DNS names.
* @return a list of {@link org.xbill.DNS.Name} objects. * @return a list of {@link org.xbill.DNS.Name} objects.
*/ */
private static List getNameList(File nameListFile) throws IOException private static List<Name> getNameList(File nameListFile) throws IOException
{ {
BufferedReader br = new BufferedReader(new FileReader(nameListFile)); BufferedReader br = new BufferedReader(new FileReader(nameListFile));
List res = new ArrayList(); List<Name> res = new ArrayList<Name>();
String line = null; String line = null;
while ((line = br.readLine()) != null) while ((line = br.readLine()) != null)
@ -559,13 +562,12 @@ public class SignZone extends CLBase
* zone. * zone.
* @return true if the keypairs valid. * @return true if the keypairs valid.
*/ */
private static boolean keyPairsValidForZone(Name zonename, List keypairs) private static boolean keyPairsValidForZone(Name zonename, List<DnsKeyPair> keypairs)
{ {
if (keypairs == null) return true; // technically true, I guess. if (keypairs == null) return true; // technically true, I guess.
for (Iterator i = keypairs.iterator(); i.hasNext();) for (DnsKeyPair kp : keypairs)
{ {
DnsKeyPair kp = (DnsKeyPair) i.next();
Name keyname = kp.getDNSKEYRecord().getName(); Name keyname = kp.getDNSKEYRecord().getName();
if (!keyname.equals(zonename)) if (!keyname.equals(zonename))
{ {
@ -579,7 +581,7 @@ public class SignZone extends CLBase
public void execute() throws Exception public void execute() throws Exception
{ {
// Read in the zone // Read in the zone
List records = ZoneUtils.readZoneFile(state.zonefile, null); List<Record> records = ZoneUtils.readZoneFile(state.zonefile, null);
if (records == null || records.size() == 0) if (records == null || records.size() == 0)
{ {
System.err.println("error: empty zone file"); System.err.println("error: empty zone file");
@ -596,14 +598,14 @@ public class SignZone extends CLBase
// Load the key pairs. // Load the key pairs.
List keypairs = getKeys(state.keyFiles, 0, state.keyDirectory); List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory);
List kskpairs = getKeys(state.kskFiles, 0, state.keyDirectory); List<DnsKeyPair> kskpairs = getKeys(state.kskFiles, 0, state.keyDirectory);
// If we didn't get any keys on the command line, look at the zone apex for // If we didn't get any keys on the command line, look at the zone apex for
// any public keys. // any public keys.
if (keypairs == null && kskpairs == null) if (keypairs == null && kskpairs == null)
{ {
List dnskeys = ZoneUtils.findRRs(records, zonename, Type.DNSKEY); List<Record> dnskeys = ZoneUtils.findRRs(records, zonename, Type.DNSKEY);
keypairs = getKeys(dnskeys, state.keyDirectory); keypairs = getKeys(dnskeys, state.keyDirectory);
} }
@ -621,13 +623,13 @@ public class SignZone extends CLBase
if ((kskpairs == null || kskpairs.size() == 0) && keypairs != null if ((kskpairs == null || kskpairs.size() == 0) && keypairs != null
&& keypairs.size() > 1) && keypairs.size() > 1)
{ {
for (Iterator i = keypairs.iterator(); i.hasNext();) for (Iterator<DnsKeyPair> i = keypairs.iterator(); i.hasNext();)
{ {
DnsKeyPair pair = (DnsKeyPair) i.next(); DnsKeyPair pair = i.next();
DNSKEYRecord kr = pair.getDNSKEYRecord(); DNSKEYRecord kr = pair.getDNSKEYRecord();
if ((kr.getFlags() & DNSKEYRecord.Flags.SEP_KEY) != 0) if ((kr.getFlags() & DNSKEYRecord.Flags.SEP_KEY) != 0)
{ {
if (kskpairs == null) kskpairs = new ArrayList(); if (kskpairs == null) kskpairs = new ArrayList<DnsKeyPair>();
kskpairs.add(pair); kskpairs.add(pair);
i.remove(); i.remove();
} }
@ -674,21 +676,21 @@ public class SignZone extends CLBase
// removes duplicate records. // removes duplicate records.
if (kskpairs != null) if (kskpairs != null)
{ {
for (Iterator i = kskpairs.iterator(); i.hasNext();) for (DnsKeyPair pair : kskpairs)
{ {
records.add(((DnsKeyPair) i.next()).getDNSKEYRecord()); records.add(pair.getDNSKEYRecord());
} }
} }
if (keypairs != null) if (keypairs != null)
{ {
for (Iterator i = keypairs.iterator(); i.hasNext();) for (DnsKeyPair pair : keypairs)
{ {
records.add(((DnsKeyPair) i.next()).getDNSKEYRecord()); records.add(pair.getDNSKEYRecord());
} }
} }
// read in the keysets, if any. // read in the keysets, if any.
List keysetrecs = getKeysets(state.keysetDirectory, zonename); List<Record> keysetrecs = getKeysets(state.keysetDirectory, zonename);
if (keysetrecs != null) if (keysetrecs != null)
{ {
records.addAll(keysetrecs); records.addAll(keysetrecs);
@ -697,7 +699,7 @@ public class SignZone extends CLBase
JCEDnsSecSigner signer = new JCEDnsSecSigner(state.verboseSigning); JCEDnsSecSigner signer = new JCEDnsSecSigner(state.verboseSigning);
// Sign the zone. // Sign the zone.
List signed_records; List<Record> signed_records;
if (state.useNsec3) if (state.useNsec3)
{ {

3
src/com/verisignlabs/dnssec/cl/VerifyZone.java
View File

@ -22,6 +22,7 @@ import java.util.List;
import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.OptionBuilder; import org.apache.commons.cli.OptionBuilder;
import org.apache.commons.cli.Options; import org.apache.commons.cli.Options;
import org.xbill.DNS.Record;
import com.verisignlabs.dnssec.security.ZoneUtils; import com.verisignlabs.dnssec.security.ZoneUtils;
import com.verisignlabs.dnssec.security.ZoneVerifier; import com.verisignlabs.dnssec.security.ZoneVerifier;
@ -126,7 +127,7 @@ public class VerifyZone extends CLBase
zoneverifier.getVerifier().setExpireFudge(state.expirefudge); zoneverifier.getVerifier().setExpireFudge(state.expirefudge);
zoneverifier.getVerifier().setIgnoreTime(state.ignoreTime); zoneverifier.getVerifier().setIgnoreTime(state.ignoreTime);
List records = ZoneUtils.readZoneFile(state.zonefile, null); List<Record> records = ZoneUtils.readZoneFile(state.zonefile, null);
log.fine("verifying zone..."); log.fine("verifying zone...");
int errors = zoneverifier.verifyZone(records); int errors = zoneverifier.verifyZone(records);

47
src/com/verisignlabs/dnssec/cl/ZoneFormat.java
View File

@ -18,16 +18,23 @@
package com.verisignlabs.dnssec.cl; package com.verisignlabs.dnssec.cl;
import java.io.IOException; import java.io.IOException;
import java.io.PrintWriter;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.*; import java.util.ArrayList;
import java.util.logging.Handler; import java.util.Collections;
import java.util.logging.Level; import java.util.HashMap;
import java.util.logging.Logger; import java.util.List;
import java.util.ListIterator;
import org.apache.commons.cli.*; import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Options; import org.apache.commons.cli.Options;
import org.xbill.DNS.*; import org.apache.commons.cli.ParseException;
import org.xbill.DNS.Master;
import org.xbill.DNS.NSEC3PARAMRecord;
import org.xbill.DNS.NSEC3Record;
import org.xbill.DNS.Name;
import org.xbill.DNS.Record;
import org.xbill.DNS.Section;
import org.xbill.DNS.Type;
import org.xbill.DNS.utils.base32; import org.xbill.DNS.utils.base32;
import com.verisignlabs.dnssec.security.RecordComparator; import com.verisignlabs.dnssec.security.RecordComparator;
@ -80,11 +87,11 @@ public class ZoneFormat extends CLBase
} }
} }
private static List readZoneFile(String filename) throws IOException private static List<Record> readZoneFile(String filename) throws IOException
{ {
Master master = new Master(filename); Master master = new Master(filename);
List res = new ArrayList(); List<Record> res = new ArrayList<Record>();
Record r = null; Record r = null;
while ((r = master.nextRecord()) != null) while ((r = master.nextRecord()) != null)
@ -99,21 +106,21 @@ public class ZoneFormat extends CLBase
return res; return res;
} }
private static void formatZone(List zone) private static void formatZone(List<Record> zone)
{ {
// Put the zone into a consistent (name and RR type) order. // Put the zone into a consistent (name and RR type) order.
RecordComparator cmp = new RecordComparator(); RecordComparator cmp = new RecordComparator();
Collections.sort(zone, cmp); Collections.sort(zone, cmp);
for (Iterator i = zone.iterator(); i.hasNext();) for (Record r : zone)
{ {
Record r = (Record) i.next();
System.out.println(r.toString()); System.out.println(r.toString());
} }
} }
private static void determineNSEC3Owners(List zone) throws NoSuchAlgorithmException private static void determineNSEC3Owners(List<Record> zone)
throws NoSuchAlgorithmException
{ {
// Put the zone into a consistent (name and RR type) order. // Put the zone into a consistent (name and RR type) order.
Collections.sort(zone, new RecordComparator()); Collections.sort(zone, new RecordComparator());
@ -121,12 +128,11 @@ public class ZoneFormat extends CLBase
// first, find the NSEC3PARAM record -- this is an inefficient linear // first, find the NSEC3PARAM record -- this is an inefficient linear
// search. // search.
NSEC3PARAMRecord nsec3param = null; NSEC3PARAMRecord nsec3param = null;
HashMap map = new HashMap(); HashMap<String, String> map = new HashMap<String, String>();
base32 b32 = new base32(base32.Alphabet.BASE32HEX, false, true); base32 b32 = new base32(base32.Alphabet.BASE32HEX, false, true);
for (Iterator i = zone.iterator(); i.hasNext();) for (Record r : zone)
{ {
Record r = (Record) i.next();
if (r.getType() == Type.NSEC3PARAM) if (r.getType() == Type.NSEC3PARAM)
{ {
nsec3param = (NSEC3PARAMRecord) r; nsec3param = (NSEC3PARAMRecord) r;
@ -139,9 +145,8 @@ public class ZoneFormat extends CLBase
// Next pass, calculate a mapping between ownernames and hashnames // Next pass, calculate a mapping between ownernames and hashnames
Name last_name = null; Name last_name = null;
for (Iterator i = zone.iterator(); i.hasNext();) for (Record r : zone)
{ {
Record r = (Record) i.next();
if (r.getName().equals(last_name)) continue; if (r.getName().equals(last_name)) continue;
if (r.getType() == Type.NSEC3) continue; if (r.getType() == Type.NSEC3) continue;
@ -152,9 +157,9 @@ public class ZoneFormat extends CLBase
} }
// Final pass, assign the names if we can // Final pass, assign the names if we can
for (ListIterator i = zone.listIterator(); i.hasNext();) for (ListIterator<Record> i = zone.listIterator(); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = i.next();
if (r.getType() != Type.NSEC3) continue; if (r.getType() != Type.NSEC3) continue;
NSEC3Record nsec3 = (NSEC3Record) r; NSEC3Record nsec3 = (NSEC3Record) r;
String hashname = nsec3.getName().getLabelString(0).toLowerCase(); String hashname = nsec3.getName().getLabelString(0).toLowerCase();
@ -171,7 +176,7 @@ public class ZoneFormat extends CLBase
public void execute() throws IOException, NoSuchAlgorithmException public void execute() throws IOException, NoSuchAlgorithmException
{ {
List z = readZoneFile(state.file); List<Record> z = readZoneFile(state.file);
if (state.assignNSEC3) determineNSEC3Owners(z); if (state.assignNSEC3) determineNSEC3Owners(z);
formatZone(z); formatZone(z);
} }

24
src/com/verisignlabs/dnssec/security/BareLogFormatter.java
View File

@ -1,24 +0,0 @@
package com.verisignlabs.dnssec.security;
import java.util.logging.LogRecord;
/**
* This is a very simple log formatter that simply outputs the log level and log
* string.
*/
public class BareLogFormatter extends java.util.logging.Formatter
{
@Override
public String format(LogRecord arg0)
{
StringBuilder out = new StringBuilder();
String lvl = arg0.getLevel().getName();
out.append(lvl);
out.append(": ");
out.append(arg0.getMessage());
out.append("\n");
return out.toString();
}
}

7
src/com/verisignlabs/dnssec/security/ByteArrayComparator.java
View File

@ -30,7 +30,7 @@ import java.util.logging.Logger;
* @author $Author$ * @author $Author$
* @version $Revision$ * @version $Revision$
*/ */
public class ByteArrayComparator implements Comparator public class ByteArrayComparator implements Comparator<byte[]>
{ {
private int mOffset = 0; private int mOffset = 0;
private boolean mDebug = false; private boolean mDebug = false;
@ -46,11 +46,8 @@ public class ByteArrayComparator implements Comparator
mDebug = debug; mDebug = debug;
} }
public int compare(Object o1, Object o2) throws ClassCastException public int compare(byte[] b1, byte[] b2)
{ {
byte[] b1 = (byte[]) o1;
byte[] b2 = (byte[]) o2;
for (int i = mOffset; i < b1.length && i < b2.length; i++) for (int i = mOffset; i < b1.length && i < b2.length; i++)
{ {
if (b1[i] != b2[i]) if (b1[i] != b2[i])

50
src/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java
View File

@ -77,16 +77,16 @@ public class DnsKeyAlgorithm
* This is a mapping of algorithm identifier to Entry. The Entry contains the * This is a mapping of algorithm identifier to Entry. The Entry contains the
* data needed to map the algorithm to the various crypto implementations. * data needed to map the algorithm to the various crypto implementations.
*/ */
private HashMap mAlgorithmMap; private HashMap<Integer, Entry> mAlgorithmMap;
/** /**
* This is a mapping of algorithm mnemonics to algorithm identifiers. * This is a mapping of algorithm mnemonics to algorithm identifiers.
*/ */
private HashMap mMnemonicToIdMap; private HashMap<String, Integer> mMnemonicToIdMap;
/** /**
* This is a mapping of identifiers to preferred mnemonic -- the preferred one * This is a mapping of identifiers to preferred mnemonic -- the preferred one
* is the first defined one * is the first defined one
*/ */
private HashMap mIdToMnemonicMap; private HashMap<Integer, String> mIdToMnemonicMap;
/** This is a cached key pair generator for RSA keys. */ /** This is a cached key pair generator for RSA keys. */
private KeyPairGenerator mRSAKeyGenerator; private KeyPairGenerator mRSAKeyGenerator;
@ -100,9 +100,9 @@ public class DnsKeyAlgorithm
public DnsKeyAlgorithm() public DnsKeyAlgorithm()
{ {
mAlgorithmMap = new HashMap(); mAlgorithmMap = new HashMap<Integer, Entry>();
mMnemonicToIdMap = new HashMap(); mMnemonicToIdMap = new HashMap<String, Integer>();
mIdToMnemonicMap = new HashMap(); mIdToMnemonicMap = new HashMap<Integer, String>();
// Load the standard DNSSEC algorithms. // Load the standard DNSSEC algorithms.
addAlgorithm(DNSSEC.RSAMD5, new Entry("MD5withRSA", RSA)); addAlgorithm(DNSSEC.RSAMD5, new Entry("MD5withRSA", RSA));
@ -137,40 +137,34 @@ public class DnsKeyAlgorithm
private void addAlgorithm(int algorithm, Entry entry) private void addAlgorithm(int algorithm, Entry entry)
{ {
Integer a = new Integer(algorithm); mAlgorithmMap.put(algorithm, entry);
mAlgorithmMap.put(a, entry);
} }
private void addMnemonic(String m, int alg) private void addMnemonic(String m, int alg)
{ {
Integer a = new Integer(alg); mMnemonicToIdMap.put(m.toUpperCase(), alg);
mMnemonicToIdMap.put(m.toUpperCase(), a); if (!mIdToMnemonicMap.containsKey(alg))
if (!mIdToMnemonicMap.containsKey(a))
{ {
mIdToMnemonicMap.put(a, m); mIdToMnemonicMap.put(alg, m);
} }
} }
public void addAlias(int alias, String mnemonic, int original_algorithm) public void addAlias(int alias, String mnemonic, int original_algorithm)
{ {
Integer a = new Integer(alias); if (mAlgorithmMap.containsKey(alias))
Integer o = new Integer(original_algorithm);
if (mAlgorithmMap.containsKey(a))
{ {
log.warning("Unable to alias algorithm " + alias log.warning("Unable to alias algorithm " + alias + " because it already exists.");
+ " because it already exists.");
return; return;
} }
if (!mAlgorithmMap.containsKey(o)) if (!mAlgorithmMap.containsKey(original_algorithm))
{ {
log.warning("Unable to alias algorith " + alias log.warning("Unable to alias algorith " + alias
+ " to unknown algorithm identifier " + original_algorithm); + " to unknown algorithm identifier " + original_algorithm);
return; return;
} }
mAlgorithmMap.put(a, mAlgorithmMap.get(o)); mAlgorithmMap.put(alias, mAlgorithmMap.get(original_algorithm));
if (mnemonic != null) if (mnemonic != null)
{ {
@ -180,7 +174,7 @@ public class DnsKeyAlgorithm
private Entry getEntry(int alg) private Entry getEntry(int alg)
{ {
return (Entry) mAlgorithmMap.get(new Integer(alg)); return mAlgorithmMap.get(alg);
} }
public Signature getSignature(int algorithm) public Signature getSignature(int algorithm)
@ -196,8 +190,8 @@ public class DnsKeyAlgorithm
} }
catch (NoSuchAlgorithmException e) catch (NoSuchAlgorithmException e)
{ {
log.severe("Unable to get signature implementation for algorithm " log.severe("Unable to get signature implementation for algorithm " + algorithm
+ algorithm + ": " + e); + ": " + e);
} }
return s; return s;
@ -205,14 +199,14 @@ public class DnsKeyAlgorithm
public int stringToAlgorithm(String s) public int stringToAlgorithm(String s)
{ {
Integer alg = (Integer) mMnemonicToIdMap.get(s.toUpperCase()); Integer alg = mMnemonicToIdMap.get(s.toUpperCase());
if (alg != null) return alg.intValue(); if (alg != null) return alg.intValue();
return -1; return -1;
} }
public String algToString(int algorithm) public String algToString(int algorithm)
{ {
return (String) mIdToMnemonicMap.get(new Integer(algorithm)); return mIdToMnemonicMap.get(algorithm);
} }
public int baseType(int algorithm) public int baseType(int algorithm)
@ -257,13 +251,11 @@ public class DnsKeyAlgorithm
RSAKeyGenParameterSpec rsa_spec; RSAKeyGenParameterSpec rsa_spec;
if (useLargeExp) if (useLargeExp)
{ {
rsa_spec = new RSAKeyGenParameterSpec(keysize, rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F4);
RSAKeyGenParameterSpec.F4);
} }
else else
{ {
rsa_spec = new RSAKeyGenParameterSpec(keysize, rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F0);
RSAKeyGenParameterSpec.F0);
} }
try try
{ {

27
src/com/verisignlabs/dnssec/security/DnsSecVerifier.java
View File

@ -51,20 +51,20 @@ public class DnsSecVerifier implements Verifier
// for now, this is implemented as a hash table of lists of // for now, this is implemented as a hash table of lists of
// DnsKeyPair objects (obviously, all of them will not have // DnsKeyPair objects (obviously, all of them will not have
// private keys). // private keys).
private HashMap mKeyMap; private HashMap<String, List<DnsKeyPair>> mKeyMap;
public TrustedKeyStore() public TrustedKeyStore()
{ {
mKeyMap = new HashMap(); mKeyMap = new HashMap<String, List<DnsKeyPair>>();
} }
public void add(DnsKeyPair pair) public void add(DnsKeyPair pair)
{ {
String n = pair.getDNSKEYName().toString().toLowerCase(); String n = pair.getDNSKEYName().toString().toLowerCase();
List l = (List) mKeyMap.get(n); List<DnsKeyPair> l = mKeyMap.get(n);
if (l == null) if (l == null)
{ {
l = new ArrayList(); l = new ArrayList<DnsKeyPair>();
mKeyMap.put(n, l); mKeyMap.put(n, l);
} }
@ -86,14 +86,13 @@ public class DnsSecVerifier implements Verifier
public DnsKeyPair find(Name name, int algorithm, int keyid) public DnsKeyPair find(Name name, int algorithm, int keyid)
{ {
String n = name.toString().toLowerCase(); String n = name.toString().toLowerCase();
List l = (List) mKeyMap.get(n); List<DnsKeyPair> l = mKeyMap.get(n);
if (l == null) return null; if (l == null) return null;
// FIXME: this algorithm assumes that name+alg+footprint is // FIXME: this algorithm assumes that name+alg+footprint is
// unique, which isn't necessarily true. // unique, which isn't necessarily true.
for (Iterator i = l.iterator(); i.hasNext();) for (DnsKeyPair p : l)
{ {
DnsKeyPair p = (DnsKeyPair) i.next();
if (p.getDNSKEYAlgorithm() == algorithm && p.getDNSKEYFootprint() == keyid) if (p.getDNSKEYAlgorithm() == algorithm && p.getDNSKEYFootprint() == keyid)
{ {
return p; return p;
@ -158,6 +157,7 @@ public class DnsSecVerifier implements Verifier
mIgnoreTime = v; mIgnoreTime = v;
} }
@SuppressWarnings("unchecked")
private DnsKeyPair findCachedKey(Cache cache, Name name, int algorithm, int footprint) private DnsKeyPair findCachedKey(Cache cache, Name name, int algorithm, int footprint)
{ {
RRset[] keysets = cache.findAnyRecords(name, Type.KEY); RRset[] keysets = cache.findAnyRecords(name, Type.KEY);
@ -165,11 +165,11 @@ public class DnsSecVerifier implements Verifier
// look for the particular key // look for the particular key
// FIXME: this assumes that name+alg+footprint is unique. // FIXME: this assumes that name+alg+footprint is unique.
for (Iterator i = keysets[0].rrs(); i.hasNext();) for (Iterator<Record> i = keysets[0].rrs(); i.hasNext();)
{ {
Object o = i.next(); Record r = i.next();
if (!(o instanceof DNSKEYRecord)) continue; if (r.getType() != Type.DNSKEY) continue;
DNSKEYRecord keyrec = (DNSKEYRecord) o; DNSKEYRecord keyrec = (DNSKEYRecord) r;
if (keyrec.getAlgorithm() == algorithm && keyrec.getFootprint() == footprint) if (keyrec.getAlgorithm() == algorithm && keyrec.getFootprint() == footprint)
{ {
return new DnsKeyPair(keyrec, (PrivateKey) null); return new DnsKeyPair(keyrec, (PrivateKey) null);
@ -190,7 +190,7 @@ public class DnsSecVerifier implements Verifier
return pair; return pair;
} }
private byte validateSignature(RRset rrset, RRSIGRecord sigrec, List reasons) private byte validateSignature(RRset rrset, RRSIGRecord sigrec, List<String> reasons)
{ {
if (rrset == null || sigrec == null) return DNSSEC.Failed; if (rrset == null || sigrec == null) return DNSSEC.Failed;
if (!rrset.getName().equals(sigrec.getName())) if (!rrset.getName().equals(sigrec.getName()))
@ -255,7 +255,7 @@ public class DnsSecVerifier implements Verifier
* could not be completed (usually because the public key was not * could not be completed (usually because the public key was not
* available). * available).
*/ */
public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache, List reasons) public byte verifySignature(RRset rrset, RRSIGRecord sigrec, Cache cache, List<String> reasons)
{ {
byte result = validateSignature(rrset, sigrec, reasons); byte result = validateSignature(rrset, sigrec, reasons);
if (result != DNSSEC.Secure) return result; if (result != DNSSEC.Secure) return result;
@ -314,6 +314,7 @@ public class DnsSecVerifier implements Verifier
* @return DNSSEC.Secure if the set verified, DNSSEC.Failed if it did not, and * @return DNSSEC.Secure if the set verified, DNSSEC.Failed if it did not, and
* DNSSEC.Insecure if verification could not complete. * DNSSEC.Insecure if verification could not complete.
*/ */
@SuppressWarnings("unchecked")
public int verify(RRset rrset, Cache cache) public int verify(RRset rrset, Cache cache)
{ {
int result = mVerifyAllSigs ? DNSSEC.Secure : DNSSEC.Insecure; int result = mVerifyAllSigs ? DNSSEC.Secure : DNSSEC.Insecure;

87
src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java
View File

@ -130,8 +130,9 @@ public class JCEDnsSecSigner
* the expiration time for the resulting RRSIG records. * the expiration time for the resulting RRSIG records.
* @return a list of RRSIGRecord objects. * @return a list of RRSIGRecord objects.
*/ */
public List signRRset(RRset rrset, List keypairs, Date start, Date expire) public List<RRSIGRecord> signRRset(RRset rrset, List<DnsKeyPair> keypairs, Date start,
throws IOException, GeneralSecurityException Date expire) throws IOException,
GeneralSecurityException
{ {
if (rrset == null || keypairs == null) return null; if (rrset == null || keypairs == null) return null;
@ -149,12 +150,11 @@ public class JCEDnsSecSigner
// first, pre-calculate the RRset bytes. // first, pre-calculate the RRset bytes.
byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset, 0, 0); byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset, 0, 0);
ArrayList sigs = new ArrayList(keypairs.size()); ArrayList<RRSIGRecord> sigs = new ArrayList<RRSIGRecord>(keypairs.size());
// for each keypair, sign the RRset. // for each keypair, sign the RRset.
for (Iterator i = keypairs.iterator(); i.hasNext();) for (DnsKeyPair pair : keypairs)
{ {
DnsKeyPair pair = (DnsKeyPair) i.next();
DNSKEYRecord keyrec = pair.getDNSKEYRecord(); DNSKEYRecord keyrec = pair.getDNSKEYRecord();
if (keyrec == null) continue; if (keyrec == null) continue;
@ -164,8 +164,9 @@ public class JCEDnsSecSigner
if (mVerboseSigning) if (mVerboseSigning)
{ {
log.info("Canonical pre-signature data to sign with key " + keyrec.getName().toString() + "/" log.info("Canonical pre-signature data to sign with key "
+ keyrec.getAlgorithm() + "/" + keyrec.getFootprint() + ":"); + keyrec.getName().toString() + "/" + keyrec.getAlgorithm() + "/"
+ keyrec.getFootprint() + ":");
log.info(hexdump.dump(null, sign_data)); log.info(hexdump.dump(null, sign_data));
} }
@ -174,8 +175,7 @@ public class JCEDnsSecSigner
if (signer == null) if (signer == null)
{ {
// debug // debug
log.fine("missing private key that goes with:\n" log.fine("missing private key that goes with:\n" + pair.getDNSKEYRecord());
+ pair.getDNSKEYRecord());
throw new GeneralSecurityException("cannot sign without a valid Signer " throw new GeneralSecurityException("cannot sign without a valid Signer "
+ "(probably missing private key)"); + "(probably missing private key)");
} }
@ -219,24 +219,23 @@ public class JCEDnsSecSigner
* the RRSIG expiration time. * the RRSIG expiration time.
* @return a signed RRset. * @return a signed RRset.
*/ */
public RRset makeKeySet(List keypairs, Date start, Date expire) throws IOException, public RRset makeKeySet(List<DnsKeyPair> keypairs, Date start, Date expire)
GeneralSecurityException throws IOException, GeneralSecurityException
{ {
// Generate a KEY RR set to sign. // Generate a KEY RR set to sign.
RRset keyset = new RRset(); RRset keyset = new RRset();
for (Iterator i = keypairs.iterator(); i.hasNext();) for (DnsKeyPair pair : keypairs)
{ {
DnsKeyPair pair = (DnsKeyPair) i.next();
keyset.addRR(pair.getDNSKEYRecord()); keyset.addRR(pair.getDNSKEYRecord());
} }
List records = signRRset(keyset, keypairs, start, expire); List<RRSIGRecord> records = signRRset(keyset, keypairs, start, expire);
for (Iterator i = records.iterator(); i.hasNext();) for (RRSIGRecord r : records)
{ {
keyset.addRR((Record) i.next()); keyset.addRR(r);
} }
return keyset; return keyset;
@ -266,12 +265,14 @@ public class JCEDnsSecSigner
* *
* @return the name of the new last_cut. * @return the name of the new last_cut.
*/ */
private Name addRRset(List toList, Name zonename, RRset rrset, List kskpairs, @SuppressWarnings("unchecked")
List zskpairs, Date start, Date expire, boolean fullySignKeyset, private Name addRRset(List<Record> toList, Name zonename, RRset rrset,
Name last_cut, Name last_dname) throws IOException, GeneralSecurityException List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, Date start,
Date expire, boolean fullySignKeyset, Name last_cut,
Name last_dname) throws IOException, GeneralSecurityException
{ {
// add the records themselves // add the records themselves
for (Iterator i = rrset.rrs(); i.hasNext();) for (Iterator<Record> i = rrset.rrs(); i.hasNext();)
{ {
toList.add(i.next()); toList.add(i.next());
} }
@ -296,7 +297,7 @@ public class JCEDnsSecSigner
// them with the zsks. // them with the zsks.
if (kskpairs != null && kskpairs.size() > 0) if (kskpairs != null && kskpairs.size() > 0)
{ {
List sigs = signRRset(rrset, kskpairs, start, expire); List<RRSIGRecord> sigs = signRRset(rrset, kskpairs, start, expire);
toList.addAll(sigs); toList.addAll(sigs);
// If we aren't going to sign with all the keys, bail out now. // If we aren't going to sign with all the keys, bail out now.
@ -305,7 +306,7 @@ public class JCEDnsSecSigner
} }
// otherwise, we are OK to sign this set. // otherwise, we are OK to sign this set.
List sigs = signRRset(rrset, zskpairs, start, expire); List<RRSIGRecord> sigs = signRRset(rrset, zskpairs, start, expire);
toList.addAll(sigs); toList.addAll(sigs);
return last_cut; return last_cut;
@ -365,11 +366,13 @@ public class JCEDnsSecSigner
* @throws IOException * @throws IOException
* @throws GeneralSecurityException * @throws GeneralSecurityException
*/ */
private List signZone(Name zonename, List records, List kskpairs, List zskpairs, private List<Record> signZone(Name zonename, List<Record> records,
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
Date start, Date expire, boolean fullySignKeyset, Date start, Date expire, boolean fullySignKeyset,
int ds_digest_alg, int mode, List includedNames, byte[] salt, int ds_digest_alg, int mode, List<Name> includedNames,
int iterations, long nsec3paramttl, boolean beConservative) byte[] salt, int iterations, long nsec3paramttl,
throws IOException, GeneralSecurityException boolean beConservative) throws IOException,
GeneralSecurityException
{ {
// Remove any existing generated DNSSEC records (NSEC, NSEC3, NSEC3PARAM, // Remove any existing generated DNSSEC records (NSEC, NSEC3, NSEC3PARAM,
// RRSIG) // RRSIG)
@ -410,13 +413,13 @@ public class JCEDnsSecSigner
// Assemble into RRsets and sign. // Assemble into RRsets and sign.
RRset rrset = new RRset(); RRset rrset = new RRset();
ArrayList signed_records = new ArrayList(); ArrayList<Record> signed_records = new ArrayList<Record>();
Name last_cut = null; Name last_cut = null;
Name last_dname = null; Name last_dname = null;
for (ListIterator i = records.listIterator(); i.hasNext();) for (ListIterator<Record> i = records.listIterator(); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = i.next();
// First record // First record
if (rrset.size() == 0) if (rrset.size() == 0)
@ -478,9 +481,11 @@ public class JCEDnsSecSigner
* @return an ordered list of {@link org.xbill.DNS.Record} objects, * @return an ordered list of {@link org.xbill.DNS.Record} objects,
* representing the signed zone. * representing the signed zone.
*/ */
public List signZone(Name zonename, List records, List kskpairs, List zskpairs, public List<Record> signZone(Name zonename, List<Record> records,
Date start, Date expire, boolean fullySignKeyset, int ds_digest_alg) List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
throws IOException, GeneralSecurityException Date start, Date expire, boolean fullySignKeyset,
int ds_digest_alg) throws IOException,
GeneralSecurityException
{ {
return signZone(zonename, records, kskpairs, zskpairs, start, expire, return signZone(zonename, records, kskpairs, zskpairs, start, expire,
fullySignKeyset, ds_digest_alg, NSEC_MODE, null, null, 0, 0, false); fullySignKeyset, ds_digest_alg, NSEC_MODE, null, null, 0, 0, false);
@ -527,11 +532,13 @@ public class JCEDnsSecSigner
* @throws IOException * @throws IOException
* @throws GeneralSecurityException * @throws GeneralSecurityException
*/ */
public List signZoneNSEC3(Name zonename, List records, List kskpairs, List zskpairs, public List<Record> signZoneNSEC3(Name zonename, List<Record> records,
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
Date start, Date expire, boolean fullySignKeyset, Date start, Date expire, boolean fullySignKeyset,
boolean useOptOut, List includedNames, byte[] salt, boolean useOptOut, List<Name> includedNames,
int iterations, int ds_digest_alg, long nsec3paramttl) byte[] salt, int iterations, int ds_digest_alg,
throws IOException, GeneralSecurityException long nsec3paramttl) throws IOException,
GeneralSecurityException
{ {
if (useOptOut) if (useOptOut)
{ {
@ -577,9 +584,11 @@ public class JCEDnsSecSigner
* @return an ordered list of {@link org.xbill.DNS.Record} objects, * @return an ordered list of {@link org.xbill.DNS.Record} objects,
* representing the signed zone. * representing the signed zone.
*/ */
public List signZoneOptIn(Name zonename, List records, List kskpairs, List zskpairs, public List<Record> signZoneOptIn(Name zonename, List<Record> records,
Date start, Date expire, boolean useConservativeOptIn, List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
boolean fullySignKeyset, List NSECIncludeNames, Date start, Date expire,
boolean useConservativeOptIn,
boolean fullySignKeyset, List<Name> NSECIncludeNames,
int ds_digest_alg) throws IOException, int ds_digest_alg) throws IOException,
GeneralSecurityException GeneralSecurityException
{ {

7
src/com/verisignlabs/dnssec/security/ProtoNSEC3.java
View File

@ -254,12 +254,11 @@ public class ProtoNSEC3
return sb.toString(); return sb.toString();
} }
public static class Comparator implements java.util.Comparator public static class Comparator implements java.util.Comparator<ProtoNSEC3>
{ {
public int compare(ProtoNSEC3 a, ProtoNSEC3 b)
public int compare(Object o1, Object o2)
{ {
return ((ProtoNSEC3) o1).compareTo((ProtoNSEC3) o2); return a.compareTo(b);
} }
} }

7
src/com/verisignlabs/dnssec/security/RecordComparator.java
View File

@ -35,7 +35,7 @@ import org.xbill.DNS.Type;
* @version $Revision$ * @version $Revision$
*/ */
public class RecordComparator implements Comparator public class RecordComparator implements Comparator<Record>
{ {
public RecordComparator() public RecordComparator()
{ {
@ -75,11 +75,8 @@ public class RecordComparator implements Comparator
return (a_rdata.length - b_rdata.length); return (a_rdata.length - b_rdata.length);
} }
public int compare(Object o1, Object o2) throws ClassCastException public int compare(Record a, Record b)
{ {
Record a = (Record) o1;
Record b = (Record) o2;
if (a == null && b == null) return 0; if (a == null && b == null) return 0;
if (a == null) return 1; if (a == null) return 1;
if (b == null) return -1; if (b == null) return -1;

304
src/com/verisignlabs/dnssec/security/SignUtils.java
View File

@ -81,13 +81,11 @@ public class SignUtils
* *
* @return a prototype signature based on the RRset and key information. * @return a prototype signature based on the RRset and key information.
*/ */
public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key, public static RRSIGRecord generatePreRRSIG(RRset rrset, DNSKEYRecord key, Date start,
Date start, Date expire, Date expire, long sig_ttl)
long sig_ttl)
{ {
return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl, return new RRSIGRecord(rrset.getName(), rrset.getDClass(), sig_ttl, rrset.getType(),
rrset.getType(), key.getAlgorithm(), key.getAlgorithm(), (int) rrset.getTTL(), expire, start,
(int) rrset.getTTL(), expire, start,
key.getFootprint(), key.getName(), null); key.getFootprint(), key.getName(), null);
} }
@ -108,14 +106,12 @@ public class SignUtils
* *
* @return a prototype signature based on the Record and key information. * @return a prototype signature based on the Record and key information.
*/ */
public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key, public static RRSIGRecord generatePreRRSIG(Record rec, DNSKEYRecord key, Date start,
Date start, Date expire, Date expire, long sig_ttl)
long sig_ttl)
{ {
return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, return new RRSIGRecord(rec.getName(), rec.getDClass(), sig_ttl, rec.getType(),
rec.getType(), key.getAlgorithm(), rec.getTTL(), key.getAlgorithm(), rec.getTTL(), expire, start,
expire, start, key.getFootprint(), key.getName(), key.getFootprint(), key.getName(), null);
null);
} }
/** /**
@ -150,7 +146,6 @@ public class SignUtils
return image.toByteArray(); return image.toByteArray();
} }
/** /**
* Calculate the canonical wire line format of the RRset. * Calculate the canonical wire line format of the RRset.
* *
@ -165,8 +160,8 @@ public class SignUtils
* @return the canonical wire line format of the rrset. This is the second * @return the canonical wire line format of the rrset. This is the second
* part of data to be signed. * part of data to be signed.
*/ */
public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl, @SuppressWarnings("unchecked")
int labels) public static byte[] generateCanonicalRRsetData(RRset rrset, long ttl, int labels)
{ {
DNSOutput image = new DNSOutput(); DNSOutput image = new DNSOutput();
@ -186,24 +181,22 @@ public class SignUtils
{ {
n = n.wild(n.labels() - labels); n = n.wild(n.labels() - labels);
wildcardName = true; wildcardName = true;
log.fine("Detected wildcard expansion: " + rrset.getName() log.fine("Detected wildcard expansion: " + rrset.getName() + " changed to " + n);
+ " changed to " + n);
} }
// now convert the wire format records in the RRset into a // now convert the wire format records in the RRset into a
// list of byte arrays. // list of byte arrays.
ArrayList canonical_rrs = new ArrayList(); ArrayList<byte[]> canonical_rrs = new ArrayList<byte[]>();
for (Iterator i = rrset.rrs(); i.hasNext();) for (Iterator<Record> i = rrset.rrs(); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = i.next();
if (r.getTTL() != ttl || wildcardName) if (r.getTTL() != ttl || wildcardName)
{ {
// If necessary, we need to create a new record with a new ttl // If necessary, we need to create a new record with a new ttl
// or ownername. // or ownername.
// In the TTL case, this avoids changing the ttl in the // In the TTL case, this avoids changing the ttl in the
// response. // response.
r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r r = Record.newRecord(n, r.getType(), r.getDClass(), ttl, r.rdataToWireCanonical());
.rdataToWireCanonical());
} }
byte[] wire_fmt = r.toWireCanonical(); byte[] wire_fmt = r.toWireCanonical();
canonical_rrs.add(wire_fmt); canonical_rrs.add(wire_fmt);
@ -218,9 +211,8 @@ public class SignUtils
Collections.sort(canonical_rrs, bac); Collections.sort(canonical_rrs, bac);
for (Iterator i = canonical_rrs.iterator(); i.hasNext();) for (byte[] wire_fmt_rec : canonical_rrs)
{ {
byte[] wire_fmt_rec = (byte[]) i.next();
image.writeByteArray(wire_fmt_rec); image.writeByteArray(wire_fmt_rec);
} }
@ -240,8 +232,7 @@ public class SignUtils
public static byte[] generateSigData(RRset rrset, RRSIGRecord presig) public static byte[] generateSigData(RRset rrset, RRSIGRecord presig)
throws IOException throws IOException
{ {
byte[] rrset_data = generateCanonicalRRsetData(rrset, byte[] rrset_data = generateCanonicalRRsetData(rrset, presig.getOrigTTL(),
presig.getOrigTTL(),
presig.getLabels()); presig.getLabels());
return generateSigData(rrset_data, presig); return generateSigData(rrset_data, presig);
@ -285,11 +276,11 @@ public class SignUtils
*/ */
public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig) public static RRSIGRecord generateRRSIG(byte[] signature, RRSIGRecord presig)
{ {
return new RRSIGRecord(presig.getName(), presig.getDClass(), return new RRSIGRecord(presig.getName(), presig.getDClass(), presig.getTTL(),
presig.getTTL(), presig.getTypeCovered(), presig.getTypeCovered(), presig.getAlgorithm(),
presig.getAlgorithm(), presig.getOrigTTL(), presig.getOrigTTL(), presig.getExpire(),
presig.getExpire(), presig.getTimeSigned(), presig.getTimeSigned(), presig.getFootprint(),
presig.getFootprint(), presig.getSigner(), signature); presig.getSigner(), signature);
} }
/** /**
@ -311,8 +302,7 @@ public class SignUtils
* if there was something wrong with the RFC 2536 formatted * if there was something wrong with the RFC 2536 formatted
* signature. * signature.
*/ */
public static byte[] convertDSASignature(byte[] signature) public static byte[] convertDSASignature(byte[] signature) throws SignatureException
throws SignatureException
{ {
if (signature.length != 41) if (signature.length != 41)
throw new SignatureException("RFC 2536 signature not expected length."); throw new SignatureException("RFC 2536 signature not expected length.");
@ -380,8 +370,7 @@ public class SignUtils
{ {
if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT) if (signature[0] != ASN1_SEQ || signature[2] != ASN1_INT)
{ {
throw new SignatureException( throw new SignatureException("Invalid ASN.1 signature format: expected SEQ, INT");
"Invalid ASN.1 signature format: expected SEQ, INT");
} }
byte r_pad = (byte) (signature[3] - 20); byte r_pad = (byte) (signature[3] - 20);
@ -478,8 +467,8 @@ public class SignUtils
* the name of the last DELEGATION record/set that was encountered * the name of the last DELEGATION record/set that was encountered
* while iterating over the zone in canonical order. * while iterating over the zone in canonical order.
*/ */
public static int recordSecType(Name zonename, Name name, int type, public static int recordSecType(Name zonename, Name name, int type, Name last_cut,
Name last_cut, Name last_dname) Name last_dname)
{ {
// records not even in the zone itself are invalid. // records not even in the zone itself are invalid.
if (!name.subdomain(zonename)) return RR_INVALID; if (!name.subdomain(zonename)) return RR_INVALID;
@ -507,7 +496,8 @@ public class SignUtils
} }
// if we are below a DNAME, then the RR is invalid. // if we are below a DNAME, then the RR is invalid.
if (last_dname != null && name.subdomain(last_dname) && name.labels() > last_dname.labels()) if (last_dname != null && name.subdomain(last_dname)
&& name.labels() > last_dname.labels())
{ {
return RR_INVALID; return RR_INVALID;
} }
@ -528,24 +518,13 @@ public class SignUtils
* canonical order. * canonical order.
* @return a List of {@link org.xbill.DNS.RRset} objects. * @return a List of {@link org.xbill.DNS.RRset} objects.
*/ */
public static List assembleIntoRRsets(List records) public static List<RRset> assembleIntoRRsets(List<Record> records)
{ {
RRset rrset = new RRset(); RRset rrset = new RRset();
ArrayList rrsets = new ArrayList(); ArrayList<RRset> rrsets = new ArrayList<RRset>();
for (Iterator i = records.iterator(); i.hasNext();) for (Record r : records)
{ {
Object o = i.next();
if (!(o instanceof Record))
{
log.warning("assembleIntoRRsets: a non-record object was "
+ "encountered and skipped: " + o + " (" + o.getClass() + ")");
continue;
}
Record r = (Record) o;
// First record // First record
if (rrset.size() == 0) if (rrset.size() == 0)
{ {
@ -585,7 +564,7 @@ public class SignUtils
public int type; public int type;
public long ttl; public long ttl;
public int dclass; public int dclass;
public Set typemap; public Set<Integer> typemap;
public boolean isSecureNode; // opt-in support. public boolean isSecureNode; // opt-in support.
public boolean hasOptInSpan; // opt-in support. public boolean hasOptInSpan; // opt-in support.
public int nsecIndex; public int nsecIndex;
@ -596,7 +575,7 @@ public class SignUtils
this.type = nodeType; this.type = nodeType;
this.ttl = r.getTTL(); this.ttl = r.getTTL();
this.dclass = r.getDClass(); this.dclass = r.getDClass();
this.typemap = new HashSet(); this.typemap = new HashSet<Integer>();
this.isSecureNode = false; this.isSecureNode = false;
this.hasOptInSpan = false; this.hasOptInSpan = false;
addType(r.getType()); addType(r.getType());
@ -614,8 +593,9 @@ public class SignUtils
} }
} }
public boolean hasType(int type) { public boolean hasType(int type)
return this.typemap.contains(new Integer(type)); {
return this.typemap.contains(type);
} }
public String toString() public String toString()
@ -653,7 +633,7 @@ public class SignUtils
* a list of {@link org.xbill.DNS.Record} objects in DNSSEC canonical * a list of {@link org.xbill.DNS.Record} objects in DNSSEC canonical
* order. * order.
*/ */
public static void generateNSECRecords(Name zonename, List records) public static void generateNSECRecords(Name zonename, List<Record> records)
{ {
// This works by iterating over a known sorted list of records. // This works by iterating over a known sorted list of records.
@ -667,24 +647,24 @@ public class SignUtils
// First find the SOA record -- it should be near the beginning -- and get // First find the SOA record -- it should be near the beginning -- and get
// the soa minimum // the soa minimum
for (Iterator i = records.iterator(); i.hasNext();) for (Record r : records)
{ {
Object o = i.next(); if (r.getType() == Type.SOA)
if (o instanceof SOARecord)
{ {
SOARecord soa = (SOARecord) o; SOARecord soa = (SOARecord) r;
nsec_ttl = soa.getMinimum(); nsec_ttl = soa.getMinimum();
break; break;
} }
} }
if (nsec_ttl == 0) if (nsec_ttl == 0)
{ {
throw new IllegalArgumentException("Zone did not contain a SOA record"); throw new IllegalArgumentException("Zone did not contain a SOA record");
} }
for (ListIterator i = records.listIterator(); i.hasNext();) for (ListIterator<Record> i = records.listIterator(); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = i.next();
Name r_name = r.getName(); Name r_name = r.getName();
int r_type = r.getType(); int r_type = r.getType();
int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname); int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname);
@ -716,9 +696,8 @@ public class SignUtils
if (last_node != null) if (last_node != null)
{ {
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, nsec_ttl,
nsec_ttl, current_node.name, current_node.name, last_node.getTypes());
last_node.getTypes());
// Note: we have to add this through the iterator, otherwise // Note: we have to add this through the iterator, otherwise
// the next access via the iterator will generate a // the next access via the iterator will generate a
// ConcurrencyModificationException. // ConcurrencyModificationException.
@ -743,17 +722,15 @@ public class SignUtils
// Generate next to last NSEC // Generate next to last NSEC
if (last_node != null) if (last_node != null)
{ {
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, nsec_ttl,
nsec_ttl, current_node.name, current_node.name, last_node.getTypes());
last_node.getTypes());
records.add(last_node.nsecIndex - 1, nsec); records.add(last_node.nsecIndex - 1, nsec);
log.finer("Generated: " + nsec); log.finer("Generated: " + nsec);
} }
// Generate last NSEC // Generate last NSEC
NSECRecord nsec = new NSECRecord(current_node.name, current_node.dclass, NSECRecord nsec = new NSECRecord(current_node.name, current_node.dclass, nsec_ttl,
nsec_ttl, zonename, zonename, current_node.getTypes());
current_node.getTypes());
records.add(nsec); records.add(nsec);
log.finer("Generated: " + nsec); log.finer("Generated: " + nsec);
@ -781,12 +758,11 @@ public class SignUtils
* will use the SOA minimum) * will use the SOA minimum)
* @throws NoSuchAlgorithmException * @throws NoSuchAlgorithmException
*/ */
public static void generateNSEC3Records(Name zonename, List records, public static void generateNSEC3Records(Name zonename, List<Record> records,
byte[] salt, int iterations, byte[] salt, int iterations, long nsec3param_ttl)
long nsec3param_ttl)
throws NoSuchAlgorithmException throws NoSuchAlgorithmException
{ {
List proto_nsec3s = new ArrayList(); List<ProtoNSEC3> proto_nsec3s = new ArrayList<ProtoNSEC3>();
NodeInfo current_node = null; NodeInfo current_node = null;
NodeInfo last_node = null; NodeInfo last_node = null;
// For detecting glue. // For detecting glue.
@ -796,9 +772,8 @@ public class SignUtils
long nsec3_ttl = 0; long nsec3_ttl = 0;
for (Iterator i = records.iterator(); i.hasNext();) for (Record r : records)
{ {
Record r = (Record) i.next();
Name r_name = r.getName(); Name r_name = r.getName();
int r_type = r.getType(); int r_type = r.getType();
@ -841,30 +816,24 @@ public class SignUtils
// At this point, r represents the start of a new node. // At this point, r represents the start of a new node.
// So we move current_node to last_node and generate a new current node. // So we move current_node to last_node and generate a new current node.
// But first, we need to do something with the last node. // But first, we need to do something with the last node.
generateNSEC3ForNode(last_node, zonename, salt, iterations, false, generateNSEC3ForNode(last_node, zonename, salt, iterations, false, proto_nsec3s);
proto_nsec3s);
last_node = current_node; last_node = current_node;
current_node = new NodeInfo(r, r_sectype); current_node = new NodeInfo(r, r_sectype);
} }
// process last two nodes. // process last two nodes.
generateNSEC3ForNode(last_node, zonename, salt, iterations, false, generateNSEC3ForNode(last_node, zonename, salt, iterations, false, proto_nsec3s);
proto_nsec3s); generateNSEC3ForNode(current_node, zonename, salt, iterations, false, proto_nsec3s);
generateNSEC3ForNode(current_node, zonename, salt, iterations, false,
proto_nsec3s);
List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl); List<NSEC3Record> nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
records.addAll(nsec3s); records.addAll(nsec3s);
NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord( NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
zonename,
DClass.IN,
nsec3param_ttl, nsec3param_ttl,
NSEC3Record.SHA1_DIGEST_ID, NSEC3Record.SHA1_DIGEST_ID,
(byte) 0, iterations, (byte) 0, iterations, salt);
salt);
records.add(nsec3param); records.add(nsec3param);
} }
@ -897,13 +866,12 @@ public class SignUtils
* will use the SOA minimum) * will use the SOA minimum)
* @throws NoSuchAlgorithmException * @throws NoSuchAlgorithmException
*/ */
public static void generateOptOutNSEC3Records(Name zonename, List records, public static void generateOptOutNSEC3Records(Name zonename, List<Record> records,
List includedNames, List<Name> includedNames, byte[] salt,
byte[] salt, int iterations, int iterations, long nsec3param_ttl)
long nsec3param_ttl)
throws NoSuchAlgorithmException throws NoSuchAlgorithmException
{ {
List proto_nsec3s = new ArrayList(); List<ProtoNSEC3> proto_nsec3s = new ArrayList<ProtoNSEC3>();
NodeInfo current_node = null; NodeInfo current_node = null;
NodeInfo last_node = null; NodeInfo last_node = null;
// For detecting glue. // For detecting glue.
@ -913,15 +881,14 @@ public class SignUtils
long nsec3_ttl = 0; long nsec3_ttl = 0;
HashSet includeSet = null; HashSet<Name> includeSet = null;
if (includedNames != null) if (includedNames != null)
{ {
includeSet = new HashSet(includedNames); includeSet = new HashSet<Name>(includedNames);
} }
for (Iterator i = records.iterator(); i.hasNext();) for (Record r : records)
{ {
Record r = (Record) i.next();
Name r_name = r.getName(); Name r_name = r.getName();
int r_type = r.getType(); int r_type = r.getType();
@ -968,8 +935,7 @@ public class SignUtils
// At this point, r represents the start of a new node. // At this point, r represents the start of a new node.
// So we move current_node to last_node and generate a new current node. // So we move current_node to last_node and generate a new current node.
// But first, we need to do something with the last node. // But first, we need to do something with the last node.
generateNSEC3ForNode(last_node, zonename, salt, iterations, true, generateNSEC3ForNode(last_node, zonename, salt, iterations, true, proto_nsec3s);
proto_nsec3s);
if (current_node.isSecureNode) if (current_node.isSecureNode)
{ {
@ -984,21 +950,16 @@ public class SignUtils
} }
// process last two nodes. // process last two nodes.
generateNSEC3ForNode(last_node, zonename, salt, iterations, true, generateNSEC3ForNode(last_node, zonename, salt, iterations, true, proto_nsec3s);
proto_nsec3s); generateNSEC3ForNode(current_node, zonename, salt, iterations, true, proto_nsec3s);
generateNSEC3ForNode(current_node, zonename, salt, iterations, true,
proto_nsec3s);
List nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl); List<NSEC3Record> nsec3s = finishNSEC3s(proto_nsec3s, nsec3_ttl);
records.addAll(nsec3s); records.addAll(nsec3s);
NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord( NSEC3PARAMRecord nsec3param = new NSEC3PARAMRecord(zonename, DClass.IN,
zonename,
DClass.IN,
nsec3param_ttl, nsec3param_ttl,
NSEC3Record.SHA1_DIGEST_ID, NSEC3Record.SHA1_DIGEST_ID,
(byte) 0, iterations, (byte) 0, iterations, salt);
salt);
records.add(nsec3param); records.add(nsec3param);
} }
@ -1021,16 +982,16 @@ public class SignUtils
* The current list of NSEC3s -- this will be updated. * The current list of NSEC3s -- this will be updated.
* @throws NoSuchAlgorithmException * @throws NoSuchAlgorithmException
*/ */
private static void generateNSEC3ForNode(NodeInfo node, Name zonename, private static void generateNSEC3ForNode(NodeInfo node, Name zonename, byte[] salt,
byte[] salt, int iterations, int iterations, boolean optIn, List<ProtoNSEC3> nsec3s)
boolean optIn, List nsec3s)
throws NoSuchAlgorithmException throws NoSuchAlgorithmException
{ {
if (node == null) return; if (node == null) return;
if (optIn && !node.isSecureNode) return; if (optIn && !node.isSecureNode) return;
// Add our default types. // Add our default types.
if (node.type == RR_NORMAL || (node.type == RR_DELEGATION && node.hasType(Type.DS))) { if (node.type == RR_NORMAL || (node.type == RR_DELEGATION && node.hasType(Type.DS)))
{
node.addType(Type.RRSIG); node.addType(Type.RRSIG);
} }
if (node.name.equals(zonename)) node.addType(Type.NSEC3PARAM); if (node.name.equals(zonename)) node.addType(Type.NSEC3PARAM);
@ -1042,13 +1003,13 @@ public class SignUtils
{ {
Name n = new Name(node.name, i); Name n = new Name(node.name, i);
log.fine("Generating ENT NSEC3 for " + n); log.fine("Generating ENT NSEC3 for " + n);
ProtoNSEC3 nsec3 = generateNSEC3(n, zonename, node.ttl, salt, iterations, ProtoNSEC3 nsec3 = generateNSEC3(n, zonename, node.ttl, salt, iterations, optIn,
optIn, null); null);
nsec3s.add(nsec3); nsec3s.add(nsec3);
} }
ProtoNSEC3 nsec3 = generateNSEC3(node.name, zonename, node.ttl, salt, ProtoNSEC3 nsec3 = generateNSEC3(node.name, zonename, node.ttl, salt, iterations,
iterations, optIn, node.getTypes()); optIn, node.getTypes());
nsec3s.add(nsec3); nsec3s.add(nsec3);
} }
@ -1074,17 +1035,15 @@ public class SignUtils
* @throws NoSuchAlgorithmException * @throws NoSuchAlgorithmException
*/ */
private static ProtoNSEC3 generateNSEC3(Name name, Name zonename, long ttl, private static ProtoNSEC3 generateNSEC3(Name name, Name zonename, long ttl,
byte[] salt, int iterations, byte[] salt, int iterations, boolean optIn,
boolean optIn, int[] types) int[] types) throws NoSuchAlgorithmException
throws NoSuchAlgorithmException
{ {
byte[] hash = nsec3hash(name, NSEC3Record.SHA1_DIGEST_ID, byte[] hash = nsec3hash(name, NSEC3Record.SHA1_DIGEST_ID, iterations, salt);
iterations, salt);
byte flags = (byte) (optIn ? 0x01 : 0x00); byte flags = (byte) (optIn ? 0x01 : 0x00);
ProtoNSEC3 r = new ProtoNSEC3(hash, name, zonename, DClass.IN, ttl, ProtoNSEC3 r = new ProtoNSEC3(hash, name, zonename, DClass.IN, ttl,
NSEC3Record.SHA1_DIGEST_ID, flags, NSEC3Record.SHA1_DIGEST_ID, flags, iterations, salt,
iterations, salt, null, types); null, types);
log.finer("Generated: " + r); log.finer("Generated: " + r);
return r; return r;
@ -1102,7 +1061,7 @@ public class SignUtils
* should match the SOA minimum value for the zone. * should match the SOA minimum value for the zone.
* @return The list of {@link org.xbill.DNS.NSEC3Record} objects. * @return The list of {@link org.xbill.DNS.NSEC3Record} objects.
*/ */
private static List finishNSEC3s(List nsec3s, long ttl) private static List<NSEC3Record> finishNSEC3s(List<ProtoNSEC3> nsec3s, long ttl)
{ {
if (nsec3s == null) return null; if (nsec3s == null) return null;
Collections.sort(nsec3s, new ProtoNSEC3.Comparator()); Collections.sort(nsec3s, new ProtoNSEC3.Comparator());
@ -1111,9 +1070,9 @@ public class SignUtils
ProtoNSEC3 cur_nsec3 = null; ProtoNSEC3 cur_nsec3 = null;
byte[] first_nsec3_hash = null; byte[] first_nsec3_hash = null;
for (ListIterator i = nsec3s.listIterator(); i.hasNext();) for (ListIterator<ProtoNSEC3> i = nsec3s.listIterator(); i.hasNext();)
{ {
cur_nsec3 = (ProtoNSEC3) i.next(); cur_nsec3 = i.next();
// check to see if cur is a duplicate (by name) // check to see if cur is a duplicate (by name)
if (prev_nsec3 != null if (prev_nsec3 != null
@ -1154,10 +1113,9 @@ public class SignUtils
} }
// Convert our ProtoNSEC3s to actual (immutable) NSEC3Record objects. // Convert our ProtoNSEC3s to actual (immutable) NSEC3Record objects.
List res = new ArrayList(nsec3s.size()); List<NSEC3Record> res = new ArrayList<NSEC3Record>(nsec3s.size());
for (Iterator i = nsec3s.iterator(); i.hasNext();) for (ProtoNSEC3 p : nsec3s)
{ {
ProtoNSEC3 p = (ProtoNSEC3) i.next();
p.setTTL(ttl); p.setTTL(ttl);
res.add(p.getNSEC3Record()); res.add(p.getNSEC3Record());
} }
@ -1184,8 +1142,8 @@ public class SignUtils
* if true, then Opt-In NXTs will only be generated where there is * if true, then Opt-In NXTs will only be generated where there is
* actually a span of insecure delegations. * actually a span of insecure delegations.
*/ */
public static void generateOptInNSECRecords(Name zonename, List records, public static void generateOptInNSECRecords(Name zonename, List<Record> records,
List includeNames, List<Name> includeNames,
boolean beConservative) boolean beConservative)
{ {
// This works by iterating over a known sorted list of records. // This works by iterating over a known sorted list of records.
@ -1197,16 +1155,16 @@ public class SignUtils
Name last_dname = null; Name last_dname = null;
int backup; int backup;
HashSet includeSet = null; HashSet<Name> includeSet = null;
if (includeNames != null) if (includeNames != null)
{ {
includeSet = new HashSet(includeNames); includeSet = new HashSet<Name>(includeNames);
} }
for (ListIterator i = records.listIterator(); i.hasNext();) for (ListIterator<Record> i = records.listIterator(); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = i.next();
Name r_name = r.getName(); Name r_name = r.getName();
int r_type = r.getType(); int r_type = r.getType();
int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname); int r_sectype = recordSecType(zonename, r_name, r_type, last_cut, last_dname);
@ -1248,9 +1206,8 @@ public class SignUtils
{ {
last_node.addType(Type.NSEC); last_node.addType(Type.NSEC);
} }
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl,
last_node.ttl, current_node.name, current_node.name, last_node.getTypes());
last_node.getTypes());
// Note: we have to add this through the iterator, otherwise // Note: we have to add this through the iterator, otherwise
// the next access via the iterator will generate a // the next access via the iterator will generate a
// ConcurrencyModificationException. // ConcurrencyModificationException.
@ -1289,9 +1246,8 @@ public class SignUtils
{ {
last_node.addType(Type.NSEC); last_node.addType(Type.NSEC);
} }
NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, NSECRecord nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl,
last_node.ttl, current_node.name, current_node.name, last_node.getTypes());
last_node.getTypes());
records.add(last_node.nsecIndex - 1, nsec); records.add(last_node.nsecIndex - 1, nsec);
log.finer("Generated: " + nsec); log.finer("Generated: " + nsec);
} }
@ -1304,16 +1260,16 @@ public class SignUtils
{ {
current_node.addType(Type.NSEC); current_node.addType(Type.NSEC);
} }
nsec = new NSECRecord(current_node.name, current_node.dclass, nsec = new NSECRecord(current_node.name, current_node.dclass, current_node.ttl,
current_node.ttl, zonename, current_node.getTypes()); zonename, current_node.getTypes());
// we can just tack this on the end as we are working on the // we can just tack this on the end as we are working on the
// last node. // last node.
records.add(nsec); records.add(nsec);
} }
else else
{ {
nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl, nsec = new NSECRecord(last_node.name, last_node.dclass, last_node.ttl, zonename,
zonename, last_node.getTypes()); last_node.getTypes());
// We need to tack this on after the last secure node, not the // We need to tack this on after the last secure node, not the
// end of the whole list. // end of the whole list.
records.add(last_node.nsecIndex, nsec); records.add(last_node.nsecIndex, nsec);
@ -1334,13 +1290,12 @@ public class SignUtils
* @param digest_alg * @param digest_alg
* The digest algorithm to use. * The digest algorithm to use.
*/ */
public static void generateDSRecords(Name zonename, List records, public static void generateDSRecords(Name zonename, List<Record> records, int digest_alg)
int digest_alg)
{ {
for (ListIterator i = records.listIterator(); i.hasNext();) for (ListIterator<Record> i = records.listIterator(); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = i.next();
if (r == null) continue; // this should never be true. if (r == null) continue; // this should never be true.
Name r_name = r.getName(); Name r_name = r.getName();
@ -1349,8 +1304,7 @@ public class SignUtils
// Convert non-zone level KEY records into DS records. // Convert non-zone level KEY records into DS records.
if (r.getType() == Type.DNSKEY && !r_name.equals(zonename)) if (r.getType() == Type.DNSKEY && !r_name.equals(zonename))
{ {
DSRecord ds = calculateDSRecord((DNSKEYRecord) r, digest_alg, DSRecord ds = calculateDSRecord((DNSKEYRecord) r, digest_alg, r.getTTL());
r.getTTL());
i.set(ds); i.set(ds);
} }
@ -1365,9 +1319,9 @@ public class SignUtils
* @param records * @param records
* a list of {@link org.xbill.DNS.Record} objects. * a list of {@link org.xbill.DNS.Record} objects.
*/ */
public static void removeGeneratedRecords(Name zonename, List records) public static void removeGeneratedRecords(Name zonename, List<Record> records)
{ {
for (Iterator i = records.iterator(); i.hasNext();) for (Iterator<Record> i = records.iterator(); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = (Record) i.next();
@ -1387,12 +1341,12 @@ public class SignUtils
* @param records * @param records
* a list of {@link org.xbill.DNS.Record} object, in sorted order. * a list of {@link org.xbill.DNS.Record} object, in sorted order.
*/ */
public static void removeDuplicateRecords(List records) public static void removeDuplicateRecords(List<Record> records)
{ {
Record lastrec = null; Record lastrec = null;
for (Iterator i = records.iterator(); i.hasNext();) for (Iterator<Record> i = records.iterator(); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = i.next();
if (lastrec == null) if (lastrec == null)
{ {
lastrec = r; lastrec = r;
@ -1419,8 +1373,7 @@ public class SignUtils
* the original KEY RR's TTL will be used. * the original KEY RR's TTL will be used.
* @return the corresponding {@link org.xbill.DNS.DSRecord} * @return the corresponding {@link org.xbill.DNS.DSRecord}
*/ */
public static DSRecord calculateDSRecord(DNSKEYRecord keyrec, int digest_alg, public static DSRecord calculateDSRecord(DNSKEYRecord keyrec, int digest_alg, long ttl)
long ttl)
{ {
if (keyrec == null) return null; if (keyrec == null) return null;
@ -1451,8 +1404,8 @@ public class SignUtils
} }
return new DSRecord(keyrec.getName(), keyrec.getDClass(), ttl, return new DSRecord(keyrec.getName(), keyrec.getDClass(), ttl,
keyrec.getFootprint(), keyrec.getAlgorithm(), keyrec.getFootprint(), keyrec.getAlgorithm(), digest_alg,
digest_alg, digest); digest);
} }
catch (NoSuchAlgorithmException e) catch (NoSuchAlgorithmException e)
@ -1465,15 +1418,20 @@ public class SignUtils
/** /**
* Calculate an NSEC3 hash based on a DNS name and NSEC3 hash parameters. * Calculate an NSEC3 hash based on a DNS name and NSEC3 hash parameters.
* *
* @param n The name to hash. * @param n
* @param hash_algorithm The hash algorithm to use. * The name to hash.
* @param iterations The number of iterations to do. * @param hash_algorithm
* @param salt The salt to use. * The hash algorithm to use.
* @param iterations
* The number of iterations to do.
* @param salt
* The salt to use.
* @return The calculated hash as a byte array. * @return The calculated hash as a byte array.
* @throws NoSuchAlgorithmException If the hash algorithm is unrecognized. * @throws NoSuchAlgorithmException
* If the hash algorithm is unrecognized.
*/ */
public static byte[] nsec3hash(Name n, byte hash_algorithm, int iterations, public static byte[] nsec3hash(Name n, byte hash_algorithm, int iterations, byte[] salt)
byte[] salt) throws NoSuchAlgorithmException throws NoSuchAlgorithmException
{ {
MessageDigest md; MessageDigest md;
@ -1483,8 +1441,8 @@ public class SignUtils
md = MessageDigest.getInstance("SHA1"); md = MessageDigest.getInstance("SHA1");
break; break;
default: default:
throw new NoSuchAlgorithmException( throw new NoSuchAlgorithmException("Unknown NSEC3 algorithm identifier: "
"Unknown NSEC3 algorithm identifier: " + hash_algorithm); + hash_algorithm);
} }
// Construct our wire form. // Construct our wire form.

13
src/com/verisignlabs/dnssec/security/TypeMap.java
View File

@ -22,29 +22,29 @@ public class TypeMap
{ {
private static final Integer[] integerArray = new Integer[0]; private static final Integer[] integerArray = new Integer[0];
private Set typeSet; private Set<Integer> typeSet;
public TypeMap() public TypeMap()
{ {
this.typeSet = new HashSet(); this.typeSet = new HashSet<Integer>();
} }
/** Add the given type to the typemap. */ /** Add the given type to the typemap. */
public void set(int type) public void set(int type)
{ {
typeSet.add(new Integer(type)); typeSet.add(type);
} }
/** Remove the given type from the type map. */ /** Remove the given type from the type map. */
public void clear(int type) public void clear(int type)
{ {
typeSet.remove(new Integer(type)); typeSet.remove(type);
} }
/** @return true if the given type is present in the type map. */ /** @return true if the given type is present in the type map. */
public boolean get(int type) public boolean get(int type)
{ {
return typeSet.contains(new Integer(type)); return typeSet.contains(type);
} }
public static TypeMap fromTypes(int[] types) public static TypeMap fromTypes(int[] types)
@ -109,8 +109,7 @@ public class TypeMap
return sb.toString(); return sb.toString();
} }
protected static void mapToWire(DNSOutput out, int[] types, int base, protected static void mapToWire(DNSOutput out, int[] types, int base, int start, int end)
int start, int end)
{ {
// calculate the length of this map by looking at the largest // calculate the length of this map by looking at the largest
// typecode in this section. // typecode in this section.

70
src/com/verisignlabs/dnssec/security/ZoneUtils.java
View File

@ -56,9 +56,9 @@ public class ZoneUtils
* @throws IOException * @throws IOException
* if something goes wrong reading the zone file. * if something goes wrong reading the zone file.
*/ */
public static List readZoneFile(String zonefile, Name origin) throws IOException public static List<Record> readZoneFile(String zonefile, Name origin) throws IOException
{ {
ArrayList records = new ArrayList(); ArrayList<Record> records = new ArrayList<Record>();
Master m; Master m;
if (zonefile.equals("-")) if (zonefile.equals("-"))
{ {
@ -88,7 +88,7 @@ public class ZoneUtils
* @param zonefile * @param zonefile
* the file to write to. If null or equal to "-", System.out is used. * the file to write to. If null or equal to "-", System.out is used.
*/ */
public static void writeZoneFile(List records, String zonefile) throws IOException public static void writeZoneFile(List<Record> records, String zonefile) throws IOException
{ {
PrintWriter out = null; PrintWriter out = null;
@ -101,9 +101,9 @@ public class ZoneUtils
out = new PrintWriter(new BufferedWriter(new FileWriter(zonefile))); out = new PrintWriter(new BufferedWriter(new FileWriter(zonefile)));
} }
for (Iterator i = records.iterator(); i.hasNext();) for (Record r : records)
{ {
out.println(i.next()); out.println(r);
} }
out.close(); out.close();
@ -113,85 +113,53 @@ public class ZoneUtils
* Given just the list of records, determine the zone name (origin). * Given just the list of records, determine the zone name (origin).
* *
* @param records * @param records
* a list of {@link org.xbill.DNS.Record} or * a list of {@link org.xbill.DNS.Record} objects.
* {@link org.xbill.DNS.RRset} objects.
* @return the zone name, if found. null if one couldn't be found. * @return the zone name, if found. null if one couldn't be found.
*/ */
public static Name findZoneName(List records) public static Name findZoneName(List<Record> records)
{ {
for (Iterator i = records.iterator(); i.hasNext();) for (Record r : records)
{ {
int type = 0; int type = r.getType();
Name n = null;
Object o = i.next(); if (type == Type.SOA) return r.getName();
if (o instanceof Record)
{
Record r = (Record) o;
type = r.getType();
n = r.getName();
}
else if (o instanceof RRset)
{
RRset r = (RRset) o;
type = r.getType();
n = r.getName();
}
if (type == Type.SOA) return n;
} }
return null; return null;
} }
public static List findRRs(List records, Name name, int type) public static List<Record> findRRs(List<Record> records, Name name, int type)
{ {
List res = new ArrayList(); List<Record> res = new ArrayList<Record>();
for (Iterator i = records.iterator(); i.hasNext();) for (Record r : records)
{ {
Object o = i.next();
if (o instanceof Record)
{
Record r = (Record) o;
if (r.getName().equals(name) && r.getType() == type) if (r.getName().equals(name) && r.getType() == type)
{ {
res.add(r); res.add(r);
} }
} }
else if (o instanceof RRset)
{
RRset r = (RRset) o;
if (r.getName().equals(name) && r.getType() == type)
{
for (Iterator j = r.rrs(); j.hasNext();)
{
res.add(j.next());
}
}
}
}
return res; return res;
} }
/** This is an alternate way to format an RRset into a string */ /** This is an alternate way to format an RRset into a string */
@SuppressWarnings("unchecked")
public static String rrsetToString(RRset rrset, boolean includeSigs) public static String rrsetToString(RRset rrset, boolean includeSigs)
{ {
StringBuilder out = new StringBuilder(); StringBuilder out = new StringBuilder();
for (Iterator i = rrset.rrs(false); i.hasNext();) for (Iterator<Record> i = rrset.rrs(false); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = i.next();
out.append(r.toString()); out.append(r.toString());
out.append("\n"); out.append("\n");
} }
if (includeSigs) if (includeSigs)
{ {
for (Iterator i = rrset.sigs(); i.hasNext();) for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
{ {
Record r = (Record) i.next(); Record r = i.next();
out.append(r.toString()); out.append(r.toString());
out.append("\n"); out.append("\n");
} }

15
src/com/verisignlabs/dnssec/security/ZoneVerifier.java
View File

@ -337,25 +337,26 @@ public class ZoneVerifier
return errors; return errors;
} }
private static String reasonListToString(List reasons) private static String reasonListToString(List<String> reasons)
{ {
if (reasons == null) return ""; if (reasons == null) return "";
StringBuffer out = new StringBuffer(); StringBuffer out = new StringBuffer();
for (Iterator i = reasons.iterator(); i.hasNext();) for (Iterator<String> i = reasons.iterator(); i.hasNext();)
{ {
out.append("Reason: "); out.append("Reason: ");
out.append((String) i.next()); out.append(i.next());
if (i.hasNext()) out.append("\n"); if (i.hasNext()) out.append("\n");
} }
return out.toString(); return out.toString();
} }
@SuppressWarnings("unchecked")
private int processRRset(RRset rrset) private int processRRset(RRset rrset)
{ {
List reasons = new ArrayList(); List<String> reasons = new ArrayList<String>();
int result = DNSSEC.Failed; int result = DNSSEC.Failed;
for (Iterator i = rrset.sigs(); i.hasNext();) for (Iterator<Record> i = rrset.sigs(); i.hasNext();)
{ {
RRSIGRecord sigrec = (RRSIGRecord) i.next(); RRSIGRecord sigrec = (RRSIGRecord) i.next();
byte res = mVerifier.verifySignature(rrset, sigrec, null, reasons); byte res = mVerifier.verifySignature(rrset, sigrec, null, reasons);
@ -415,7 +416,7 @@ public class ZoneVerifier
// should be empty. // should be empty.
if (typeset == null) return types.length == 0; if (typeset == null) return types.length == 0;
Set compareTypeset = new HashSet(); Set<Integer> compareTypeset = new HashSet<Integer>();
for (int i = 0; i < types.length; ++i) for (int i = 0; i < types.length; ++i)
{ {
compareTypeset.add(types[i]); compareTypeset.add(types[i]);
@ -705,7 +706,7 @@ public class ZoneVerifier
return errors; return errors;
} }
public int verifyZone(List records) throws NoSuchAlgorithmException, TextParseException public int verifyZone(List<Record> records) throws NoSuchAlgorithmException, TextParseException
{ {
int errors = 0; int errors = 0;