Compare commits
No commits in common. "33b4630f4bef0c44616b062e7013f1da0d4cfc9c" and "6118ae718ea974821bef43142d9b2afdfb67c9e3" have entirely different histories.
33b4630f4b
...
6118ae718e
6
.gitattributes
vendored
Normal file
6
.gitattributes
vendored
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
#
|
||||||
|
# https://help.github.com/articles/dealing-with-line-endings/
|
||||||
|
#
|
||||||
|
# These are explicitly windows files and should use crlf
|
||||||
|
*.bat text eol=crlf
|
||||||
|
|
25
build.gradle
Normal file
25
build.gradle
Normal file
@ -0,0 +1,25 @@
|
|||||||
|
/**
|
||||||
|
|
||||||
|
Declares dependencies for Jdnssec-tools
|
||||||
|
|
||||||
|
**/
|
||||||
|
|
||||||
|
apply plugin: 'java'
|
||||||
|
apply plugin: 'eclipse'
|
||||||
|
apply plugin: 'idea'
|
||||||
|
|
||||||
|
jar {
|
||||||
|
baseName = 'jdnssec-tools'
|
||||||
|
version = '0.17.1'
|
||||||
|
}
|
||||||
|
|
||||||
|
repositories {
|
||||||
|
mavenCentral()
|
||||||
|
}
|
||||||
|
|
||||||
|
sourceCompatibility = 1.8
|
||||||
|
targetCompatibility = 1.8
|
||||||
|
|
||||||
|
dependencies {
|
||||||
|
compile fileTree(dir: 'lib', include: '*.jar')
|
||||||
|
}
|
@ -1,2 +1,3 @@
|
|||||||
|
#build.compiler=jikes
|
||||||
|
#build.compiler=modern
|
||||||
build.deprecation=true
|
build.deprecation=true
|
||||||
build.debug=true
|
|
||||||
|
10
build.xml
10
build.xml
@ -44,11 +44,11 @@
|
|||||||
<javac srcdir="${build.src}"
|
<javac srcdir="${build.src}"
|
||||||
destdir="${build.dest}"
|
destdir="${build.dest}"
|
||||||
classpathref="project.classpath"
|
classpathref="project.classpath"
|
||||||
deprecation="${build.deprecation}"
|
deprecation="true"
|
||||||
includeantruntime="false"
|
includeantruntime="false"
|
||||||
includes="com/verisignlabs/dnssec/"
|
includes="com/verisignlabs/dnssec/"
|
||||||
debug="${build.debug}"
|
source="17"
|
||||||
release="17" />
|
target="17" />
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
<target name="sectools-jar" depends="usage,sectools">
|
<target name="sectools-jar" depends="usage,sectools">
|
||||||
@ -154,11 +154,13 @@
|
|||||||
|
|
||||||
|
|
||||||
<target name="dist" depends="sectools-dist">
|
<target name="dist" depends="sectools-dist">
|
||||||
|
<echo message="do not forget to tag the release:" />
|
||||||
|
<echo message=" svn-tag ${version}" />
|
||||||
</target>
|
</target>
|
||||||
|
|
||||||
<target name="usage">
|
<target name="usage">
|
||||||
<echo message=" " />
|
<echo message=" " />
|
||||||
<echo message="jdnssec-tools v. ${version} Build System" />
|
<echo message="SECTOOLS v. ${version} Build System" />
|
||||||
<echo message="--------------------------------" />
|
<echo message="--------------------------------" />
|
||||||
<echo message="Available Targets:" />
|
<echo message="Available Targets:" />
|
||||||
<echo message=" compile (default) - compiles the source code, creates jar" />
|
<echo message=" compile (default) - compiles the source code, creates jar" />
|
||||||
|
BIN
gradle/wrapper/gradle-wrapper.jar
vendored
Normal file
BIN
gradle/wrapper/gradle-wrapper.jar
vendored
Normal file
Binary file not shown.
5
gradle/wrapper/gradle-wrapper.properties
vendored
Normal file
5
gradle/wrapper/gradle-wrapper.properties
vendored
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
distributionBase=GRADLE_USER_HOME
|
||||||
|
distributionPath=wrapper/dists
|
||||||
|
distributionUrl=https\://services.gradle.org/distributions/gradle-6.7.1-bin.zip
|
||||||
|
zipStoreBase=GRADLE_USER_HOME
|
||||||
|
zipStorePath=wrapper/dists
|
185
gradlew
vendored
Executable file
185
gradlew
vendored
Executable file
@ -0,0 +1,185 @@
|
|||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
#
|
||||||
|
# Copyright 2015 the original author or authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
##
|
||||||
|
## Gradle start up script for UN*X
|
||||||
|
##
|
||||||
|
##############################################################################
|
||||||
|
|
||||||
|
# Attempt to set APP_HOME
|
||||||
|
# Resolve links: $0 may be a link
|
||||||
|
PRG="$0"
|
||||||
|
# Need this for relative symlinks.
|
||||||
|
while [ -h "$PRG" ] ; do
|
||||||
|
ls=`ls -ld "$PRG"`
|
||||||
|
link=`expr "$ls" : '.*-> \(.*\)$'`
|
||||||
|
if expr "$link" : '/.*' > /dev/null; then
|
||||||
|
PRG="$link"
|
||||||
|
else
|
||||||
|
PRG=`dirname "$PRG"`"/$link"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
SAVED="`pwd`"
|
||||||
|
cd "`dirname \"$PRG\"`/" >/dev/null
|
||||||
|
APP_HOME="`pwd -P`"
|
||||||
|
cd "$SAVED" >/dev/null
|
||||||
|
|
||||||
|
APP_NAME="Gradle"
|
||||||
|
APP_BASE_NAME=`basename "$0"`
|
||||||
|
|
||||||
|
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
|
||||||
|
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
|
||||||
|
|
||||||
|
# Use the maximum available, or set MAX_FD != -1 to use that value.
|
||||||
|
MAX_FD="maximum"
|
||||||
|
|
||||||
|
warn () {
|
||||||
|
echo "$*"
|
||||||
|
}
|
||||||
|
|
||||||
|
die () {
|
||||||
|
echo
|
||||||
|
echo "$*"
|
||||||
|
echo
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# OS specific support (must be 'true' or 'false').
|
||||||
|
cygwin=false
|
||||||
|
msys=false
|
||||||
|
darwin=false
|
||||||
|
nonstop=false
|
||||||
|
case "`uname`" in
|
||||||
|
CYGWIN* )
|
||||||
|
cygwin=true
|
||||||
|
;;
|
||||||
|
Darwin* )
|
||||||
|
darwin=true
|
||||||
|
;;
|
||||||
|
MINGW* )
|
||||||
|
msys=true
|
||||||
|
;;
|
||||||
|
NONSTOP* )
|
||||||
|
nonstop=true
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
|
||||||
|
|
||||||
|
|
||||||
|
# Determine the Java command to use to start the JVM.
|
||||||
|
if [ -n "$JAVA_HOME" ] ; then
|
||||||
|
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
|
||||||
|
# IBM's JDK on AIX uses strange locations for the executables
|
||||||
|
JAVACMD="$JAVA_HOME/jre/sh/java"
|
||||||
|
else
|
||||||
|
JAVACMD="$JAVA_HOME/bin/java"
|
||||||
|
fi
|
||||||
|
if [ ! -x "$JAVACMD" ] ; then
|
||||||
|
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
|
||||||
|
|
||||||
|
Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
location of your Java installation."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
JAVACMD="java"
|
||||||
|
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
|
||||||
|
|
||||||
|
Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
location of your Java installation."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Increase the maximum file descriptors if we can.
|
||||||
|
if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
|
||||||
|
MAX_FD_LIMIT=`ulimit -H -n`
|
||||||
|
if [ $? -eq 0 ] ; then
|
||||||
|
if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
|
||||||
|
MAX_FD="$MAX_FD_LIMIT"
|
||||||
|
fi
|
||||||
|
ulimit -n $MAX_FD
|
||||||
|
if [ $? -ne 0 ] ; then
|
||||||
|
warn "Could not set maximum file descriptor limit: $MAX_FD"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# For Darwin, add options to specify how the application appears in the dock
|
||||||
|
if $darwin; then
|
||||||
|
GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
|
||||||
|
fi
|
||||||
|
|
||||||
|
# For Cygwin or MSYS, switch paths to Windows format before running java
|
||||||
|
if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
|
||||||
|
APP_HOME=`cygpath --path --mixed "$APP_HOME"`
|
||||||
|
CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
|
||||||
|
|
||||||
|
JAVACMD=`cygpath --unix "$JAVACMD"`
|
||||||
|
|
||||||
|
# We build the pattern for arguments to be converted via cygpath
|
||||||
|
ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
|
||||||
|
SEP=""
|
||||||
|
for dir in $ROOTDIRSRAW ; do
|
||||||
|
ROOTDIRS="$ROOTDIRS$SEP$dir"
|
||||||
|
SEP="|"
|
||||||
|
done
|
||||||
|
OURCYGPATTERN="(^($ROOTDIRS))"
|
||||||
|
# Add a user-defined pattern to the cygpath arguments
|
||||||
|
if [ "$GRADLE_CYGPATTERN" != "" ] ; then
|
||||||
|
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
|
||||||
|
fi
|
||||||
|
# Now convert the arguments - kludge to limit ourselves to /bin/sh
|
||||||
|
i=0
|
||||||
|
for arg in "$@" ; do
|
||||||
|
CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
|
||||||
|
CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
|
||||||
|
|
||||||
|
if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
|
||||||
|
eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
|
||||||
|
else
|
||||||
|
eval `echo args$i`="\"$arg\""
|
||||||
|
fi
|
||||||
|
i=`expr $i + 1`
|
||||||
|
done
|
||||||
|
case $i in
|
||||||
|
0) set -- ;;
|
||||||
|
1) set -- "$args0" ;;
|
||||||
|
2) set -- "$args0" "$args1" ;;
|
||||||
|
3) set -- "$args0" "$args1" "$args2" ;;
|
||||||
|
4) set -- "$args0" "$args1" "$args2" "$args3" ;;
|
||||||
|
5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
|
||||||
|
6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
|
||||||
|
7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
|
||||||
|
8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
|
||||||
|
9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Escape application args
|
||||||
|
save () {
|
||||||
|
for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
|
||||||
|
echo " "
|
||||||
|
}
|
||||||
|
APP_ARGS=`save "$@"`
|
||||||
|
|
||||||
|
# Collect all arguments for the java command, following the shell quoting and substitution rules
|
||||||
|
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
|
||||||
|
|
||||||
|
exec "$JAVACMD" "$@"
|
89
gradlew.bat
vendored
Normal file
89
gradlew.bat
vendored
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
@rem
|
||||||
|
@rem Copyright 2015 the original author or authors.
|
||||||
|
@rem
|
||||||
|
@rem Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
@rem you may not use this file except in compliance with the License.
|
||||||
|
@rem You may obtain a copy of the License at
|
||||||
|
@rem
|
||||||
|
@rem https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
@rem
|
||||||
|
@rem Unless required by applicable law or agreed to in writing, software
|
||||||
|
@rem distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
@rem See the License for the specific language governing permissions and
|
||||||
|
@rem limitations under the License.
|
||||||
|
@rem
|
||||||
|
|
||||||
|
@if "%DEBUG%" == "" @echo off
|
||||||
|
@rem ##########################################################################
|
||||||
|
@rem
|
||||||
|
@rem Gradle startup script for Windows
|
||||||
|
@rem
|
||||||
|
@rem ##########################################################################
|
||||||
|
|
||||||
|
@rem Set local scope for the variables with windows NT shell
|
||||||
|
if "%OS%"=="Windows_NT" setlocal
|
||||||
|
|
||||||
|
set DIRNAME=%~dp0
|
||||||
|
if "%DIRNAME%" == "" set DIRNAME=.
|
||||||
|
set APP_BASE_NAME=%~n0
|
||||||
|
set APP_HOME=%DIRNAME%
|
||||||
|
|
||||||
|
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
|
||||||
|
for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
|
||||||
|
|
||||||
|
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
|
||||||
|
set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
|
||||||
|
|
||||||
|
@rem Find java.exe
|
||||||
|
if defined JAVA_HOME goto findJavaFromJavaHome
|
||||||
|
|
||||||
|
set JAVA_EXE=java.exe
|
||||||
|
%JAVA_EXE% -version >NUL 2>&1
|
||||||
|
if "%ERRORLEVEL%" == "0" goto execute
|
||||||
|
|
||||||
|
echo.
|
||||||
|
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
|
||||||
|
echo.
|
||||||
|
echo Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
echo location of your Java installation.
|
||||||
|
|
||||||
|
goto fail
|
||||||
|
|
||||||
|
:findJavaFromJavaHome
|
||||||
|
set JAVA_HOME=%JAVA_HOME:"=%
|
||||||
|
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
|
||||||
|
|
||||||
|
if exist "%JAVA_EXE%" goto execute
|
||||||
|
|
||||||
|
echo.
|
||||||
|
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
|
||||||
|
echo.
|
||||||
|
echo Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
echo location of your Java installation.
|
||||||
|
|
||||||
|
goto fail
|
||||||
|
|
||||||
|
:execute
|
||||||
|
@rem Setup the command line
|
||||||
|
|
||||||
|
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
|
||||||
|
|
||||||
|
|
||||||
|
@rem Execute Gradle
|
||||||
|
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
|
||||||
|
|
||||||
|
:end
|
||||||
|
@rem End local scope for the variables with windows NT shell
|
||||||
|
if "%ERRORLEVEL%"=="0" goto mainEnd
|
||||||
|
|
||||||
|
:fail
|
||||||
|
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
|
||||||
|
rem the _cmd.exe /c_ return code!
|
||||||
|
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
|
||||||
|
exit /b 1
|
||||||
|
|
||||||
|
:mainEnd
|
||||||
|
if "%OS%"=="Windows_NT" endlocal
|
||||||
|
|
||||||
|
:omega
|
BIN
lib/commons-cli-1.5.0.jar
Normal file
BIN
lib/commons-cli-1.5.0.jar
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
BIN
lib/eddsa-0.3.0.jar
Normal file
BIN
lib/eddsa-0.3.0.jar
Normal file
Binary file not shown.
@ -56,7 +56,7 @@ public class DSTool extends CLBase {
|
|||||||
public dsType createType = dsType.DS;
|
public dsType createType = dsType.DS;
|
||||||
public String outputfile = null;
|
public String outputfile = null;
|
||||||
public String keyname = null;
|
public String keyname = null;
|
||||||
public int digestId = DNSSEC.Digest.SHA256;
|
public int digestId = DNSSEC.Digest.SHA1;
|
||||||
|
|
||||||
public CLIState() {
|
public CLIState() {
|
||||||
super("jdnssec-dstool [..options..] keyfile");
|
super("jdnssec-dstool [..options..] keyfile");
|
||||||
@ -71,8 +71,7 @@ public class DSTool extends CLBase {
|
|||||||
protected void setupOptions(Options opts) {
|
protected void setupOptions(Options opts) {
|
||||||
opts.addOption(Option.builder("D").longOpt("dlv").desc("Generate a DLV record instead.").build());
|
opts.addOption(Option.builder("D").longOpt("dlv").desc("Generate a DLV record instead.").build());
|
||||||
opts.addOption(Option.builder("C").longOpt("cds").desc("Generate a CDS record instead").build());
|
opts.addOption(Option.builder("C").longOpt("cds").desc("Generate a CDS record instead").build());
|
||||||
opts.addOption(
|
opts.addOption(Option.builder("d").hasArg().argName("id").longOpt("digest").desc("The digest algorithm to use").build());
|
||||||
Option.builder("d").hasArg().argName("id").longOpt("digest").desc("The digest algorithm to use").build());
|
|
||||||
opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output").desc("output to file").build());
|
opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output").desc("output to file").build());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -44,8 +44,8 @@ public class KeyGen extends CLBase {
|
|||||||
* state.
|
* state.
|
||||||
*/
|
*/
|
||||||
protected static class CLIState extends CLIStateBase {
|
protected static class CLIState extends CLIStateBase {
|
||||||
public int algorithm = 13;
|
public int algorithm = 8;
|
||||||
public int keylength = 2048;
|
public int keylength = 1024;
|
||||||
public boolean useLargeE = true;
|
public boolean useLargeE = true;
|
||||||
public String outputfile = null;
|
public String outputfile = null;
|
||||||
public File keydir = null;
|
public File keydir = null;
|
||||||
@ -77,10 +77,10 @@ public class KeyGen extends CLBase {
|
|||||||
String[] algStrings = DnsKeyAlgorithm.getInstance().supportedAlgMnemonics();
|
String[] algStrings = DnsKeyAlgorithm.getInstance().supportedAlgMnemonics();
|
||||||
String algStringSet = String.join(" | ", algStrings);
|
String algStringSet = String.join(" | ", algStrings);
|
||||||
opts.addOption(Option.builder("a").hasArg().argName("algorithm")
|
opts.addOption(Option.builder("a").hasArg().argName("algorithm")
|
||||||
.desc(algStringSet + " | alias, ECDSAP256SHA256 is default.").build());
|
.desc(algStringSet + " | alias, RSASHA256 is default.").build());
|
||||||
|
|
||||||
opts.addOption(Option.builder("b").hasArg().argName("size").desc(
|
opts.addOption(Option.builder("b").hasArg().argName("size").desc(
|
||||||
"key size, in bits (default 2048). RSA: [512..4096], DSA: [512..1024], DH: [128..4096], ECDSA: ignored, EdDSA: ignored")
|
"key size, in bits (default 1024). RSA: [512..4096], DSA: [512..1024], DH: [128..4096], ECDSA: ignored, EdDSA: ignored")
|
||||||
.build());
|
.build());
|
||||||
opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output-file")
|
opts.addOption(Option.builder("f").hasArg().argName("file").longOpt("output-file")
|
||||||
.desc("base filename from the public/private key files").build());
|
.desc("base filename from the public/private key files").build());
|
||||||
|
@ -84,13 +84,13 @@ public class KeyInfoTool extends CLBase {
|
|||||||
+ " (" + dnskey.getAlgorithm() + ")");
|
+ " (" + dnskey.getAlgorithm() + ")");
|
||||||
System.out.println("ID: " + dnskey.getFootprint());
|
System.out.println("ID: " + dnskey.getFootprint());
|
||||||
System.out.println("KeyFileBase: " + BINDKeyUtils.keyFileBase(key));
|
System.out.println("KeyFileBase: " + BINDKeyUtils.keyFileBase(key));
|
||||||
DnsKeyAlgorithm.BaseAlgorithm basetype = dnskeyalg.baseType(dnskey.getAlgorithm());
|
int basetype = dnskeyalg.baseType(dnskey.getAlgorithm());
|
||||||
|
|
||||||
if (basetype == DnsKeyAlgorithm.BaseAlgorithm.RSA) {
|
if (basetype == DnsKeyAlgorithm.RSA) {
|
||||||
RSAPublicKey pub = (RSAPublicKey) key.getPublic();
|
RSAPublicKey pub = (RSAPublicKey) key.getPublic();
|
||||||
System.out.println("RSA Public Exponent: " + pub.getPublicExponent());
|
System.out.println("RSA Public Exponent: " + pub.getPublicExponent());
|
||||||
System.out.println("RSA Modulus: " + pub.getModulus());
|
System.out.println("RSA Modulus: " + pub.getModulus());
|
||||||
} else if (basetype == DnsKeyAlgorithm.BaseAlgorithm.DSA) {
|
} else if (basetype == DnsKeyAlgorithm.DSA) {
|
||||||
DSAPublicKey pub = (DSAPublicKey) key.getPublic();
|
DSAPublicKey pub = (DSAPublicKey) key.getPublic();
|
||||||
System.out.println("DSA base (G): " + pub.getParams().getG());
|
System.out.println("DSA base (G): " + pub.getParams().getG());
|
||||||
System.out.println("DSA prime (P): " + pub.getParams().getP());
|
System.out.println("DSA prime (P): " + pub.getParams().getP());
|
||||||
|
@ -75,14 +75,10 @@ public class SignKeyset extends CLBase {
|
|||||||
opts.addOption("a", "verify", false, "verify generated signatures>");
|
opts.addOption("a", "verify", false, "verify generated signatures>");
|
||||||
|
|
||||||
// Argument options
|
// Argument options
|
||||||
opts.addOption(Option.builder("D").hasArg().argName("dir").longOpt("key-directory")
|
opts.addOption(Option.builder("D").hasArg().argName("dir").longOpt("key-directory").desc("directory where key files are found (default '.').").build());
|
||||||
.desc("directory where key files are found (default '.').").build());
|
opts.addOption(Option.builder("s").hasArg().argName("time/offset").longOpt("start-time").desc("signature starting time (default is now - 1 hour)").build());
|
||||||
opts.addOption(Option.builder("s").hasArg().argName("time/offset").longOpt("start-time")
|
opts.addOption(Option.builder("e").hasArg().argName("time/offset").longOpt("expire-time").desc("signature expiration time (default is start-time + 30 days)").build());
|
||||||
.desc("signature starting time (default is now - 1 hour)").build());
|
opts.addOption(Option.builder("f").hasArg().argName("outfile").desc("file the signed keyset is written to").build());
|
||||||
opts.addOption(Option.builder("e").hasArg().argName("time/offset").longOpt("expire-time")
|
|
||||||
.desc("signature expiration time (default is start-time + 30 days)").build());
|
|
||||||
opts.addOption(
|
|
||||||
Option.builder("f").hasArg().argName("outfile").desc("file the signed keyset is written to").build());
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
@ -134,8 +130,10 @@ public class SignKeyset extends CLBase {
|
|||||||
/**
|
/**
|
||||||
* Verify the generated signatures.
|
* Verify the generated signatures.
|
||||||
*
|
*
|
||||||
* @param records a list of {@link org.xbill.DNS.Record}s.
|
* @param records
|
||||||
* @param keypairs a list of keypairs used the sign the zone.
|
* a list of {@link org.xbill.DNS.Record}s.
|
||||||
|
* @param keypairs
|
||||||
|
* a list of keypairs used the sign the zone.
|
||||||
* @return true if all of the signatures validated.
|
* @return true if all of the signatures validated.
|
||||||
*/
|
*/
|
||||||
private static boolean verifySigs(List<Record> records,
|
private static boolean verifySigs(List<Record> records,
|
||||||
@ -171,12 +169,15 @@ public class SignKeyset extends CLBase {
|
|||||||
/**
|
/**
|
||||||
* Load the key pairs from the key files.
|
* Load the key pairs from the key files.
|
||||||
*
|
*
|
||||||
* @param keyfiles a string array containing the base names or paths of the
|
* @param keyfiles
|
||||||
* keys to be loaded.
|
* a string array containing the base names or paths of the
|
||||||
* @param startIndex the starting index of keyfiles string array to use. This
|
* keys
|
||||||
* allows us to use the straight command line argument
|
* to be loaded.
|
||||||
* array.
|
* @param startIndex
|
||||||
* @param inDirectory the directory to look in (may be null).
|
* the starting index of keyfiles string array to use. This
|
||||||
|
* allows us to use the straight command line argument array.
|
||||||
|
* @param inDirectory
|
||||||
|
* the directory to look in (may be null).
|
||||||
* @return a list of keypair objects.
|
* @return a list of keypair objects.
|
||||||
*/
|
*/
|
||||||
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
||||||
|
@ -137,8 +137,10 @@ public class SignRRset extends CLBase {
|
|||||||
/**
|
/**
|
||||||
* Verify the generated signatures.
|
* Verify the generated signatures.
|
||||||
*
|
*
|
||||||
* @param records a list of {@link org.xbill.DNS.Record}s.
|
* @param records
|
||||||
* @param keypairs a list of keypairs used the sign the zone.
|
* a list of {@link org.xbill.DNS.Record}s.
|
||||||
|
* @param keypairs
|
||||||
|
* a list of keypairs used the sign the zone.
|
||||||
* @return true if all of the signatures validated.
|
* @return true if all of the signatures validated.
|
||||||
*/
|
*/
|
||||||
private static boolean verifySigs(List<Record> records, List<DnsKeyPair> keypairs) {
|
private static boolean verifySigs(List<Record> records, List<DnsKeyPair> keypairs) {
|
||||||
@ -174,12 +176,15 @@ public class SignRRset extends CLBase {
|
|||||||
/**
|
/**
|
||||||
* Load the key pairs from the key files.
|
* Load the key pairs from the key files.
|
||||||
*
|
*
|
||||||
* @param keyfiles a string array containing the base names or paths of the
|
* @param keyfiles
|
||||||
* keys to be loaded.
|
* a string array containing the base names or paths of the
|
||||||
* @param startIndex the starting index of keyfiles string array to use. This
|
* keys
|
||||||
* allows us to use the straight command line argument
|
* to be loaded.
|
||||||
* array.
|
* @param startIndex
|
||||||
* @param inDirectory the directory to look in (may be null).
|
* the starting index of keyfiles string array to use. This
|
||||||
|
* allows us to use the straight command line argument array.
|
||||||
|
* @param inDirectory
|
||||||
|
* the directory to look in (may be null).
|
||||||
* @return a list of keypair objects.
|
* @return a list of keypair objects.
|
||||||
*/
|
*/
|
||||||
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
||||||
|
@ -79,8 +79,6 @@ public class SignZone extends CLBase {
|
|||||||
public long nsec3paramttl = -1;
|
public long nsec3paramttl = -1;
|
||||||
public boolean verboseSigning = false;
|
public boolean verboseSigning = false;
|
||||||
|
|
||||||
private static final Random rand = new Random();
|
|
||||||
|
|
||||||
public CLIState() {
|
public CLIState() {
|
||||||
super("jdnssec-signzone [..options..] zone_file [key_file ...]");
|
super("jdnssec-signzone [..options..] zone_file [key_file ...]");
|
||||||
}
|
}
|
||||||
@ -200,8 +198,9 @@ public class SignZone extends CLBase {
|
|||||||
if ((optstr = cli.getOptionValue('R')) != null) {
|
if ((optstr = cli.getOptionValue('R')) != null) {
|
||||||
int length = parseInt(optstr, 0);
|
int length = parseInt(optstr, 0);
|
||||||
if (length > 0 && length <= 255) {
|
if (length > 0 && length <= 255) {
|
||||||
|
Random random = new Random();
|
||||||
salt = new byte[length];
|
salt = new byte[length];
|
||||||
rand.nextBytes(salt);
|
random.nextBytes(salt);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -242,8 +241,8 @@ public class SignZone extends CLBase {
|
|||||||
/**
|
/**
|
||||||
* Load a list of DNS names from a file.
|
* Load a list of DNS names from a file.
|
||||||
*
|
*
|
||||||
* @param nameListFile the path of a file containing a bare list of DNS
|
* @param nameListFile
|
||||||
* names.
|
* the path of a file containing a bare list of DNS names.
|
||||||
* @return a list of {@link org.xbill.DNS.Name} objects.
|
* @return a list of {@link org.xbill.DNS.Name} objects.
|
||||||
*/
|
*/
|
||||||
private static List<Name> getNameList(File nameListFile) throws IOException {
|
private static List<Name> getNameList(File nameListFile) throws IOException {
|
||||||
@ -255,6 +254,9 @@ public class SignZone extends CLBase {
|
|||||||
try {
|
try {
|
||||||
Name n = Name.fromString(line);
|
Name n = Name.fromString(line);
|
||||||
// force the name to be absolute.
|
// force the name to be absolute.
|
||||||
|
// FIXME: we should probably get some fancy logic here to
|
||||||
|
// detect if the name needs the origin appended, or just the
|
||||||
|
// root.
|
||||||
if (!n.isAbsolute())
|
if (!n.isAbsolute())
|
||||||
n = Name.concatenate(n, Name.root);
|
n = Name.concatenate(n, Name.root);
|
||||||
|
|
||||||
@ -272,12 +274,14 @@ public class SignZone extends CLBase {
|
|||||||
/**
|
/**
|
||||||
* Verify the generated signatures.
|
* Verify the generated signatures.
|
||||||
*
|
*
|
||||||
* @param records a list of {@link org.xbill.DNS.Record}s.
|
* @param records
|
||||||
* @param keypairs a list of keypairs used the sign the zone.
|
* a list of {@link org.xbill.DNS.Record}s.
|
||||||
|
* @param keypairs
|
||||||
|
* a list of keypairs used the sign the zone.
|
||||||
* @return true if all of the signatures validated.
|
* @return true if all of the signatures validated.
|
||||||
*/
|
*/
|
||||||
private static boolean verifyZoneSigs(List<Record> records,
|
private static boolean verifyZoneSigs(List<Record> records,
|
||||||
List<DnsKeyPair> keypairs, List<DnsKeyPair> kskpairs) {
|
List<DnsKeyPair> keypairs) {
|
||||||
boolean secure = true;
|
boolean secure = true;
|
||||||
|
|
||||||
DnsSecVerifier verifier = new DnsSecVerifier();
|
DnsSecVerifier verifier = new DnsSecVerifier();
|
||||||
@ -285,9 +289,7 @@ public class SignZone extends CLBase {
|
|||||||
for (DnsKeyPair pair : keypairs) {
|
for (DnsKeyPair pair : keypairs) {
|
||||||
verifier.addTrustedKey(pair);
|
verifier.addTrustedKey(pair);
|
||||||
}
|
}
|
||||||
for (DnsKeyPair pair : kskpairs) {
|
|
||||||
verifier.addTrustedKey(pair);
|
|
||||||
}
|
|
||||||
verifier.setVerifyAllSigs(true);
|
verifier.setVerifyAllSigs(true);
|
||||||
|
|
||||||
List<RRset> rrsets = SignUtils.assembleIntoRRsets(records);
|
List<RRset> rrsets = SignUtils.assembleIntoRRsets(records);
|
||||||
@ -301,7 +303,6 @@ public class SignZone extends CLBase {
|
|||||||
boolean result = verifier.verify(rrset);
|
boolean result = verifier.verify(rrset);
|
||||||
|
|
||||||
if (!result) {
|
if (!result) {
|
||||||
System.err.println("Signatures did not verify for RRset: " + rrset);
|
|
||||||
staticLog.fine("Signatures did not verify for RRset: " + rrset);
|
staticLog.fine("Signatures did not verify for RRset: " + rrset);
|
||||||
secure = false;
|
secure = false;
|
||||||
}
|
}
|
||||||
@ -313,12 +314,17 @@ public class SignZone extends CLBase {
|
|||||||
/**
|
/**
|
||||||
* Load the key pairs from the key files.
|
* Load the key pairs from the key files.
|
||||||
*
|
*
|
||||||
* @param keyfiles a string array containing the base names or paths of the
|
* @param keyfiles
|
||||||
* keys to be loaded.
|
* a string array containing the base names or paths of the
|
||||||
* @param startIndex the starting index of keyfiles string array to use. This
|
* keys to
|
||||||
* allows us to use the straight command line argument
|
* be loaded.
|
||||||
* array.
|
* @param startIndex
|
||||||
* @param inDirectory the directory to look in (may be null).
|
* the starting index of keyfiles string array to use. This
|
||||||
|
* allows
|
||||||
|
* us
|
||||||
|
* to use the straight command line argument array.
|
||||||
|
* @param inDirectory
|
||||||
|
* the directory to look in (may be null).
|
||||||
* @return a list of keypair objects.
|
* @return a list of keypair objects.
|
||||||
*/
|
*/
|
||||||
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
private static List<DnsKeyPair> getKeys(String[] keyfiles, int startIndex,
|
||||||
@ -412,12 +418,19 @@ public class SignZone extends CLBase {
|
|||||||
/**
|
/**
|
||||||
* Load keysets (which contain delegation point security info).
|
* Load keysets (which contain delegation point security info).
|
||||||
*
|
*
|
||||||
* @param inDirectory the directory to look for the keyset files (may be null,
|
* @param inDirectory
|
||||||
* in which case it defaults to looking in the current
|
* the directory to look for the keyset files (may be null,
|
||||||
* working directory).
|
* in
|
||||||
* @param zonename the name of the zone we are signing, so we can ignore
|
* which
|
||||||
* keysets that do not belong in the zone.
|
* case it defaults to looking in the current working
|
||||||
* @return a list of {@link org.xbill.DNS.Record}s found in the keyset files.
|
* directory).
|
||||||
|
* @param zonename
|
||||||
|
* the name of the zone we are signing, so we can ignore
|
||||||
|
* keysets
|
||||||
|
* that
|
||||||
|
* do not belong in the zone.
|
||||||
|
* @return a list of {@link org.xbill.DNS.Record}s found in the keyset
|
||||||
|
* files.
|
||||||
*/
|
*/
|
||||||
private static List<Record> getKeysets(File inDirectory, Name zonename)
|
private static List<Record> getKeysets(File inDirectory, Name zonename)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
@ -450,9 +463,13 @@ public class SignZone extends CLBase {
|
|||||||
/**
|
/**
|
||||||
* Determine if the given keypairs can be used to sign the zone.
|
* Determine if the given keypairs can be used to sign the zone.
|
||||||
*
|
*
|
||||||
* @param zonename the zone origin.
|
* @param zonename
|
||||||
* @param keypairs a list of {@link DnsKeyPair} objects that will be used to
|
* the zone origin.
|
||||||
* sign the zone.
|
* @param keypairs
|
||||||
|
* a list of {@link DnsKeyPair} objects that will be used to
|
||||||
|
* sign
|
||||||
|
* the
|
||||||
|
* zone.
|
||||||
* @return true if the keypairs valid.
|
* @return true if the keypairs valid.
|
||||||
*/
|
*/
|
||||||
private static boolean keyPairsValidForZone(Name zonename, List<DnsKeyPair> keypairs) {
|
private static boolean keyPairsValidForZone(Name zonename, List<DnsKeyPair> keypairs) {
|
||||||
@ -486,70 +503,55 @@ public class SignZone extends CLBase {
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Load the key pairs. Note that getKeys() always returns array.
|
// Load the key pairs.
|
||||||
|
|
||||||
List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory);
|
List<DnsKeyPair> keypairs = getKeys(state.keyFiles, 0, state.keyDirectory);
|
||||||
List<DnsKeyPair> kskpairs = getKeys(state.kskFiles, 0, state.keyDirectory);
|
List<DnsKeyPair> kskpairs = getKeys(state.kskFiles, 0, state.keyDirectory);
|
||||||
|
|
||||||
// If we didn't get any keys on the command line, look at the zone apex for
|
// If we didn't get any keys on the command line, look at the zone apex for
|
||||||
// any public keys.
|
// any public keys.
|
||||||
if (keypairs.isEmpty()) {
|
if (keypairs == null && kskpairs == null) {
|
||||||
List<Record> dnskeys = ZoneUtils.findRRs(records, zonename, Type.DNSKEY);
|
List<Record> dnskeys = ZoneUtils.findRRs(records, zonename, Type.DNSKEY);
|
||||||
keypairs = getKeys(dnskeys, state.keyDirectory);
|
keypairs = getKeys(dnskeys, state.keyDirectory);
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we *still* don't have any key pairs, look for keys the key directory
|
// If we *still* don't have any key pairs, look for keys the key directory
|
||||||
// that match
|
// that match
|
||||||
if (keypairs.isEmpty()) {
|
if (keypairs == null && kskpairs == null) {
|
||||||
keypairs = findZoneKeys(state.keyDirectory, zonename);
|
keypairs = findZoneKeys(state.keyDirectory, zonename);
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we don't have any KSKs, but we do have more than one zone
|
// If we don't have any KSKs, but we do have more than one zone
|
||||||
// signing key (presumably), presume that the zone signing keys
|
// signing key (presumably), presume that the zone signing keys
|
||||||
// are just not differentiated and try to figure out which keys
|
// are just not differentiated and try to figure out which keys
|
||||||
// are actually KSKs by looking at the SEP flag.
|
// are actually ksks by looking at the SEP flag.
|
||||||
if (kskpairs.isEmpty() && !keypairs.isEmpty()) {
|
if ((kskpairs == null || kskpairs.isEmpty()) && keypairs != null
|
||||||
|
&& keypairs.size() > 1) {
|
||||||
for (Iterator<DnsKeyPair> i = keypairs.iterator(); i.hasNext();) {
|
for (Iterator<DnsKeyPair> i = keypairs.iterator(); i.hasNext();) {
|
||||||
DnsKeyPair pair = i.next();
|
DnsKeyPair pair = i.next();
|
||||||
DNSKEYRecord kr = pair.getDNSKEYRecord();
|
DNSKEYRecord kr = pair.getDNSKEYRecord();
|
||||||
if ((kr.getFlags() & DNSKEYRecord.Flags.SEP_KEY) != 0) {
|
if ((kr.getFlags() & DNSKEYRecord.Flags.SEP_KEY) != 0) {
|
||||||
|
if (kskpairs == null)
|
||||||
|
kskpairs = new ArrayList<>();
|
||||||
kskpairs.add(pair);
|
kskpairs.add(pair);
|
||||||
i.remove();
|
i.remove();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we have zero keypairs at all, we are stuck.
|
// If there are no ZSKs defined at this point (yet there are KSKs
|
||||||
if (keypairs.isEmpty() && kskpairs.isEmpty()) {
|
// provided), all KSKs will be treated as ZSKs, as well.
|
||||||
|
if (keypairs == null || keypairs.isEmpty()) {
|
||||||
|
keypairs = kskpairs;
|
||||||
|
}
|
||||||
|
|
||||||
|
// If there *still* aren't any ZSKs defined, bail.
|
||||||
|
if (keypairs == null || keypairs.isEmpty()) {
|
||||||
System.err.println("No zone signing keys could be determined.");
|
System.err.println("No zone signing keys could be determined.");
|
||||||
state.usage();
|
state.usage();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we only have one type of key (all ZSKs or all KSKs), then these are
|
|
||||||
// "CSKs" -- Combined signing keys, so assign one set to the other.
|
|
||||||
if (keypairs.isEmpty()) {
|
|
||||||
keypairs = kskpairs;
|
|
||||||
} else if (kskpairs.isEmpty()) {
|
|
||||||
kskpairs = keypairs;
|
|
||||||
}
|
|
||||||
|
|
||||||
// Output what keys we are using for what
|
|
||||||
if (keypairs == kskpairs) {
|
|
||||||
System.out.println("CSKs: ");
|
|
||||||
for (DnsKeyPair kp : keypairs) {
|
|
||||||
System.out.println(" - " + kp);
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
System.out.println("KSKs: ");
|
|
||||||
for (DnsKeyPair kp : kskpairs) {
|
|
||||||
System.out.println(" - " + kp);
|
|
||||||
}
|
|
||||||
System.out.println("ZSKs: ");
|
|
||||||
for (DnsKeyPair kp : keypairs) {
|
|
||||||
System.out.println(" - " + kp);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// default the output file, if not set.
|
// default the output file, if not set.
|
||||||
if (state.outputfile == null && !state.zonefile.equals("-")) {
|
if (state.outputfile == null && !state.zonefile.equals("-")) {
|
||||||
if (zonename.isAbsolute()) {
|
if (zonename.isAbsolute()) {
|
||||||
@ -569,12 +571,12 @@ public class SignZone extends CLBase {
|
|||||||
// We force the signing keys to be in the zone by just appending
|
// We force the signing keys to be in the zone by just appending
|
||||||
// them to the zone here. Currently JCEDnsSecSigner.signZone
|
// them to the zone here. Currently JCEDnsSecSigner.signZone
|
||||||
// removes duplicate records.
|
// removes duplicate records.
|
||||||
if (!kskpairs.isEmpty()) {
|
if (kskpairs != null) {
|
||||||
for (DnsKeyPair pair : kskpairs) {
|
for (DnsKeyPair pair : kskpairs) {
|
||||||
records.add(pair.getDNSKEYRecord());
|
records.add(pair.getDNSKEYRecord());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (!keypairs.isEmpty()) {
|
if (keypairs != null) {
|
||||||
for (DnsKeyPair pair : keypairs) {
|
for (DnsKeyPair pair : keypairs) {
|
||||||
records.add(pair.getDNSKEYRecord());
|
records.add(pair.getDNSKEYRecord());
|
||||||
}
|
}
|
||||||
@ -606,11 +608,15 @@ public class SignZone extends CLBase {
|
|||||||
|
|
||||||
// write out the signed zone
|
// write out the signed zone
|
||||||
ZoneUtils.writeZoneFile(signedRecords, state.outputfile);
|
ZoneUtils.writeZoneFile(signedRecords, state.outputfile);
|
||||||
System.out.println("zone signing complete");
|
|
||||||
|
|
||||||
if (state.verifySigs) {
|
if (state.verifySigs) {
|
||||||
|
// FIXME: ugh.
|
||||||
|
if (kskpairs != null) {
|
||||||
|
keypairs.addAll(kskpairs);
|
||||||
|
}
|
||||||
|
|
||||||
log.fine("verifying generated signatures");
|
log.fine("verifying generated signatures");
|
||||||
boolean res = verifyZoneSigs(signedRecords, keypairs, kskpairs);
|
boolean res = verifyZoneSigs(signedRecords, keypairs);
|
||||||
|
|
||||||
if (res) {
|
if (res) {
|
||||||
System.out.println("Generated signatures verified");
|
System.out.println("Generated signatures verified");
|
||||||
@ -618,6 +624,7 @@ public class SignZone extends CLBase {
|
|||||||
System.out.println("Generated signatures did not verify.");
|
System.out.println("Generated signatures did not verify.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void main(String[] args) {
|
public static void main(String[] args) {
|
||||||
|
@ -100,6 +100,7 @@ public class ZoneFormat extends CLBase {
|
|||||||
|
|
||||||
private static void formatZone(List<Record> zone) {
|
private static void formatZone(List<Record> zone) {
|
||||||
|
|
||||||
|
|
||||||
for (Record r : zone) {
|
for (Record r : zone) {
|
||||||
System.out.println(r.toString());
|
System.out.println(r.toString());
|
||||||
}
|
}
|
||||||
|
@ -46,8 +46,7 @@ import org.xbill.DNS.utils.base64;
|
|||||||
*/
|
*/
|
||||||
public class BINDKeyUtils {
|
public class BINDKeyUtils {
|
||||||
|
|
||||||
private BINDKeyUtils() {
|
private BINDKeyUtils() { }
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Calculate the BIND9 key file base name (i.e., without the ".key" or
|
* Calculate the BIND9 key file base name (i.e., without the ".key" or
|
||||||
@ -61,7 +60,8 @@ public class BINDKeyUtils {
|
|||||||
/** Reads in the DNSKEYRecord from the public key file */
|
/** Reads in the DNSKEYRecord from the public key file */
|
||||||
private static DNSKEYRecord loadPublicKeyFile(File publicKeyFile)
|
private static DNSKEYRecord loadPublicKeyFile(File publicKeyFile)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
try (Master m = new Master(publicKeyFile.getAbsolutePath(), null, 600)) {
|
Master m = new Master(publicKeyFile.getAbsolutePath(), null, 600);
|
||||||
|
|
||||||
Record r;
|
Record r;
|
||||||
DNSKEYRecord result = null;
|
DNSKEYRecord result = null;
|
||||||
|
|
||||||
@ -73,7 +73,6 @@ public class BINDKeyUtils {
|
|||||||
|
|
||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
/** Reads in the private key verbatim from the private key file */
|
/** Reads in the private key verbatim from the private key file */
|
||||||
private static String loadPrivateKeyFile(File privateKeyFile)
|
private static String loadPrivateKeyFile(File privateKeyFile)
|
||||||
@ -107,12 +106,17 @@ public class BINDKeyUtils {
|
|||||||
* Given the information necessary to construct the path to a BIND9 generated
|
* Given the information necessary to construct the path to a BIND9 generated
|
||||||
* key pair, load the key pair.
|
* key pair, load the key pair.
|
||||||
*
|
*
|
||||||
* @param signer the DNS name of the key.
|
* @param signer
|
||||||
* @param algorithm the DNSSEC algorithm of the key.
|
* the DNS name of the key.
|
||||||
* @param keyid the DNSSEC key footprint.
|
* @param algorithm
|
||||||
* @param inDirectory the directory to look for the files (may be null).
|
* the DNSSEC algorithm of the key.
|
||||||
|
* @param keyid
|
||||||
|
* the DNSSEC key footprint.
|
||||||
|
* @param inDirectory
|
||||||
|
* the directory to look for the files (may be null).
|
||||||
* @return the loaded key pair.
|
* @return the loaded key pair.
|
||||||
* @throws IOException if there was a problem reading the BIND9 files.
|
* @throws IOException
|
||||||
|
* if there was a problem reading the BIND9 files.
|
||||||
*/
|
*/
|
||||||
public static DnsKeyPair loadKeyPair(Name signer, int algorithm, int keyid,
|
public static DnsKeyPair loadKeyPair(Name signer, int algorithm, int keyid,
|
||||||
File inDirectory) throws IOException {
|
File inDirectory) throws IOException {
|
||||||
@ -124,12 +128,16 @@ public class BINDKeyUtils {
|
|||||||
/**
|
/**
|
||||||
* Given a base path to a BIND9 key pair, load the key pair.
|
* Given a base path to a BIND9 key pair, load the key pair.
|
||||||
*
|
*
|
||||||
* @param keyFileBasePath the base filename (or real filename for either the
|
* @param keyFileBasePath
|
||||||
* public or private key) of the key.
|
* the base filename (or real filename for either the
|
||||||
* @param inDirectory the directory to look in, if the keyFileBasePath is
|
* public or
|
||||||
|
* private key) of the key.
|
||||||
|
* @param inDirectory
|
||||||
|
* the directory to look in, if the keyFileBasePath is
|
||||||
* relative.
|
* relative.
|
||||||
* @return the loaded key pair.
|
* @return the loaded key pair.
|
||||||
* @throws IOException if there was a problem reading the files
|
* @throws IOException
|
||||||
|
* if there was a problem reading the files
|
||||||
*/
|
*/
|
||||||
public static DnsKeyPair loadKeyPair(String keyFileBasePath, File inDirectory)
|
public static DnsKeyPair loadKeyPair(String keyFileBasePath, File inDirectory)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
@ -154,12 +162,15 @@ public class BINDKeyUtils {
|
|||||||
* Given a base path to a BIND9 key pair, load the public part (only) of the
|
* Given a base path to a BIND9 key pair, load the public part (only) of the
|
||||||
* key pair
|
* key pair
|
||||||
*
|
*
|
||||||
* @param keyFileBasePath the base or real path to the public part of a key
|
* @param keyFileBasePath
|
||||||
|
* the base or real path to the public part of a key
|
||||||
* pair.
|
* pair.
|
||||||
* @param inDirectory the directory to look in if the path is relative
|
* @param inDirectory
|
||||||
* (may be null).
|
* the directory to look in if the path is relative (may
|
||||||
|
* be null).
|
||||||
* @return a {@link DnsKeyPair} containing just the public key information.
|
* @return a {@link DnsKeyPair} containing just the public key information.
|
||||||
* @throws IOException if there was a problem reading the public key file.
|
* @throws IOException
|
||||||
|
* if there was a problem reading the public key file.
|
||||||
*/
|
*/
|
||||||
public static DnsKeyPair loadKey(String keyFileBasePath, File inDirectory)
|
public static DnsKeyPair loadKey(String keyFileBasePath, File inDirectory)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
@ -179,11 +190,15 @@ public class BINDKeyUtils {
|
|||||||
* "keyset-[signer]." where [signer] is the DNS owner name of the key. The
|
* "keyset-[signer]." where [signer] is the DNS owner name of the key. The
|
||||||
* keyset may be signed, but doesn't have to be.
|
* keyset may be signed, but doesn't have to be.
|
||||||
*
|
*
|
||||||
* @param keysetFileName the name of the keyset file.
|
* @param keysetFileName
|
||||||
* @param inDirectory the directory to look in if the path is relative (may
|
* the name of the keyset file.
|
||||||
* be null, defaults to the current working directory).
|
* @param inDirectory
|
||||||
|
* the directory to look in if the path is relative (may
|
||||||
|
* be null,
|
||||||
|
* defaults to the current working directory).
|
||||||
* @return a RRset contain the KEY records and any associated SIG records.
|
* @return a RRset contain the KEY records and any associated SIG records.
|
||||||
* @throws IOException if there was a problem reading the keyset file.
|
* @throws IOException
|
||||||
|
* if there was a problem reading the keyset file.
|
||||||
*/
|
*/
|
||||||
public static RRset loadKeySet(String keysetFileName, File inDirectory)
|
public static RRset loadKeySet(String keysetFileName, File inDirectory)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
@ -203,8 +218,8 @@ public class BINDKeyUtils {
|
|||||||
/**
|
/**
|
||||||
* Calculate the key file base for this key pair.
|
* Calculate the key file base for this key pair.
|
||||||
*
|
*
|
||||||
* @param pair the {@link DnsKeyPair} to work from. It only needs a public
|
* @param pair
|
||||||
* key.
|
* the {@link DnsKeyPair} to work from. It only needs a public key.
|
||||||
* @return the base name of the key files.
|
* @return the base name of the key files.
|
||||||
*/
|
*/
|
||||||
public static String keyFileBase(DnsKeyPair pair) {
|
public static String keyFileBase(DnsKeyPair pair) {
|
||||||
@ -244,7 +259,8 @@ public class BINDKeyUtils {
|
|||||||
* Given a the contents of a BIND9 private key file, convert it into a native
|
* Given a the contents of a BIND9 private key file, convert it into a native
|
||||||
* {@link java.security.PrivateKey} object.
|
* {@link java.security.PrivateKey} object.
|
||||||
*
|
*
|
||||||
* @param privateKeyString the contents of a BIND9 key file in string form.
|
* @param privateKeyString
|
||||||
|
* the contents of a BIND9 key file in string form.
|
||||||
* @return a {@link java.security.PrivateKey}
|
* @return a {@link java.security.PrivateKey}
|
||||||
*/
|
*/
|
||||||
public static PrivateKey convertPrivateKeyString(String privateKeyString) {
|
public static PrivateKey convertPrivateKeyString(String privateKeyString) {
|
||||||
@ -256,7 +272,7 @@ public class BINDKeyUtils {
|
|||||||
try {
|
try {
|
||||||
DnsKeyConverter conv = new DnsKeyConverter();
|
DnsKeyConverter conv = new DnsKeyConverter();
|
||||||
return conv.parsePrivateKeyString(privateKeyString);
|
return conv.parsePrivateKeyString(privateKeyString);
|
||||||
} catch (IOException | NoSuchAlgorithmException e) {
|
} catch (IOException|NoSuchAlgorithmException e) {
|
||||||
e.printStackTrace();
|
e.printStackTrace();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -267,8 +283,10 @@ public class BINDKeyUtils {
|
|||||||
* Given a native private key, convert it into a BIND9 private key file
|
* Given a native private key, convert it into a BIND9 private key file
|
||||||
* format.
|
* format.
|
||||||
*
|
*
|
||||||
* @param priv the private key to convert.
|
* @param priv
|
||||||
* @param pub the private key's corresponding public key. Some algorithms
|
* the private key to convert.
|
||||||
|
* @param pub
|
||||||
|
* the private key's corresponding public key. Some algorithms
|
||||||
* require information from both.
|
* require information from both.
|
||||||
* @return a string containing the contents of a BIND9 private key file.
|
* @return a string containing the contents of a BIND9 private key file.
|
||||||
*/
|
*/
|
||||||
@ -309,11 +327,16 @@ public class BINDKeyUtils {
|
|||||||
/**
|
/**
|
||||||
* This routine will write out the BIND9 dnssec-* tool compatible files.
|
* This routine will write out the BIND9 dnssec-* tool compatible files.
|
||||||
*
|
*
|
||||||
* @param baseFileName use this base file name. If null, the standard BIND9
|
* @param baseFileName
|
||||||
* base file name will be computed.
|
* use this base file name. If null, the standard BIND9 base
|
||||||
* @param pair the keypair in question.
|
* file
|
||||||
* @param inDirectory the directory to write to (may be null).
|
* name will be computed.
|
||||||
* @throws IOException if there is a problem writing the files.
|
* @param pair
|
||||||
|
* the keypair in question.
|
||||||
|
* @param inDirectory
|
||||||
|
* the directory to write to (may be null).
|
||||||
|
* @throws IOException
|
||||||
|
* if there is a problem writing the files.
|
||||||
*/
|
*/
|
||||||
public static void writeKeyFiles(String baseFileName, DnsKeyPair pair,
|
public static void writeKeyFiles(String baseFileName, DnsKeyPair pair,
|
||||||
File inDirectory) throws IOException {
|
File inDirectory) throws IOException {
|
||||||
@ -346,8 +369,10 @@ public class BINDKeyUtils {
|
|||||||
* This routine will write out the BIND9 dnssec-* tool compatible files to the
|
* This routine will write out the BIND9 dnssec-* tool compatible files to the
|
||||||
* standard file names.
|
* standard file names.
|
||||||
*
|
*
|
||||||
* @param pair the key pair in question.
|
* @param pair
|
||||||
* @param inDirectory the directory to write to (may be null).
|
* the key pair in question.
|
||||||
|
* @param inDirectory
|
||||||
|
* the directory to write to (may be null).
|
||||||
*/
|
*/
|
||||||
public static void writeKeyFiles(DnsKeyPair pair, File inDirectory)
|
public static void writeKeyFiles(DnsKeyPair pair, File inDirectory)
|
||||||
throws IOException {
|
throws IOException {
|
||||||
|
@ -34,6 +34,7 @@ import java.security.KeyPair;
|
|||||||
import java.security.KeyPairGenerator;
|
import java.security.KeyPairGenerator;
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.security.Provider;
|
import java.security.Provider;
|
||||||
|
import java.security.SecureRandom;
|
||||||
import java.security.Security;
|
import java.security.Security;
|
||||||
import java.security.Signature;
|
import java.security.Signature;
|
||||||
import java.security.spec.ECFieldFp;
|
import java.security.spec.ECFieldFp;
|
||||||
@ -42,7 +43,6 @@ import java.security.spec.ECParameterSpec;
|
|||||||
import java.security.spec.ECPoint;
|
import java.security.spec.ECPoint;
|
||||||
import java.security.spec.EllipticCurve;
|
import java.security.spec.EllipticCurve;
|
||||||
import java.security.spec.InvalidParameterSpecException;
|
import java.security.spec.InvalidParameterSpecException;
|
||||||
import java.security.spec.NamedParameterSpec;
|
|
||||||
import java.security.spec.RSAKeyGenParameterSpec;
|
import java.security.spec.RSAKeyGenParameterSpec;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
@ -51,6 +51,12 @@ import java.util.logging.Logger;
|
|||||||
|
|
||||||
import org.xbill.DNS.DNSSEC;
|
import org.xbill.DNS.DNSSEC;
|
||||||
|
|
||||||
|
import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
|
||||||
|
// for now, we need to import the EdDSA parameter spec classes
|
||||||
|
// because they have no generic form in java.security.spec.*
|
||||||
|
// sadly, this will currently fail if you don't have the lib.
|
||||||
|
import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This class handles translating DNS signing algorithm identifiers into various
|
* This class handles translating DNS signing algorithm identifiers into various
|
||||||
* usable java implementations.
|
* usable java implementations.
|
||||||
@ -66,24 +72,21 @@ public class DnsKeyAlgorithm {
|
|||||||
|
|
||||||
// Our base algorithm numbers. This is a normalization of the DNSSEC
|
// Our base algorithm numbers. This is a normalization of the DNSSEC
|
||||||
// algorithms (which are really signature algorithms). Thus RSASHA1,
|
// algorithms (which are really signature algorithms). Thus RSASHA1,
|
||||||
// RSASHA256, etc. all boil down to 'RSA' here. Similary, ECDSAP256SHA256 and
|
// RSASHA256, etc. all boil down to 'RSA' here.
|
||||||
// ECDSAP384SHA384 both become 'ECDSA'.
|
public static final int UNKNOWN = -1;
|
||||||
public enum BaseAlgorithm {
|
public static final int RSA = 1;
|
||||||
UNKNOWN,
|
public static final int DH = 2;
|
||||||
RSA,
|
public static final int DSA = 3;
|
||||||
DH,
|
public static final int ECC_GOST = 4;
|
||||||
DSA,
|
public static final int ECDSA = 5;
|
||||||
ECC_GOST,
|
public static final int EDDSA = 6;
|
||||||
ECDSA,
|
|
||||||
EDDSA;
|
|
||||||
}
|
|
||||||
|
|
||||||
private static class AlgEntry {
|
private static class AlgEntry {
|
||||||
public int dnssecAlgorithm;
|
public int dnssecAlgorithm;
|
||||||
public String sigName;
|
public String sigName;
|
||||||
public BaseAlgorithm baseType;
|
public int baseType;
|
||||||
|
|
||||||
public AlgEntry(int algorithm, String sigName, BaseAlgorithm baseType) {
|
public AlgEntry(int algorithm, String sigName, int baseType) {
|
||||||
this.dnssecAlgorithm = algorithm;
|
this.dnssecAlgorithm = algorithm;
|
||||||
this.sigName = sigName;
|
this.sigName = sigName;
|
||||||
this.baseType = baseType;
|
this.baseType = baseType;
|
||||||
@ -93,20 +96,18 @@ public class DnsKeyAlgorithm {
|
|||||||
private static class ECAlgEntry extends AlgEntry {
|
private static class ECAlgEntry extends AlgEntry {
|
||||||
public ECParameterSpec ecSpec;
|
public ECParameterSpec ecSpec;
|
||||||
|
|
||||||
public ECAlgEntry(int algorithm, String sigName, BaseAlgorithm baseType, ECParameterSpec spec) {
|
public ECAlgEntry(int algorithm, String sigName, int baseType, ECParameterSpec spec) {
|
||||||
super(algorithm, sigName, baseType);
|
super(algorithm, sigName, baseType);
|
||||||
this.ecSpec = spec;
|
this.ecSpec = spec;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private static class EdAlgEntry extends AlgEntry {
|
private static class EdAlgEntry extends AlgEntry {
|
||||||
public String curveName;
|
public EdDSAParameterSpec edSpec;
|
||||||
public NamedParameterSpec paramSpec;
|
|
||||||
|
|
||||||
public EdAlgEntry(int algorithm, String sigName, BaseAlgorithm baseType, String curveName) {
|
public EdAlgEntry(int algorithm, String sigName, int baseType, EdDSAParameterSpec spec) {
|
||||||
super(algorithm, sigName, baseType);
|
super(algorithm, sigName, baseType);
|
||||||
this.curveName = curveName;
|
this.edSpec = spec;
|
||||||
this.paramSpec = new NamedParameterSpec(curveName);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -142,15 +143,24 @@ public class DnsKeyAlgorithm {
|
|||||||
private static DnsKeyAlgorithm mInstance = null;
|
private static DnsKeyAlgorithm mInstance = null;
|
||||||
|
|
||||||
public DnsKeyAlgorithm() {
|
public DnsKeyAlgorithm() {
|
||||||
// Attempt to add the bouncycastle provider. This is so we can use this
|
// Attempt to add the bouncycastle provider.
|
||||||
// provider if it is available, but not require the user to add it as one of
|
// This is so we can use this provider if it is available, but not require
|
||||||
// the java.security providers.
|
// the user to add it as one of the java.security providers.
|
||||||
try {
|
try {
|
||||||
Class<?> bcProviderClass = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
|
Class<?> bcProviderClass = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
|
||||||
Provider bcProvider = (Provider) bcProviderClass.getDeclaredConstructor().newInstance();
|
Provider bcProvider = (Provider) bcProviderClass.getDeclaredConstructor().newInstance();
|
||||||
Security.addProvider(bcProvider);
|
Security.addProvider(bcProvider);
|
||||||
} catch (ReflectiveOperationException e) {
|
} catch (ReflectiveOperationException e) {
|
||||||
log.fine("Unable to load BC provider");
|
log.info("Unable to load BC provider");
|
||||||
|
}
|
||||||
|
|
||||||
|
// Attempt to add the EdDSA-Java provider.
|
||||||
|
try {
|
||||||
|
Class<?> eddsaProviderClass = Class.forName("net.i2p.crypto.eddsa.EdDSASecurityProvider");
|
||||||
|
Provider eddsaProvider = (Provider) eddsaProviderClass.getDeclaredConstructor().newInstance();
|
||||||
|
Security.addProvider(eddsaProvider);
|
||||||
|
} catch (ReflectiveOperationException e) {
|
||||||
|
log.warning("Unable to load EdDSA provider");
|
||||||
}
|
}
|
||||||
|
|
||||||
initialize();
|
initialize();
|
||||||
@ -162,16 +172,16 @@ public class DnsKeyAlgorithm {
|
|||||||
mIdToMnemonicMap = new HashMap<>();
|
mIdToMnemonicMap = new HashMap<>();
|
||||||
|
|
||||||
// Load the standard DNSSEC algorithms.
|
// Load the standard DNSSEC algorithms.
|
||||||
addAlgorithm(DNSSEC.Algorithm.RSAMD5, "MD5withRSA", BaseAlgorithm.RSA);
|
addAlgorithm(DNSSEC.Algorithm.RSAMD5, "MD5withRSA", RSA);
|
||||||
addMnemonic("RSAMD5", DNSSEC.Algorithm.RSAMD5);
|
addMnemonic("RSAMD5", DNSSEC.Algorithm.RSAMD5);
|
||||||
|
|
||||||
addAlgorithm(DNSSEC.Algorithm.DH, "", BaseAlgorithm.DH);
|
addAlgorithm(DNSSEC.Algorithm.DH, "", DH);
|
||||||
addMnemonic("DH", DNSSEC.Algorithm.DH);
|
addMnemonic("DH", DNSSEC.Algorithm.DH);
|
||||||
|
|
||||||
addAlgorithm(DNSSEC.Algorithm.DSA, "SHA1withDSA", BaseAlgorithm.DSA);
|
addAlgorithm(DNSSEC.Algorithm.DSA, "SHA1withDSA", DSA);
|
||||||
addMnemonic("DSA", DNSSEC.Algorithm.DSA);
|
addMnemonic("DSA", DNSSEC.Algorithm.DSA);
|
||||||
|
|
||||||
addAlgorithm(DNSSEC.Algorithm.RSASHA1, "SHA1withRSA", BaseAlgorithm.RSA);
|
addAlgorithm(DNSSEC.Algorithm.RSASHA1, "SHA1withRSA", RSA);
|
||||||
addMnemonic("RSASHA1", DNSSEC.Algorithm.RSASHA1);
|
addMnemonic("RSASHA1", DNSSEC.Algorithm.RSASHA1);
|
||||||
addMnemonic("RSA", DNSSEC.Algorithm.RSASHA1);
|
addMnemonic("RSA", DNSSEC.Algorithm.RSASHA1);
|
||||||
|
|
||||||
@ -183,49 +193,42 @@ public class DnsKeyAlgorithm {
|
|||||||
addMnemonic("NSEC3RSASHA1", DNSSEC.Algorithm.RSA_NSEC3_SHA1);
|
addMnemonic("NSEC3RSASHA1", DNSSEC.Algorithm.RSA_NSEC3_SHA1);
|
||||||
|
|
||||||
// Algorithms added by RFC 5702.
|
// Algorithms added by RFC 5702.
|
||||||
addAlgorithm(DNSSEC.Algorithm.RSASHA256, "SHA256withRSA", BaseAlgorithm.RSA);
|
addAlgorithm(DNSSEC.Algorithm.RSASHA256, "SHA256withRSA", RSA);
|
||||||
addMnemonic("RSASHA256", DNSSEC.Algorithm.RSASHA256);
|
addMnemonic("RSASHA256", DNSSEC.Algorithm.RSASHA256);
|
||||||
|
|
||||||
addAlgorithm(DNSSEC.Algorithm.RSASHA512, "SHA512withRSA", BaseAlgorithm.RSA);
|
addAlgorithm(DNSSEC.Algorithm.RSASHA512, "SHA512withRSA", RSA);
|
||||||
addMnemonic("RSASHA512", DNSSEC.Algorithm.RSASHA512);
|
addMnemonic("RSASHA512", DNSSEC.Algorithm.RSASHA512);
|
||||||
|
|
||||||
// ECC-GOST is not supported by Java 1.8's Sun crypto provider. The
|
// ECC-GOST is not supported by Java 1.8's Sun crypto provider. The
|
||||||
// bouncycastle.org provider, however, does support it.
|
// bouncycastle.org provider, however, does support it.
|
||||||
// GostR3410-2001-CryptoPro-A is the named curve in the BC provider, but we
|
// GostR3410-2001-CryptoPro-A is the named curve in the BC provider, but we
|
||||||
// will get the parameters directly.
|
// will get the parameters directly.
|
||||||
addAlgorithm(DNSSEC.Algorithm.ECC_GOST, "GOST3411withECGOST3410", BaseAlgorithm.ECC_GOST, null);
|
addAlgorithm(DNSSEC.Algorithm.ECC_GOST, "GOST3411withECGOST3410", ECC_GOST, null);
|
||||||
addMnemonic("ECCGOST", DNSSEC.Algorithm.ECC_GOST);
|
addMnemonic("ECCGOST", DNSSEC.Algorithm.ECC_GOST);
|
||||||
addMnemonic("ECC-GOST", DNSSEC.Algorithm.ECC_GOST);
|
addMnemonic("ECC-GOST", DNSSEC.Algorithm.ECC_GOST);
|
||||||
|
|
||||||
addAlgorithm(DNSSEC.Algorithm.ECDSAP256SHA256, "SHA256withECDSA", BaseAlgorithm.ECDSA, "secp256r1");
|
addAlgorithm(DNSSEC.Algorithm.ECDSAP256SHA256, "SHA256withECDSA", ECDSA, "secp256r1");
|
||||||
addMnemonic("ECDSAP256SHA256", DNSSEC.Algorithm.ECDSAP256SHA256);
|
addMnemonic("ECDSAP256SHA256", DNSSEC.Algorithm.ECDSAP256SHA256);
|
||||||
addMnemonic("ECDSA-P256", DNSSEC.Algorithm.ECDSAP256SHA256);
|
addMnemonic("ECDSA-P256", DNSSEC.Algorithm.ECDSAP256SHA256);
|
||||||
|
|
||||||
addAlgorithm(DNSSEC.Algorithm.ECDSAP384SHA384, "SHA384withECDSA", BaseAlgorithm.ECDSA, "secp384r1");
|
addAlgorithm(DNSSEC.Algorithm.ECDSAP384SHA384, "SHA384withECDSA", ECDSA, "secp384r1");
|
||||||
addMnemonic("ECDSAP384SHA384", DNSSEC.Algorithm.ECDSAP384SHA384);
|
addMnemonic("ECDSAP384SHA384", DNSSEC.Algorithm.ECDSAP384SHA384);
|
||||||
addMnemonic("ECDSA-P384", DNSSEC.Algorithm.ECDSAP384SHA384);
|
addMnemonic("ECDSA-P384", DNSSEC.Algorithm.ECDSAP384SHA384);
|
||||||
|
|
||||||
// For the Edwards Curve implementations, we just initialize Signature and
|
// EdDSA is not supported by either the Java 1.8 Sun crypto
|
||||||
// KeyPairGenerator with the curve name.
|
// provider or bouncycastle. It is added by the Ed25519-Java
|
||||||
addAlgorithm(15, "Ed25519", BaseAlgorithm.EDDSA, "Ed25519");
|
// library. We don't have a corresponding constant in
|
||||||
|
// org.xbill.DNS.DNSSEC yet, though.
|
||||||
|
addAlgorithm(15, "NONEwithEdDSA", EDDSA, "Ed25519");
|
||||||
addMnemonic("ED25519", 15);
|
addMnemonic("ED25519", 15);
|
||||||
addAlgorithm(16, "Ed448", BaseAlgorithm.EDDSA, "Ed448");
|
|
||||||
addMnemonic(("ED448"), 16);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private void addAlgorithm(int algorithm, String sigName, BaseAlgorithm baseType) {
|
private void addAlgorithm(int algorithm, String sigName, int baseType) {
|
||||||
mAlgorithmMap.put(algorithm, new AlgEntry(algorithm, sigName, baseType));
|
mAlgorithmMap.put(algorithm, new AlgEntry(algorithm, sigName, baseType));
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
private void addAlgorithm(int algorithm, String sigName, int baseType, String curveName) {
|
||||||
* Add a ECDSA (algorithms 13/14) to the set, looking up the curve names.
|
if (baseType == ECDSA) {
|
||||||
*
|
|
||||||
* @param algorithm the DNSSEC algorithm number.
|
|
||||||
* @param sigName the name of the signature scheme.
|
|
||||||
* @param curveName the official name of the elliptic curve in our crypto
|
|
||||||
* library (SunEC).
|
|
||||||
*/
|
|
||||||
private void addECDSAAlgorithm(int algorithm, String sigName, String curveName) {
|
|
||||||
ECParameterSpec ecSpec = ECSpecFromAlgorithm(algorithm);
|
ECParameterSpec ecSpec = ECSpecFromAlgorithm(algorithm);
|
||||||
if (ecSpec == null)
|
if (ecSpec == null)
|
||||||
ecSpec = ECSpecFromName(curveName);
|
ecSpec = ECSpecFromName(curveName);
|
||||||
@ -241,56 +244,28 @@ public class DnsKeyAlgorithm {
|
|||||||
// If not, do not add the algorithm.
|
// If not, do not add the algorithm.
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
ECAlgEntry entry = new ECAlgEntry(algorithm, sigName, BaseAlgorithm.ECDSA, ecSpec);
|
ECAlgEntry entry = new ECAlgEntry(algorithm, sigName, baseType, ecSpec);
|
||||||
mAlgorithmMap.put(algorithm, entry);
|
mAlgorithmMap.put(algorithm, entry);
|
||||||
}
|
} else if (baseType == EDDSA) {
|
||||||
|
EdDSAParameterSpec edSpec = EdDSASpecFromName(curveName);
|
||||||
|
if (edSpec == null)
|
||||||
|
return;
|
||||||
|
|
||||||
/**
|
|
||||||
* Add an EdDSA (Edwards curve algorithms, DNSSEC algorithms 15/16), looking up
|
|
||||||
* the curve.
|
|
||||||
*
|
|
||||||
* @param algorithm the DNSSEC algorithm numer.
|
|
||||||
* @param sigName the name of the signing scheme. For EdDSA, this is the same
|
|
||||||
* as the curve.
|
|
||||||
* @param curveName the name of the curve.
|
|
||||||
*/
|
|
||||||
private void addEdDSAAlgorithm(int algorithm, String sigName, String curveName) {
|
|
||||||
// Check to see if we can get a Signature object for this algorithm.
|
// Check to see if we can get a Signature object for this algorithm.
|
||||||
try {
|
try {
|
||||||
Signature.getInstance(sigName);
|
Signature.getInstance(sigName);
|
||||||
} catch (NoSuchAlgorithmException e) {
|
} catch (NoSuchAlgorithmException e) {
|
||||||
// for now, let's find out
|
// for now, let's find out
|
||||||
log.severe("could not get signature for EdDSA curve" + curveName + ": " + e.getMessage());
|
log.severe("could not get signature for " + sigName + ": " + e.getMessage());
|
||||||
// If not, do not add the algorithm.
|
// If not, do not add the algorithm.
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
EdAlgEntry entry = new EdAlgEntry(algorithm, sigName, BaseAlgorithm.EDDSA, curveName);
|
EdAlgEntry entry = new EdAlgEntry(algorithm, sigName, baseType, edSpec);
|
||||||
mAlgorithmMap.put(algorithm, entry);
|
mAlgorithmMap.put(algorithm, entry);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Add an Elliptic Curve algorithm given a signing scheme and curve name.
|
|
||||||
*
|
|
||||||
* @param algorithm the DNSSEC algorithm number
|
|
||||||
* @param sigName the signature scheme (e.g., which crypto hash function are
|
|
||||||
* we using?)
|
|
||||||
* @param baseType the base type (either ECDSA or EDDSA).
|
|
||||||
* @param curveName the name of the curve.
|
|
||||||
*/
|
|
||||||
private void addAlgorithm(int algorithm, String sigName, BaseAlgorithm baseType, String curveName) {
|
|
||||||
if (baseType == BaseAlgorithm.ECDSA) {
|
|
||||||
addECDSAAlgorithm(algorithm, sigName, curveName);
|
|
||||||
} else if (baseType == BaseAlgorithm.EDDSA) {
|
|
||||||
addEdDSAAlgorithm(algorithm, sigName, curveName);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Add an alternate mnemonic for an algorithm.
|
|
||||||
*
|
|
||||||
* @param m the new mnemonic.
|
|
||||||
* @param alg the DNSSEC algorithm number.
|
|
||||||
*/
|
|
||||||
private void addMnemonic(String m, int alg) {
|
private void addMnemonic(String m, int alg) {
|
||||||
// Do not add mnemonics for algorithms that ended up not actually being
|
// Do not add mnemonics for algorithms that ended up not actually being
|
||||||
// supported.
|
// supported.
|
||||||
@ -301,19 +276,19 @@ public class DnsKeyAlgorithm {
|
|||||||
mIdToMnemonicMap.computeIfAbsent(alg, k -> m);
|
mIdToMnemonicMap.computeIfAbsent(alg, k -> m);
|
||||||
}
|
}
|
||||||
|
|
||||||
public void addAlias(int alias, String mnemonic, int origAlgorithm) {
|
public void addAlias(int alias, String mnemonic, int original_algorithm) {
|
||||||
if (mAlgorithmMap.containsKey(alias)) {
|
if (mAlgorithmMap.containsKey(alias)) {
|
||||||
log.warning("Unable to alias algorithm " + alias + " because it already exists.");
|
log.warning("Unable to alias algorithm " + alias + " because it already exists.");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!mAlgorithmMap.containsKey(origAlgorithm)) {
|
if (!mAlgorithmMap.containsKey(original_algorithm)) {
|
||||||
log.warning("Unable to alias algorithm " + alias
|
log.warning("Unable to alias algorithm " + alias
|
||||||
+ " to unknown algorithm identifier " + origAlgorithm);
|
+ " to unknown algorithm identifier " + original_algorithm);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
mAlgorithmMap.put(alias, mAlgorithmMap.get(origAlgorithm));
|
mAlgorithmMap.put(alias, mAlgorithmMap.get(original_algorithm));
|
||||||
|
|
||||||
if (mnemonic != null) {
|
if (mnemonic != null) {
|
||||||
addMnemonic(mnemonic, alias);
|
addMnemonic(mnemonic, alias);
|
||||||
@ -347,8 +322,8 @@ public class DnsKeyAlgorithm {
|
|||||||
private ECParameterSpec ECSpecFromName(String stdName) {
|
private ECParameterSpec ECSpecFromName(String stdName) {
|
||||||
try {
|
try {
|
||||||
AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
|
AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
|
||||||
ECGenParameterSpec ecgSpec = new ECGenParameterSpec(stdName);
|
ECGenParameterSpec ecg_spec = new ECGenParameterSpec(stdName);
|
||||||
ap.init(ecgSpec);
|
ap.init(ecg_spec);
|
||||||
return ap.getParameterSpec(ECParameterSpec.class);
|
return ap.getParameterSpec(ECParameterSpec.class);
|
||||||
} catch (NoSuchAlgorithmException e) {
|
} catch (NoSuchAlgorithmException e) {
|
||||||
log.info("Elliptic Curve not supported by any crypto provider: " + e.getMessage());
|
log.info("Elliptic Curve not supported by any crypto provider: " + e.getMessage());
|
||||||
@ -358,6 +333,24 @@ public class DnsKeyAlgorithm {
|
|||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Fetch the curve parameters from a named EdDSA curve.
|
||||||
|
private EdDSAParameterSpec EdDSASpecFromName(String stdName) {
|
||||||
|
try {
|
||||||
|
EdDSAParameterSpec spec = EdDSANamedCurveTable.getByName(stdName);
|
||||||
|
if (spec != null)
|
||||||
|
return spec;
|
||||||
|
throw new InvalidParameterSpecException("Edwards Curve " + stdName + " not found.");
|
||||||
|
}
|
||||||
|
// catch (NoSuchAlgorithmException e) {
|
||||||
|
// log.info("Edwards Curve not supported by any crypto provider: " +
|
||||||
|
// e.getMessage());
|
||||||
|
// }
|
||||||
|
catch (InvalidParameterSpecException e) {
|
||||||
|
log.info("Edwards Curve " + stdName + " not supported");
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
public String[] supportedAlgMnemonics() {
|
public String[] supportedAlgMnemonics() {
|
||||||
Set<Integer> keyset = mAlgorithmMap.keySet();
|
Set<Integer> keyset = mAlgorithmMap.keySet();
|
||||||
Integer[] algs = keyset.toArray(new Integer[keyset.size()]);
|
Integer[] algs = keyset.toArray(new Integer[keyset.size()]);
|
||||||
@ -395,10 +388,11 @@ public class DnsKeyAlgorithm {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given one of the ECDSA algorithms (ECDSAP256SHA256, etc.) return the
|
* Given one of the ECDSA algorithms (ECDSAP256SHA256, etc.) return
|
||||||
* elliptic curve parameters.
|
* the elliptic curve parameters.
|
||||||
*
|
*
|
||||||
* @param algorithm The DNSSEC algorithm number.
|
* @param algorithm
|
||||||
|
* The DNSSEC algorithm number.
|
||||||
* @return The calculated JCA ECParameterSpec for that DNSSEC algorithm, or
|
* @return The calculated JCA ECParameterSpec for that DNSSEC algorithm, or
|
||||||
* null if not a recognized/supported EC algorithm.
|
* null if not a recognized/supported EC algorithm.
|
||||||
*/
|
*/
|
||||||
@ -408,35 +402,37 @@ public class DnsKeyAlgorithm {
|
|||||||
return null;
|
return null;
|
||||||
if (!(entry instanceof ECAlgEntry))
|
if (!(entry instanceof ECAlgEntry))
|
||||||
return null;
|
return null;
|
||||||
ECAlgEntry ecEntry = (ECAlgEntry) entry;
|
ECAlgEntry ec_entry = (ECAlgEntry) entry;
|
||||||
|
|
||||||
return ecEntry.ecSpec;
|
return ec_entry.ecSpec;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given one of the EdDSA algorithms (ED25519 or ED448), return the named
|
* Given one of the EdDSA algorithms (Ed25519, Ed448) return the
|
||||||
* parameter spec.
|
* elliptic curve parameters.
|
||||||
*
|
*
|
||||||
* @param algorithm The DNSSEC algorithm number.
|
* @param algorithm
|
||||||
* @return The NamedParameterSpec for that DNSSEC algorithm, nor null if the
|
* The DNSSEC algorithm number.
|
||||||
* algorithm wasn't a supported EdDSA algorithm.
|
* @return The stored EdDSAParameterSpec for that algorithm, or
|
||||||
|
* null if not a recognized/supported EdDSA algorithm.
|
||||||
*/
|
*/
|
||||||
public NamedParameterSpec getEdwardsCurveSpec(int algorithm) {
|
public EdDSAParameterSpec getEdwardsCurveParams(int algorithm) {
|
||||||
AlgEntry entry = getEntry(algorithm);
|
AlgEntry entry = getEntry(algorithm);
|
||||||
if (entry == null)
|
if (entry == null)
|
||||||
return null;
|
return null;
|
||||||
if (!(entry instanceof EdAlgEntry))
|
if (!(entry instanceof EdAlgEntry))
|
||||||
return null;
|
return null;
|
||||||
EdAlgEntry edEntry = (EdAlgEntry) entry;
|
EdAlgEntry ed_entry = (EdAlgEntry) entry;
|
||||||
|
|
||||||
return edEntry.paramSpec;
|
return ed_entry.edSpec;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Translate a possible algorithm alias back to the original DNSSEC algorithm
|
* Translate a possible algorithm alias back to the original DNSSEC algorithm
|
||||||
* number
|
* number
|
||||||
*
|
*
|
||||||
* @param algorithm a DNSSEC algorithm that may be an alias.
|
* @param algorithm
|
||||||
|
* a DNSSEC algorithm that may be an alias.
|
||||||
* @return -1 if the algorithm isn't recognised, the orignal algorithm number
|
* @return -1 if the algorithm isn't recognised, the orignal algorithm number
|
||||||
* if it is.
|
* if it is.
|
||||||
*/
|
*/
|
||||||
@ -462,7 +458,8 @@ public class DnsKeyAlgorithm {
|
|||||||
* Given an algorithm mnemonic, convert the mnemonic to a DNSSEC algorithm
|
* Given an algorithm mnemonic, convert the mnemonic to a DNSSEC algorithm
|
||||||
* number.
|
* number.
|
||||||
*
|
*
|
||||||
* @param s The mnemonic string. This is case-insensitive.
|
* @param s
|
||||||
|
* The mnemonic string. This is case-insensitive.
|
||||||
* @return -1 if the mnemonic isn't recognized or supported, the algorithm
|
* @return -1 if the mnemonic isn't recognized or supported, the algorithm
|
||||||
* number if it is.
|
* number if it is.
|
||||||
*/
|
*/
|
||||||
@ -476,7 +473,8 @@ public class DnsKeyAlgorithm {
|
|||||||
/**
|
/**
|
||||||
* Given a DNSSEC algorithm number, return the "preferred" mnemonic.
|
* Given a DNSSEC algorithm number, return the "preferred" mnemonic.
|
||||||
*
|
*
|
||||||
* @param algorithm A DNSSEC algorithm number.
|
* @param algorithm
|
||||||
|
* A DNSSEC algorithm number.
|
||||||
* @return The preferred mnemonic string, or null if not supported or
|
* @return The preferred mnemonic string, or null if not supported or
|
||||||
* recognized.
|
* recognized.
|
||||||
*/
|
*/
|
||||||
@ -484,15 +482,15 @@ public class DnsKeyAlgorithm {
|
|||||||
return mIdToMnemonicMap.get(algorithm);
|
return mIdToMnemonicMap.get(algorithm);
|
||||||
}
|
}
|
||||||
|
|
||||||
public BaseAlgorithm baseType(int algorithm) {
|
public int baseType(int algorithm) {
|
||||||
AlgEntry entry = getEntry(algorithm);
|
AlgEntry entry = getEntry(algorithm);
|
||||||
if (entry != null)
|
if (entry != null)
|
||||||
return entry.baseType;
|
return entry.baseType;
|
||||||
return BaseAlgorithm.UNKNOWN;
|
return UNKNOWN;
|
||||||
}
|
}
|
||||||
|
|
||||||
public boolean isDSA(int algorithm) {
|
public boolean isDSA(int algorithm) {
|
||||||
return (baseType(algorithm) == BaseAlgorithm.DSA);
|
return (baseType(algorithm) == DSA);
|
||||||
}
|
}
|
||||||
|
|
||||||
public KeyPair generateKeyPair(int algorithm, int keysize, boolean useLargeExp)
|
public KeyPair generateKeyPair(int algorithm, int keysize, boolean useLargeExp)
|
||||||
@ -504,14 +502,14 @@ public class DnsKeyAlgorithm {
|
|||||||
mRSAKeyGenerator = KeyPairGenerator.getInstance("RSA");
|
mRSAKeyGenerator = KeyPairGenerator.getInstance("RSA");
|
||||||
}
|
}
|
||||||
|
|
||||||
RSAKeyGenParameterSpec rsaSpec;
|
RSAKeyGenParameterSpec rsa_spec;
|
||||||
if (useLargeExp) {
|
if (useLargeExp) {
|
||||||
rsaSpec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F4);
|
rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F4);
|
||||||
} else {
|
} else {
|
||||||
rsaSpec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F0);
|
rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F0);
|
||||||
}
|
}
|
||||||
try {
|
try {
|
||||||
mRSAKeyGenerator.initialize(rsaSpec);
|
mRSAKeyGenerator.initialize(rsa_spec);
|
||||||
} catch (InvalidAlgorithmParameterException e) {
|
} catch (InvalidAlgorithmParameterException e) {
|
||||||
// Fold the InvalidAlgorithmParameterException into our existing
|
// Fold the InvalidAlgorithmParameterException into our existing
|
||||||
// thrown exception. Ugly, but requires less code change.
|
// thrown exception. Ugly, but requires less code change.
|
||||||
@ -562,9 +560,18 @@ public class DnsKeyAlgorithm {
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
case EDDSA: {
|
case EDDSA: {
|
||||||
EdAlgEntry entry = (EdAlgEntry) getEntry(algorithm);
|
if (mEdKeyGenerator == null) {
|
||||||
mEdKeyGenerator = KeyPairGenerator.getInstance(entry.curveName);
|
mEdKeyGenerator = KeyPairGenerator.getInstance("EdDSA");
|
||||||
|
}
|
||||||
|
|
||||||
|
EdDSAParameterSpec edSpec = getEdwardsCurveParams(algorithm);
|
||||||
|
try {
|
||||||
|
mEdKeyGenerator.initialize(edSpec, new SecureRandom());
|
||||||
|
} catch (InvalidAlgorithmParameterException e) {
|
||||||
|
// Fold the InvalidAlgorithmParameterException into our existing
|
||||||
|
// thrown exception. Ugly, but requires less code change.
|
||||||
|
throw new NoSuchAlgorithmException("invalid key parameter spec");
|
||||||
|
}
|
||||||
pair = mEdKeyGenerator.generateKeyPair();
|
pair = mEdKeyGenerator.generateKeyPair();
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
@ -30,16 +30,12 @@ import java.security.interfaces.DSAPrivateKey;
|
|||||||
import java.security.interfaces.DSAPublicKey;
|
import java.security.interfaces.DSAPublicKey;
|
||||||
import java.security.interfaces.ECPrivateKey;
|
import java.security.interfaces.ECPrivateKey;
|
||||||
import java.security.interfaces.ECPublicKey;
|
import java.security.interfaces.ECPublicKey;
|
||||||
import java.security.interfaces.EdECPrivateKey;
|
|
||||||
import java.security.interfaces.EdECPublicKey;
|
|
||||||
import java.security.interfaces.RSAPrivateCrtKey;
|
import java.security.interfaces.RSAPrivateCrtKey;
|
||||||
import java.security.spec.DSAPrivateKeySpec;
|
import java.security.spec.DSAPrivateKeySpec;
|
||||||
import java.security.spec.ECParameterSpec;
|
import java.security.spec.ECParameterSpec;
|
||||||
import java.security.spec.ECPrivateKeySpec;
|
import java.security.spec.ECPrivateKeySpec;
|
||||||
import java.security.spec.EdECPrivateKeySpec;
|
|
||||||
import java.security.spec.InvalidKeySpecException;
|
import java.security.spec.InvalidKeySpecException;
|
||||||
import java.security.spec.KeySpec;
|
import java.security.spec.KeySpec;
|
||||||
import java.security.spec.NamedParameterSpec;
|
|
||||||
import java.security.spec.PKCS8EncodedKeySpec;
|
import java.security.spec.PKCS8EncodedKeySpec;
|
||||||
import java.security.spec.RSAPrivateCrtKeySpec;
|
import java.security.spec.RSAPrivateCrtKeySpec;
|
||||||
import java.util.StringTokenizer;
|
import java.util.StringTokenizer;
|
||||||
@ -54,6 +50,13 @@ import org.xbill.DNS.DNSSEC.DNSSECException;
|
|||||||
import org.xbill.DNS.Name;
|
import org.xbill.DNS.Name;
|
||||||
import org.xbill.DNS.utils.base64;
|
import org.xbill.DNS.utils.base64;
|
||||||
|
|
||||||
|
import net.i2p.crypto.eddsa.EdDSAPrivateKey;
|
||||||
|
// For now, just import the native EdDSA classes
|
||||||
|
import net.i2p.crypto.eddsa.EdDSAPublicKey;
|
||||||
|
import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec;
|
||||||
|
import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
|
||||||
|
import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* This class handles conversions between JCA key formats and DNSSEC and BIND9
|
* This class handles conversions between JCA key formats and DNSSEC and BIND9
|
||||||
* key formats.
|
* key formats.
|
||||||
@ -84,6 +87,7 @@ public class DnsKeyConverter {
|
|||||||
|
|
||||||
// Because we have arbitrarily aliased algorithms, we need to possibly
|
// Because we have arbitrarily aliased algorithms, we need to possibly
|
||||||
// translate the aliased algorithm back to the actual algorithm.
|
// translate the aliased algorithm back to the actual algorithm.
|
||||||
|
|
||||||
int originalAlgorithm = mAlgorithms.originalAlgorithm(pKeyRecord.getAlgorithm());
|
int originalAlgorithm = mAlgorithms.originalAlgorithm(pKeyRecord.getAlgorithm());
|
||||||
|
|
||||||
if (originalAlgorithm <= 0)
|
if (originalAlgorithm <= 0)
|
||||||
@ -97,6 +101,16 @@ public class DnsKeyConverter {
|
|||||||
pKeyRecord.getKey());
|
pKeyRecord.getKey());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// do not rely on DNSJava's method for EdDSA for now.
|
||||||
|
if (mAlgorithms.baseType(originalAlgorithm) == DnsKeyAlgorithm.EDDSA) {
|
||||||
|
try {
|
||||||
|
return parseEdDSADNSKEYRecord(pKeyRecord);
|
||||||
|
} catch (InvalidKeySpecException e) {
|
||||||
|
// just to be expedient, recast this as a NoSuchAlgorithmException.
|
||||||
|
throw new NoSuchAlgorithmException(e.getMessage());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
// This uses DNSJava's DNSSEC.toPublicKey() method.
|
// This uses DNSJava's DNSSEC.toPublicKey() method.
|
||||||
return pKeyRecord.getPublicKey();
|
return pKeyRecord.getPublicKey();
|
||||||
@ -105,12 +119,30 @@ public class DnsKeyConverter {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Since we don't (yet) have support in DNSJava for parsing the
|
||||||
|
* newer EdDSA algorithms, here is a local version.
|
||||||
|
*/
|
||||||
|
private PublicKey parseEdDSADNSKEYRecord(DNSKEYRecord pKeyRecord)
|
||||||
|
throws IllegalArgumentException, NoSuchAlgorithmException, InvalidKeySpecException {
|
||||||
|
byte[] seed = pKeyRecord.getKey();
|
||||||
|
|
||||||
|
EdDSAPublicKeySpec spec = new EdDSAPublicKeySpec(seed,
|
||||||
|
mAlgorithms.getEdwardsCurveParams(pKeyRecord.getAlgorithm()));
|
||||||
|
|
||||||
|
KeyFactory factory = KeyFactory.getInstance("EdDSA");
|
||||||
|
return factory.generatePublic(spec);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given a JCA public key and the ancillary data, generate a DNSKEY record.
|
* Given a JCA public key and the ancillary data, generate a DNSKEY record.
|
||||||
*/
|
*/
|
||||||
public DNSKEYRecord generateDNSKEYRecord(Name name, int dclass, long ttl,
|
public DNSKEYRecord generateDNSKEYRecord(Name name, int dclass, long ttl,
|
||||||
int flags, int alg, PublicKey key) {
|
int flags, int alg, PublicKey key) {
|
||||||
try {
|
try {
|
||||||
|
if (mAlgorithms.baseType(alg) == DnsKeyAlgorithm.EDDSA) {
|
||||||
|
return generateEdDSADNSKEYRecord(name, dclass, ttl, flags, alg, key);
|
||||||
|
}
|
||||||
return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg,
|
return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg,
|
||||||
key);
|
key);
|
||||||
} catch (DNSSECException e) {
|
} catch (DNSSECException e) {
|
||||||
@ -120,6 +152,13 @@ public class DnsKeyConverter {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private DNSKEYRecord generateEdDSADNSKEYRecord(Name name, int dclass, long ttl,
|
||||||
|
int flags, int alg, PublicKey key) {
|
||||||
|
EdDSAPublicKey ed_key = (EdDSAPublicKey) key;
|
||||||
|
byte[] key_data = ed_key.getAbyte();
|
||||||
|
return new DNSKEYRecord(name, dclass, ttl, flags, DNSKEYRecord.Protocol.DNSSEC, alg,
|
||||||
|
key_data);
|
||||||
|
}
|
||||||
// Private Key Specific Parsing routines
|
// Private Key Specific Parsing routines
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -129,9 +168,9 @@ public class DnsKeyConverter {
|
|||||||
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(key);
|
PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(key);
|
||||||
try {
|
try {
|
||||||
switch (mAlgorithms.baseType(algorithm)) {
|
switch (mAlgorithms.baseType(algorithm)) {
|
||||||
case RSA:
|
case DnsKeyAlgorithm.RSA:
|
||||||
return mRSAKeyFactory.generatePrivate(spec);
|
return mRSAKeyFactory.generatePrivate(spec);
|
||||||
case DSA:
|
case DnsKeyAlgorithm.DSA:
|
||||||
return mDSAKeyFactory.generatePrivate(spec);
|
return mDSAKeyFactory.generatePrivate(spec);
|
||||||
default:
|
default:
|
||||||
return null;
|
return null;
|
||||||
@ -186,17 +225,17 @@ public class DnsKeyConverter {
|
|||||||
int alg = parseInt(val, -1);
|
int alg = parseInt(val, -1);
|
||||||
|
|
||||||
switch (mAlgorithms.baseType(alg)) {
|
switch (mAlgorithms.baseType(alg)) {
|
||||||
case RSA:
|
case DnsKeyAlgorithm.RSA:
|
||||||
return parsePrivateRSA(lines);
|
return parsePrivateRSA(lines);
|
||||||
case DSA:
|
case DnsKeyAlgorithm.DSA:
|
||||||
return parsePrivateDSA(lines);
|
return parsePrivateDSA(lines);
|
||||||
case DH:
|
case DnsKeyAlgorithm.DH:
|
||||||
return parsePrivateDH(lines);
|
return parsePrivateDH(lines);
|
||||||
case ECC_GOST:
|
case DnsKeyAlgorithm.ECC_GOST:
|
||||||
return parsePrivateECDSA(lines, alg);
|
return parsePrivateECDSA(lines, alg);
|
||||||
case ECDSA:
|
case DnsKeyAlgorithm.ECDSA:
|
||||||
return parsePrivateECDSA(lines, alg);
|
return parsePrivateECDSA(lines, alg);
|
||||||
case EDDSA:
|
case DnsKeyAlgorithm.EDDSA:
|
||||||
return parsePrivateEdDSA(lines, alg);
|
return parsePrivateEdDSA(lines, alg);
|
||||||
default:
|
default:
|
||||||
throw new IOException("unsupported private key algorithm: " + val);
|
throw new IOException("unsupported private key algorithm: " + val);
|
||||||
@ -233,12 +272,12 @@ public class DnsKeyConverter {
|
|||||||
private PrivateKey parsePrivateRSA(StringTokenizer lines)
|
private PrivateKey parsePrivateRSA(StringTokenizer lines)
|
||||||
throws NoSuchAlgorithmException {
|
throws NoSuchAlgorithmException {
|
||||||
BigInteger modulus = null;
|
BigInteger modulus = null;
|
||||||
BigInteger publicExponent = null;
|
BigInteger public_exponent = null;
|
||||||
BigInteger privateExponent = null;
|
BigInteger private_exponent = null;
|
||||||
BigInteger primeP = null;
|
BigInteger prime_p = null;
|
||||||
BigInteger primeQ = null;
|
BigInteger prime_q = null;
|
||||||
BigInteger primePExponent = null;
|
BigInteger prime_p_exponent = null;
|
||||||
BigInteger primeQExponent = null;
|
BigInteger prime_q_exponent = null;
|
||||||
BigInteger coefficient = null;
|
BigInteger coefficient = null;
|
||||||
|
|
||||||
while (lines.hasMoreTokens()) {
|
while (lines.hasMoreTokens()) {
|
||||||
@ -257,28 +296,33 @@ public class DnsKeyConverter {
|
|||||||
|
|
||||||
if (line.startsWith("Modulus: ")) {
|
if (line.startsWith("Modulus: ")) {
|
||||||
modulus = new BigInteger(1, data);
|
modulus = new BigInteger(1, data);
|
||||||
|
// printBigIntCompare(data, modulus);
|
||||||
} else if (line.startsWith("PublicExponent: ")) {
|
} else if (line.startsWith("PublicExponent: ")) {
|
||||||
publicExponent = new BigInteger(1, data);
|
public_exponent = new BigInteger(1, data);
|
||||||
|
// printBigIntCompare(data, public_exponent);
|
||||||
} else if (line.startsWith("PrivateExponent: ")) {
|
} else if (line.startsWith("PrivateExponent: ")) {
|
||||||
privateExponent = new BigInteger(1, data);
|
private_exponent = new BigInteger(1, data);
|
||||||
|
// printBigIntCompare(data, private_exponent);
|
||||||
} else if (line.startsWith("Prime1: ")) {
|
} else if (line.startsWith("Prime1: ")) {
|
||||||
primeP = new BigInteger(1, data);
|
prime_p = new BigInteger(1, data);
|
||||||
|
// printBigIntCompare(data, prime_p);
|
||||||
} else if (line.startsWith("Prime2: ")) {
|
} else if (line.startsWith("Prime2: ")) {
|
||||||
primeQ = new BigInteger(1, data);
|
prime_q = new BigInteger(1, data);
|
||||||
|
// printBigIntCompare(data, prime_q);
|
||||||
} else if (line.startsWith("Exponent1: ")) {
|
} else if (line.startsWith("Exponent1: ")) {
|
||||||
primePExponent = new BigInteger(1, data);
|
prime_p_exponent = new BigInteger(1, data);
|
||||||
} else if (line.startsWith("Exponent2: ")) {
|
} else if (line.startsWith("Exponent2: ")) {
|
||||||
primeQExponent = new BigInteger(1, data);
|
prime_q_exponent = new BigInteger(1, data);
|
||||||
} else if (line.startsWith("Coefficient: ")) {
|
} else if (line.startsWith("Coefficient: ")) {
|
||||||
coefficient = new BigInteger(1, data);
|
coefficient = new BigInteger(1, data);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
KeySpec spec = new RSAPrivateCrtKeySpec(modulus, publicExponent,
|
KeySpec spec = new RSAPrivateCrtKeySpec(modulus, public_exponent,
|
||||||
privateExponent, primeP,
|
private_exponent, prime_p,
|
||||||
primeQ, primePExponent,
|
prime_q, prime_p_exponent,
|
||||||
primeQExponent, coefficient);
|
prime_q_exponent, coefficient);
|
||||||
if (mRSAKeyFactory == null) {
|
if (mRSAKeyFactory == null) {
|
||||||
mRSAKeyFactory = KeyFactory.getInstance("RSA");
|
mRSAKeyFactory = KeyFactory.getInstance("RSA");
|
||||||
}
|
}
|
||||||
@ -422,13 +466,13 @@ public class DnsKeyConverter {
|
|||||||
if (mECKeyFactory == null) {
|
if (mECKeyFactory == null) {
|
||||||
mECKeyFactory = KeyFactory.getInstance("EC");
|
mECKeyFactory = KeyFactory.getInstance("EC");
|
||||||
}
|
}
|
||||||
ECParameterSpec ecSpec = mAlgorithms.getEllipticCurveParams(algorithm);
|
ECParameterSpec ec_spec = mAlgorithms.getEllipticCurveParams(algorithm);
|
||||||
if (ecSpec == null) {
|
if (ec_spec == null) {
|
||||||
throw new NoSuchAlgorithmException("DNSSEC algorithm " + algorithm +
|
throw new NoSuchAlgorithmException("DNSSEC algorithm " + algorithm +
|
||||||
" is not a recognized Elliptic Curve algorithm");
|
" is not a recognized Elliptic Curve algorithm");
|
||||||
}
|
}
|
||||||
|
|
||||||
KeySpec spec = new ECPrivateKeySpec(s, ecSpec);
|
KeySpec spec = new ECPrivateKeySpec(s, ec_spec);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
return mECKeyFactory.generatePrivate(spec);
|
return mECKeyFactory.generatePrivate(spec);
|
||||||
@ -472,13 +516,13 @@ public class DnsKeyConverter {
|
|||||||
if (mEdKeyFactory == null) {
|
if (mEdKeyFactory == null) {
|
||||||
mEdKeyFactory = KeyFactory.getInstance("EdDSA");
|
mEdKeyFactory = KeyFactory.getInstance("EdDSA");
|
||||||
}
|
}
|
||||||
NamedParameterSpec namedSpec = mAlgorithms.getEdwardsCurveSpec(algorithm);
|
EdDSAParameterSpec ed_spec = mAlgorithms.getEdwardsCurveParams(algorithm);
|
||||||
if (namedSpec == null) {
|
if (ed_spec == null) {
|
||||||
throw new NoSuchAlgorithmException("DNSSEC algorithm " + algorithm +
|
throw new NoSuchAlgorithmException("DNSSEC algorithm " + algorithm +
|
||||||
" is not a recognized Edwards Curve algorithm");
|
" is not a recognized Edwards Curve algorithm");
|
||||||
}
|
}
|
||||||
|
|
||||||
EdECPrivateKeySpec spec = new EdECPrivateKeySpec(namedSpec, seed);
|
KeySpec spec = new EdDSAPrivateKeySpec(seed, ed_spec);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
return mEdKeyFactory.generatePrivate(spec);
|
return mEdKeyFactory.generatePrivate(spec);
|
||||||
@ -501,8 +545,8 @@ public class DnsKeyConverter {
|
|||||||
return generatePrivateDH((DHPrivateKey) priv, (DHPublicKey) pub, alg);
|
return generatePrivateDH((DHPrivateKey) priv, (DHPublicKey) pub, alg);
|
||||||
} else if (priv instanceof ECPrivateKey && pub instanceof ECPublicKey) {
|
} else if (priv instanceof ECPrivateKey && pub instanceof ECPublicKey) {
|
||||||
return generatePrivateEC((ECPrivateKey) priv, (ECPublicKey) pub, alg);
|
return generatePrivateEC((ECPrivateKey) priv, (ECPublicKey) pub, alg);
|
||||||
} else if (priv instanceof EdECPrivateKey && pub instanceof EdECPublicKey) {
|
} else if (priv instanceof EdDSAPrivateKey && pub instanceof EdDSAPublicKey) {
|
||||||
return generatePrivateED((EdECPrivateKey) priv, (EdECPublicKey) pub, alg);
|
return generatePrivateED((EdDSAPrivateKey) priv, (EdDSAPublicKey) pub, alg);
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
@ -512,16 +556,16 @@ public class DnsKeyConverter {
|
|||||||
* Convert from 'unsigned' big integer to original 'signed format' in Base64
|
* Convert from 'unsigned' big integer to original 'signed format' in Base64
|
||||||
*/
|
*/
|
||||||
private static String b64BigInt(BigInteger i) {
|
private static String b64BigInt(BigInteger i) {
|
||||||
byte[] origBytes = i.toByteArray();
|
byte[] orig_bytes = i.toByteArray();
|
||||||
|
|
||||||
if (origBytes[0] != 0 || origBytes.length == 1) {
|
if (orig_bytes[0] != 0 || orig_bytes.length == 1) {
|
||||||
return base64.toString(origBytes);
|
return base64.toString(orig_bytes);
|
||||||
}
|
}
|
||||||
|
|
||||||
byte[] signedBytes = new byte[origBytes.length - 1];
|
byte[] signed_bytes = new byte[orig_bytes.length - 1];
|
||||||
System.arraycopy(origBytes, 1, signedBytes, 0, signedBytes.length);
|
System.arraycopy(orig_bytes, 1, signed_bytes, 0, signed_bytes.length);
|
||||||
|
|
||||||
return base64.toString(signedBytes);
|
return base64.toString(signed_bytes);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -624,7 +668,7 @@ public class DnsKeyConverter {
|
|||||||
* Given an edwards curve key pair, and the actual algorithm (which will
|
* Given an edwards curve key pair, and the actual algorithm (which will
|
||||||
* describe the curve used), return the BIND9-style text encoding.
|
* describe the curve used), return the BIND9-style text encoding.
|
||||||
*/
|
*/
|
||||||
private String generatePrivateED(EdECPrivateKey priv, EdECPublicKey pub, int alg) {
|
private String generatePrivateED(EdDSAPrivateKey priv, EdDSAPublicKey pub, int alg) {
|
||||||
StringWriter sw = new StringWriter();
|
StringWriter sw = new StringWriter();
|
||||||
PrintWriter out = new PrintWriter(sw);
|
PrintWriter out = new PrintWriter(sw);
|
||||||
|
|
||||||
@ -632,8 +676,7 @@ public class DnsKeyConverter {
|
|||||||
out.println("Algorithm: " + alg + " (" + mAlgorithms.algToString(alg)
|
out.println("Algorithm: " + alg + " (" + mAlgorithms.algToString(alg)
|
||||||
+ ")");
|
+ ")");
|
||||||
out.print("PrivateKey: ");
|
out.print("PrivateKey: ");
|
||||||
byte[] keyBytes = priv.getBytes().orElse("null".getBytes());
|
out.println(base64.toString(priv.getSeed()));
|
||||||
out.println(base64.toString(keyBytes));
|
|
||||||
|
|
||||||
return sw.toString();
|
return sw.toString();
|
||||||
}
|
}
|
||||||
|
@ -264,23 +264,19 @@ public class DnsKeyPair {
|
|||||||
* @throws NoSuchAlgorithmException
|
* @throws NoSuchAlgorithmException
|
||||||
*/
|
*/
|
||||||
public Signature getVerifier() {
|
public Signature getVerifier() {
|
||||||
if (mVerifier != null)
|
if (mVerifier == null) {
|
||||||
return mVerifier;
|
|
||||||
|
|
||||||
mVerifier = getSignature();
|
mVerifier = getSignature();
|
||||||
PublicKey pk = getPublic();
|
PublicKey pk = getPublic();
|
||||||
|
if (mVerifier != null && pk != null) {
|
||||||
if (mVerifier == null || pk == null) {
|
|
||||||
log.warning("Could not get a Signature object for this key pair" + this);
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
|
|
||||||
try {
|
try {
|
||||||
mVerifier.initVerify(pk);
|
mVerifier.initVerify(pk);
|
||||||
} catch (InvalidKeyException e) {
|
} catch (InvalidKeyException e) {
|
||||||
log.warning("Key pair cannot initialize with public key: " + this);
|
}
|
||||||
|
} else {
|
||||||
|
// do not return an uninitialized verifier
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return mVerifier;
|
return mVerifier;
|
||||||
}
|
}
|
||||||
@ -334,7 +330,6 @@ public class DnsKeyPair {
|
|||||||
// This is from a StackOverflow answer. There are number of bytes-to-hex
|
// This is from a StackOverflow answer. There are number of bytes-to-hex
|
||||||
// converters in the ecosystem, but this avoid extra dependencies
|
// converters in the ecosystem, but this avoid extra dependencies
|
||||||
private static final byte[] HEX_ARRAY = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);
|
private static final byte[] HEX_ARRAY = "0123456789ABCDEF".getBytes(StandardCharsets.US_ASCII);
|
||||||
|
|
||||||
public static String toHex(byte[] bytes) {
|
public static String toHex(byte[] bytes) {
|
||||||
byte[] hexChars = new byte[bytes.length * 2];
|
byte[] hexChars = new byte[bytes.length * 2];
|
||||||
for (int j = 0; j < bytes.length; j++) {
|
for (int j = 0; j < bytes.length; j++) {
|
||||||
|
@ -241,7 +241,7 @@ public class DnsSecVerifier {
|
|||||||
|
|
||||||
byte[] sig = sigrec.getSignature();
|
byte[] sig = sigrec.getSignature();
|
||||||
|
|
||||||
if (algs.baseType(sigrec.getAlgorithm()) == DnsKeyAlgorithm.BaseAlgorithm.DSA) {
|
if (algs.baseType(sigrec.getAlgorithm()) == DnsKeyAlgorithm.DSA) {
|
||||||
sig = SignUtils.convertDSASignature(sig);
|
sig = SignUtils.convertDSASignature(sig);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -68,15 +68,21 @@ public class JCEDnsSecSigner {
|
|||||||
/**
|
/**
|
||||||
* Cryptographically generate a new DNSSEC key.
|
* Cryptographically generate a new DNSSEC key.
|
||||||
*
|
*
|
||||||
* @param owner the KEY RR's owner name.
|
* @param owner
|
||||||
* @param ttl the KEY RR's TTL.
|
* the KEY RR's owner name.
|
||||||
* @param dclass the KEY RR's DNS class.
|
* @param ttl
|
||||||
* @param algorithm the DNSSEC algorithm (RSASHA258, RSASHA512,
|
* the KEY RR's TTL.
|
||||||
* ECDSAP256,
|
* @param dclass
|
||||||
* etc.)
|
* the KEY RR's DNS class.
|
||||||
* @param flags any flags for the KEY RR.
|
* @param algorithm
|
||||||
* @param keysize the size of the key to generate.
|
* the DNSSEC algorithm (RSASHA258, RSASHA512,
|
||||||
* @param useLargeExponent if generating an RSA key, use the large exponent.
|
* ECDSAP256, etc.)
|
||||||
|
* @param flags
|
||||||
|
* any flags for the KEY RR.
|
||||||
|
* @param keysize
|
||||||
|
* the size of the key to generate.
|
||||||
|
* @param useLargeExponent
|
||||||
|
* if generating an RSA key, use the large exponent.
|
||||||
* @return a DnsKeyPair with the public and private keys populated.
|
* @return a DnsKeyPair with the public and private keys populated.
|
||||||
*/
|
*/
|
||||||
public DnsKeyPair generateKey(Name owner, long ttl, int dclass, int algorithm,
|
public DnsKeyPair generateKey(Name owner, long ttl, int dclass, int algorithm,
|
||||||
@ -107,25 +113,29 @@ public class JCEDnsSecSigner {
|
|||||||
/**
|
/**
|
||||||
* Sign an RRset.
|
* Sign an RRset.
|
||||||
*
|
*
|
||||||
* @param rrset the RRset to sign -- any existing signatures are ignored.
|
* @param rrset
|
||||||
* @param keypars a list of DnsKeyPair objects containing private keys.
|
* the RRset to sign -- any existing signatures are ignored.
|
||||||
* @param start the inception time for the resulting RRSIG records.
|
* @param keypars
|
||||||
* @param expire the expiration time for the resulting RRSIG records.
|
* a list of DnsKeyPair objects containing private keys.
|
||||||
|
* @param start
|
||||||
|
* the inception time for the resulting RRSIG records.
|
||||||
|
* @param expire
|
||||||
|
* the expiration time for the resulting RRSIG records.
|
||||||
* @return a list of RRSIGRecord objects.
|
* @return a list of RRSIGRecord objects.
|
||||||
*/
|
*/
|
||||||
public List<RRSIGRecord> signRRset(RRset rrset, List<DnsKeyPair> keypairs, Instant start,
|
public List<RRSIGRecord> signRRset(RRset rrset, List<DnsKeyPair> keypairs, Instant start,
|
||||||
Instant expire) throws IOException,
|
Instant expire) throws IOException,
|
||||||
GeneralSecurityException {
|
GeneralSecurityException {
|
||||||
if (rrset == null || keypairs == null)
|
if (rrset == null || keypairs == null)
|
||||||
return new ArrayList<>();
|
return null;
|
||||||
|
|
||||||
// default start to now, expire to start + 1 second.
|
// default start to now, expire to start + 1 second.
|
||||||
if (start == null)
|
if (start == null)
|
||||||
start = Instant.now();
|
start = Instant.now();
|
||||||
if (expire == null)
|
if (expire == null)
|
||||||
expire = start.plusSeconds(1);
|
expire = start.plusSeconds(1);
|
||||||
if (keypairs.isEmpty())
|
if (keypairs.size() == 0)
|
||||||
return new ArrayList<>();
|
return null;
|
||||||
|
|
||||||
if (mVerboseSigning) {
|
if (mVerboseSigning) {
|
||||||
log.info("Signing RRset:");
|
log.info("Signing RRset:");
|
||||||
@ -133,9 +143,9 @@ public class JCEDnsSecSigner {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// first, pre-calculate the RRset bytes.
|
// first, pre-calculate the RRset bytes.
|
||||||
byte[] rrsetData = SignUtils.generateCanonicalRRsetData(rrset, 0, 0);
|
byte[] rrset_data = SignUtils.generateCanonicalRRsetData(rrset, 0, 0);
|
||||||
|
|
||||||
ArrayList<RRSIGRecord> sigs = new ArrayList<>(keypairs.size());
|
ArrayList<RRSIGRecord> sigs = new ArrayList<RRSIGRecord>(keypairs.size());
|
||||||
|
|
||||||
// for each keypair, sign the RRset.
|
// for each keypair, sign the RRset.
|
||||||
for (DnsKeyPair pair : keypairs) {
|
for (DnsKeyPair pair : keypairs) {
|
||||||
@ -145,13 +155,13 @@ public class JCEDnsSecSigner {
|
|||||||
|
|
||||||
RRSIGRecord presig = SignUtils.generatePreRRSIG(rrset, keyrec, start, expire,
|
RRSIGRecord presig = SignUtils.generatePreRRSIG(rrset, keyrec, start, expire,
|
||||||
rrset.getTTL());
|
rrset.getTTL());
|
||||||
byte[] signData = SignUtils.generateSigData(rrsetData, presig);
|
byte[] sign_data = SignUtils.generateSigData(rrset_data, presig);
|
||||||
|
|
||||||
if (mVerboseSigning) {
|
if (mVerboseSigning) {
|
||||||
log.info("Canonical pre-signature data to sign with key "
|
log.info("Canonical pre-signature data to sign with key "
|
||||||
+ keyrec.getName().toString() + "/" + keyrec.getAlgorithm() + "/"
|
+ keyrec.getName().toString() + "/" + keyrec.getAlgorithm() + "/"
|
||||||
+ keyrec.getFootprint() + ":");
|
+ keyrec.getFootprint() + ":");
|
||||||
log.info(hexdump.dump(null, signData));
|
log.info(hexdump.dump(null, sign_data));
|
||||||
}
|
}
|
||||||
|
|
||||||
Signature signer = pair.getSigner();
|
Signature signer = pair.getSigner();
|
||||||
@ -164,7 +174,7 @@ public class JCEDnsSecSigner {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// sign the data.
|
// sign the data.
|
||||||
signer.update(signData);
|
signer.update(sign_data);
|
||||||
byte[] sig = signer.sign();
|
byte[] sig = signer.sign();
|
||||||
|
|
||||||
if (mVerboseSigning) {
|
if (mVerboseSigning) {
|
||||||
@ -174,7 +184,7 @@ public class JCEDnsSecSigner {
|
|||||||
|
|
||||||
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
|
DnsKeyAlgorithm algs = DnsKeyAlgorithm.getInstance();
|
||||||
// Convert to RFC 2536 format, if necessary.
|
// Convert to RFC 2536 format, if necessary.
|
||||||
if (algs.baseType(pair.getDNSKEYAlgorithm()) == DnsKeyAlgorithm.BaseAlgorithm.DSA) {
|
if (algs.baseType(pair.getDNSKEYAlgorithm()) == DnsKeyAlgorithm.DSA) {
|
||||||
DSAPublicKey pk = (DSAPublicKey) pair.getPublic();
|
DSAPublicKey pk = (DSAPublicKey) pair.getPublic();
|
||||||
sig = SignUtils.convertDSASignature(pk.getParams(), sig);
|
sig = SignUtils.convertDSASignature(pk.getParams(), sig);
|
||||||
}
|
}
|
||||||
@ -196,9 +206,12 @@ public class JCEDnsSecSigner {
|
|||||||
/**
|
/**
|
||||||
* Create a completely self-signed DNSKEY RRset.
|
* Create a completely self-signed DNSKEY RRset.
|
||||||
*
|
*
|
||||||
* @param keypairs the public & private keypairs to use in the keyset.
|
* @param keypairs
|
||||||
* @param start the RRSIG inception time.
|
* the public & private keypairs to use in the keyset.
|
||||||
* @param expire the RRSIG expiration time.
|
* @param start
|
||||||
|
* the RRSIG inception time.
|
||||||
|
* @param expire
|
||||||
|
* the RRSIG expiration time.
|
||||||
* @return a signed RRset.
|
* @return a signed RRset.
|
||||||
*/
|
*/
|
||||||
public RRset makeKeySet(List<DnsKeyPair> keypairs, Instant start, Instant expire)
|
public RRset makeKeySet(List<DnsKeyPair> keypairs, Instant start, Instant expire)
|
||||||
@ -223,55 +236,67 @@ public class JCEDnsSecSigner {
|
|||||||
/**
|
/**
|
||||||
* Conditionally sign an RRset and add it to the toList.
|
* Conditionally sign an RRset and add it to the toList.
|
||||||
*
|
*
|
||||||
* @param toList the list to which we are adding the processed RRsets.
|
* @param toList
|
||||||
* @param zonename the zone apex name.
|
* the list to which we are adding the processed RRsets.
|
||||||
* @param rrset the RRset under consideration.
|
* @param zonename
|
||||||
* @param kskpairs the List of KSKs..
|
* the zone apex name.
|
||||||
* @param zskpairs the List of zone keys.
|
* @param rrset
|
||||||
* @param start the RRSIG inception time.
|
* the RRset under consideration.
|
||||||
* @param expire the RRSIG expiration time.
|
* @param kskpairs
|
||||||
* @param fullySignKeyset if true, sign the zone apex keyset with both KSKs
|
* the List of KSKs..
|
||||||
* and ZSKs.
|
* @param zskpairs
|
||||||
* @param lastCut the name of the last delegation point encountered.
|
* the List of zone keys.
|
||||||
|
* @param start
|
||||||
|
* the RRSIG inception time.
|
||||||
|
* @param expire
|
||||||
|
* the RRSIG expiration time.
|
||||||
|
* @param fullySignKeyset
|
||||||
|
* if true, sign the zone apex keyset with both KSKs and
|
||||||
|
* ZSKs.
|
||||||
|
* @param last_cut
|
||||||
|
* the name of the last delegation point encountered.
|
||||||
*
|
*
|
||||||
* @return the name of the new last_cut.
|
* @return the name of the new last_cut.
|
||||||
*/
|
*/
|
||||||
private Name addRRset(List<Record> toList, Name zonename, RRset rrset,
|
private Name addRRset(List<Record> toList, Name zonename, RRset rrset,
|
||||||
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, Instant start,
|
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs, Instant start,
|
||||||
Instant expire, boolean fullySignKeyset, Name lastCut,
|
Instant expire, boolean fullySignKeyset, Name last_cut,
|
||||||
Name lastDname) throws IOException, GeneralSecurityException {
|
Name last_dname) throws IOException, GeneralSecurityException {
|
||||||
// add the records themselves
|
// add the records themselves
|
||||||
rrset.rrs().forEach(toList::add);
|
rrset.rrs().forEach(record -> {
|
||||||
|
toList.add(record);
|
||||||
|
});
|
||||||
|
|
||||||
int type = SignUtils.recordSecType(zonename, rrset.getName(), rrset.getType(),
|
int type = SignUtils.recordSecType(zonename, rrset.getName(), rrset.getType(),
|
||||||
lastCut, lastDname);
|
last_cut, last_dname);
|
||||||
|
|
||||||
// we don't sign non-normal sets (delegations, glue, invalid).
|
// we don't sign non-normal sets (delegations, glue, invalid).
|
||||||
if (type == SignUtils.RR_DELEGATION) {
|
if (type == SignUtils.RR_DELEGATION) {
|
||||||
return rrset.getName();
|
return rrset.getName();
|
||||||
}
|
}
|
||||||
if (type == SignUtils.RR_GLUE || type == SignUtils.RR_INVALID) {
|
if (type == SignUtils.RR_GLUE || type == SignUtils.RR_INVALID) {
|
||||||
return lastCut;
|
return last_cut;
|
||||||
}
|
}
|
||||||
|
|
||||||
// check for the zone apex keyset.
|
// check for the zone apex keyset.
|
||||||
if (rrset.getName().equals(zonename) && rrset.getType() == Type.DNSKEY && kskpairs != null && !kskpairs.isEmpty()) {
|
if (rrset.getName().equals(zonename) && rrset.getType() == Type.DNSKEY) {
|
||||||
// if we have ksks, sign the keyset with them, otherwise we will just sign
|
// if we have ksks, sign the keyset with them, otherwise we will just sign
|
||||||
// them with the zsks.
|
// them with the zsks.
|
||||||
|
if (kskpairs != null && kskpairs.size() > 0) {
|
||||||
List<RRSIGRecord> sigs = signRRset(rrset, kskpairs, start, expire);
|
List<RRSIGRecord> sigs = signRRset(rrset, kskpairs, start, expire);
|
||||||
toList.addAll(sigs);
|
toList.addAll(sigs);
|
||||||
|
|
||||||
// If we aren't going to sign with all the keys, bail out now.
|
// If we aren't going to sign with all the keys, bail out now.
|
||||||
if (!fullySignKeyset)
|
if (!fullySignKeyset)
|
||||||
return lastCut;
|
return last_cut;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// otherwise, we are OK to sign this set.
|
// otherwise, we are OK to sign this set.
|
||||||
List<RRSIGRecord> sigs = signRRset(rrset, zskpairs, start, expire);
|
List<RRSIGRecord> sigs = signRRset(rrset, zskpairs, start, expire);
|
||||||
toList.addAll(sigs);
|
toList.addAll(sigs);
|
||||||
|
|
||||||
return lastCut;
|
return last_cut;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Various NSEC/NSEC3 generation modes
|
// Various NSEC/NSEC3 generation modes
|
||||||
@ -286,31 +311,49 @@ public class JCEDnsSecSigner {
|
|||||||
* Opt-Out, etc.) External users of this class are expected to use the
|
* Opt-Out, etc.) External users of this class are expected to use the
|
||||||
* appropriate public signZone* methods instead of this.
|
* appropriate public signZone* methods instead of this.
|
||||||
*
|
*
|
||||||
* @param zonename The name of the zone
|
* @param zonename
|
||||||
* @param records The records comprising the zone. They do not have to
|
* The name of the zone
|
||||||
* be in any particular order, as this method will
|
* @param records
|
||||||
* order them as necessary.
|
* The records comprising the zone. They do not have to
|
||||||
* @param kskpairs The key pairs designated as "key signing keys"
|
* be in any
|
||||||
* @param zskpairs The key pairs designated as "zone signing keys"
|
* particular order, as this method will order them as
|
||||||
* @param start The RRSIG inception time
|
* necessary.
|
||||||
* @param expire The RRSIG expiration time
|
* @param kskpairs
|
||||||
* @param fullySignKeyset If true, all keys (ksk or zsk) will sign the DNSKEY
|
* The key pairs designated as "key signing keys"
|
||||||
* RRset. If false, only the ksks will sign it.
|
* @param zskpairs
|
||||||
* @param dsDigestAlg The hash algorithm to use for generating DS records
|
* The key pairs designated as "zone signing keys"
|
||||||
|
* @param start
|
||||||
|
* The RRSIG inception time
|
||||||
|
* @param expire
|
||||||
|
* The RRSIG expiration time
|
||||||
|
* @param fullySignKeyset
|
||||||
|
* If true, all keys (ksk or zsk) will sign the DNSKEY
|
||||||
|
* RRset. If
|
||||||
|
* false, only the ksks will sign it.
|
||||||
|
* @param ds_digest_alg
|
||||||
|
* The hash algorithm to use for generating DS records
|
||||||
* (DSRecord.SHA1_DIGEST_ID, e.g.)
|
* (DSRecord.SHA1_DIGEST_ID, e.g.)
|
||||||
* @param mode The NSEC/NSEC3 generation mode: NSEC_MODE,
|
* @param mode
|
||||||
* NSEC3_MODE, NSEC3_OPTOUT_MODE, etc.
|
* The NSEC/NSEC3 generation mode: NSEC_MODE, NSEC3_MODE,
|
||||||
* @param includedNames When using an Opt-In/Opt-Out mode, the names listed
|
* NSEC3_OPTOUT_MODE, etc.
|
||||||
* here will be included in the NSEC/NSEC3 chain
|
* @param includedNames
|
||||||
* regardless
|
* When using an Opt-In/Opt-Out mode, the names listed
|
||||||
* @param salt When using an NSEC3 mode, use this salt.
|
* here will be
|
||||||
* @param iterations When using an NSEC3 mode, use this number of
|
* included in the NSEC/NSEC3 chain regardless
|
||||||
|
* @param salt
|
||||||
|
* When using an NSEC3 mode, use this salt.
|
||||||
|
* @param iterations
|
||||||
|
* When using an NSEC3 mode, use this number of
|
||||||
* iterations
|
* iterations
|
||||||
* @param beConservative If true, then only turn on the Opt-In flag when
|
* @param beConservative
|
||||||
* there are insecure delegations in the span.
|
* If true, then only turn on the Opt-In flag when there
|
||||||
* Currently this only works for NSEC_EXP_OPT_IN mode.
|
* are insecure
|
||||||
* @param nsec3paramttl The TTL to use for the generated NSEC3PARAM record.
|
* delegations in the span. Currently this only works for
|
||||||
* Negative values will use the SOA TTL.
|
* NSEC_EXP_OPT_IN mode.
|
||||||
|
* @param nsec3paramttl
|
||||||
|
* The TTL to use for the generated NSEC3PARAM record.
|
||||||
|
* Negative
|
||||||
|
* values will use the SOA TTL.
|
||||||
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
||||||
* representing the signed zone.
|
* representing the signed zone.
|
||||||
*
|
*
|
||||||
@ -320,7 +363,7 @@ public class JCEDnsSecSigner {
|
|||||||
private List<Record> signZone(Name zonename, List<Record> records,
|
private List<Record> signZone(Name zonename, List<Record> records,
|
||||||
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
||||||
Instant start, Instant expire, boolean fullySignKeyset,
|
Instant start, Instant expire, boolean fullySignKeyset,
|
||||||
int dsDigestAlg, int mode, List<Name> includedNames,
|
int ds_digest_alg, int mode, List<Name> includedNames,
|
||||||
byte[] salt, int iterations, long nsec3paramttl,
|
byte[] salt, int iterations, long nsec3paramttl,
|
||||||
boolean beConservative) throws IOException,
|
boolean beConservative) throws IOException,
|
||||||
GeneralSecurityException {
|
GeneralSecurityException {
|
||||||
@ -337,7 +380,7 @@ public class JCEDnsSecSigner {
|
|||||||
|
|
||||||
// Generate DS records. This replaces any non-zone-apex DNSKEY RRs with DS
|
// Generate DS records. This replaces any non-zone-apex DNSKEY RRs with DS
|
||||||
// RRs.
|
// RRs.
|
||||||
SignUtils.generateDSRecords(zonename, records, dsDigestAlg);
|
SignUtils.generateDSRecords(zonename, records, ds_digest_alg);
|
||||||
|
|
||||||
// Generate the NSEC or NSEC3 records based on 'mode'
|
// Generate the NSEC or NSEC3 records based on 'mode'
|
||||||
switch (mode) {
|
switch (mode) {
|
||||||
@ -355,8 +398,6 @@ public class JCEDnsSecSigner {
|
|||||||
SignUtils.generateOptInNSECRecords(zonename, records, includedNames,
|
SignUtils.generateOptInNSECRecords(zonename, records, includedNames,
|
||||||
beConservative);
|
beConservative);
|
||||||
break;
|
break;
|
||||||
default:
|
|
||||||
throw new NoSuchAlgorithmException("Unknown NSEC/NSEC3 mode: " + mode);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Re-sort so we can assemble into rrsets.
|
// Re-sort so we can assemble into rrsets.
|
||||||
@ -364,9 +405,9 @@ public class JCEDnsSecSigner {
|
|||||||
|
|
||||||
// Assemble into RRsets and sign.
|
// Assemble into RRsets and sign.
|
||||||
RRset rrset = new RRset();
|
RRset rrset = new RRset();
|
||||||
ArrayList<Record> signedRecords = new ArrayList<>();
|
ArrayList<Record> signed_records = new ArrayList<Record>();
|
||||||
Name lastCut = null;
|
Name last_cut = null;
|
||||||
Name lastDname = null;
|
Name last_dname = null;
|
||||||
|
|
||||||
for (ListIterator<Record> i = records.listIterator(); i.hasNext();) {
|
for (ListIterator<Record> i = records.listIterator(); i.hasNext();) {
|
||||||
Record r = i.next();
|
Record r = i.next();
|
||||||
@ -389,38 +430,48 @@ public class JCEDnsSecSigner {
|
|||||||
|
|
||||||
// add the RRset to the list of signed_records, regardless of
|
// add the RRset to the list of signed_records, regardless of
|
||||||
// whether or not we actually end up signing the set.
|
// whether or not we actually end up signing the set.
|
||||||
lastCut = addRRset(signedRecords, zonename, rrset, kskpairs, zskpairs, start,
|
last_cut = addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start,
|
||||||
expire, fullySignKeyset, lastCut, lastDname);
|
expire, fullySignKeyset, last_cut, last_dname);
|
||||||
if (rrset.getType() == Type.DNAME)
|
if (rrset.getType() == Type.DNAME)
|
||||||
lastDname = rrset.getName();
|
last_dname = rrset.getName();
|
||||||
|
|
||||||
rrset.clear();
|
rrset.clear();
|
||||||
rrset.addRR(r);
|
rrset.addRR(r);
|
||||||
}
|
}
|
||||||
|
|
||||||
// add the last RR set
|
// add the last RR set
|
||||||
addRRset(signedRecords, zonename, rrset, kskpairs, zskpairs, start, expire,
|
addRRset(signed_records, zonename, rrset, kskpairs, zskpairs, start, expire,
|
||||||
fullySignKeyset, lastCut, lastDname);
|
fullySignKeyset, last_cut, last_dname);
|
||||||
|
|
||||||
return signedRecords;
|
return signed_records;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given a zone, sign it using standard NSEC records.
|
* Given a zone, sign it using standard NSEC records.
|
||||||
*
|
*
|
||||||
* @param zonename The name of the zone.
|
* @param zonename
|
||||||
* @param records The records comprising the zone. They do not have to
|
* The name of the zone.
|
||||||
* be in any particular order, as this method will
|
* @param records
|
||||||
* order them as necessary.
|
* The records comprising the zone. They do not have to
|
||||||
* @param kskpairs The key pairs that are designated as "key signing
|
* be in any
|
||||||
|
* particular order, as this method will order them as
|
||||||
|
* necessary.
|
||||||
|
* @param kskpairs
|
||||||
|
* The key pairs that are designated as "key signing
|
||||||
* keys".
|
* keys".
|
||||||
* @param zskpairs This key pairs that are designated as "zone signing
|
* @param zskpairs
|
||||||
|
* This key pairs that are designated as "zone signing
|
||||||
* keys".
|
* keys".
|
||||||
* @param start The RRSIG inception time.
|
* @param start
|
||||||
* @param expire The RRSIG expiration time.
|
* The RRSIG inception time.
|
||||||
* @param fullySignKeyset Sign the zone apex keyset with all available keys
|
* @param expire
|
||||||
* (instead of just the key signing keys).
|
* The RRSIG expiration time.
|
||||||
* @param dsDigestAlg The digest algorithm to use when generating DS
|
* @param fullySignKeyset
|
||||||
|
* Sign the zone apex keyset with all available keys
|
||||||
|
* (instead of just
|
||||||
|
* the key signing keys).
|
||||||
|
* @param ds_digest_alg
|
||||||
|
* The digest algorithm to use when generating DS
|
||||||
* records.
|
* records.
|
||||||
*
|
*
|
||||||
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
||||||
@ -429,42 +480,58 @@ public class JCEDnsSecSigner {
|
|||||||
public List<Record> signZone(Name zonename, List<Record> records,
|
public List<Record> signZone(Name zonename, List<Record> records,
|
||||||
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
||||||
Instant start, Instant expire, boolean fullySignKeyset,
|
Instant start, Instant expire, boolean fullySignKeyset,
|
||||||
int dsDigestAlg) throws IOException,
|
int ds_digest_alg) throws IOException,
|
||||||
GeneralSecurityException {
|
GeneralSecurityException {
|
||||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||||
fullySignKeyset, dsDigestAlg, NSEC_MODE, null, null, 0, 0, false);
|
fullySignKeyset, ds_digest_alg, NSEC_MODE, null, null, 0, 0, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Given a zone, sign it using NSEC3 records.
|
* Given a zone, sign it using NSEC3 records.
|
||||||
*
|
*
|
||||||
* @param signer A signer (utility) object used to actually sign
|
* @param signer
|
||||||
* stuff.
|
* A signer (utility) object used to actually sign stuff.
|
||||||
* @param zonename The name of the zone being signed.
|
* @param zonename
|
||||||
* @param records The records comprising the zone. They do not have to
|
* The name of the zone being signed.
|
||||||
* be in any particular order, as this method will
|
* @param records
|
||||||
* order them as necessary.
|
* The records comprising the zone. They do not have to
|
||||||
* @param kskpairs The key pairs that are designated as "key signing
|
* be in any
|
||||||
|
* particular order, as this method will order them as
|
||||||
|
* necessary.
|
||||||
|
* @param kskpairs
|
||||||
|
* The key pairs that are designated as "key signing
|
||||||
* keys".
|
* keys".
|
||||||
* @param zskpairs This key pairs that are designated as "zone signing
|
* @param zskpairs
|
||||||
|
* This key pairs that are designated as "zone signing
|
||||||
* keys".
|
* keys".
|
||||||
* @param start The RRSIG inception time.
|
* @param start
|
||||||
* @param expire The RRSIG expiration time.
|
* The RRSIG inception time.
|
||||||
* @param fullySignKeyset If true then the DNSKEY RRset will be signed by all
|
* @param expire
|
||||||
* available keys, if false, only the key signing keys.
|
* The RRSIG expiration time.
|
||||||
* @param useOptOut If true, insecure delegations will be omitted from
|
* @param fullySignKeyset
|
||||||
* the NSEC3 chain, and all NSEC3 records will have the
|
* If true then the DNSKEY RRset will be signed by all
|
||||||
* Opt-Out flag set.
|
* available
|
||||||
* @param includedNames A list of names to include in the NSEC3 chain
|
* keys, if false, only the key signing keys.
|
||||||
|
* @param useOptOut
|
||||||
|
* If true, insecure delegations will be omitted from the
|
||||||
|
* NSEC3
|
||||||
|
* chain, and all NSEC3 records will have the Opt-Out
|
||||||
|
* flag set.
|
||||||
|
* @param includedNames
|
||||||
|
* A list of names to include in the NSEC3 chain
|
||||||
* regardless.
|
* regardless.
|
||||||
* @param salt The salt to use for the NSEC3 hashing. null means no
|
* @param salt
|
||||||
|
* The salt to use for the NSEC3 hashing. null means no
|
||||||
* salt.
|
* salt.
|
||||||
* @param iterations The number of iterations to use for the NSEC3
|
* @param iterations
|
||||||
* hashing.
|
* The number of iterations to use for the NSEC3 hashing.
|
||||||
* @param dsDigestAlg The digest algorithm to use when generating DS
|
* @param ds_digest_alg
|
||||||
|
* The digest algorithm to use when generating DS
|
||||||
* records.
|
* records.
|
||||||
* @param nsec3paramttl The TTL to use for the generated NSEC3PARAM record.
|
* @param nsec3paramttl
|
||||||
* Negative values will use the SOA TTL.
|
* The TTL to use for the generated NSEC3PARAM record.
|
||||||
|
* Negative
|
||||||
|
* values will use the SOA TTL.
|
||||||
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
||||||
* representing the signed zone.
|
* representing the signed zone.
|
||||||
*
|
*
|
||||||
@ -475,16 +542,16 @@ public class JCEDnsSecSigner {
|
|||||||
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
||||||
Instant start, Instant expire, boolean fullySignKeyset,
|
Instant start, Instant expire, boolean fullySignKeyset,
|
||||||
boolean useOptOut, List<Name> includedNames,
|
boolean useOptOut, List<Name> includedNames,
|
||||||
byte[] salt, int iterations, int dsDigestAlg,
|
byte[] salt, int iterations, int ds_digest_alg,
|
||||||
long nsec3paramttl) throws IOException,
|
long nsec3paramttl) throws IOException,
|
||||||
GeneralSecurityException {
|
GeneralSecurityException {
|
||||||
if (useOptOut) {
|
if (useOptOut) {
|
||||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||||
fullySignKeyset, dsDigestAlg, NSEC3_OPTOUT_MODE, includedNames,
|
fullySignKeyset, ds_digest_alg, NSEC3_OPTOUT_MODE, includedNames,
|
||||||
salt, iterations, nsec3paramttl, false);
|
salt, iterations, nsec3paramttl, false);
|
||||||
} else {
|
} else {
|
||||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||||
fullySignKeyset, dsDigestAlg, NSEC3_MODE, null, salt, iterations,
|
fullySignKeyset, ds_digest_alg, NSEC3_MODE, null, salt, iterations,
|
||||||
nsec3paramttl, false);
|
nsec3paramttl, false);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -493,25 +560,37 @@ public class JCEDnsSecSigner {
|
|||||||
* Given a zone, sign it using experimental Opt-In NSEC records (see RFC
|
* Given a zone, sign it using experimental Opt-In NSEC records (see RFC
|
||||||
* 4956).
|
* 4956).
|
||||||
*
|
*
|
||||||
* @param zonename the name of the zone.
|
* @param zonename
|
||||||
* @param records the records comprising the zone. They do not
|
* the name of the zone.
|
||||||
* have to be in any particular order, as this
|
* @param records
|
||||||
* method will order them as necessary.
|
* the records comprising the zone. They do not have
|
||||||
* @param kskpairs the key pairs that are designated as "key
|
* to be in any
|
||||||
|
* particular order, as this method will order them
|
||||||
|
* as necessary.
|
||||||
|
* @param kskpairs
|
||||||
|
* the key pairs that are designated as "key signing
|
||||||
|
* keys".
|
||||||
|
* @param zskpairs
|
||||||
|
* this key pairs that are designated as "zone
|
||||||
* signing keys".
|
* signing keys".
|
||||||
* @param zskpairs this key pairs that are designated as "zone
|
* @param start
|
||||||
* signing keys".
|
* the RRSIG inception time.
|
||||||
* @param start the RRSIG inception time.
|
* @param expire
|
||||||
* @param expire the RRSIG expiration time.
|
* the RRSIG expiration time.
|
||||||
* @param useConservativeOptIn if true, Opt-In NSEC records will only be
|
* @param useConservativeOptIn
|
||||||
* generated if there are insecure, unsigned
|
* if true, Opt-In NSEC records will only be
|
||||||
* delegations in the span.
|
* generated if there are
|
||||||
* @param fullySignKeyset sign the zone apex keyset with all available
|
* insecure, unsigned delegations in the span.
|
||||||
|
* @param fullySignKeyset
|
||||||
|
* sign the zone apex keyset with all available
|
||||||
* keys.
|
* keys.
|
||||||
* @param dsDigestAlg The digest algorithm to use when generating DS
|
* @param ds_digest_alg
|
||||||
|
* The digest algorithm to use when generating DS
|
||||||
* records.
|
* records.
|
||||||
* @param nsecIncludeNames names that are to be included in the NSEC chain
|
* @param NSECIncludeNames
|
||||||
* regardless. This may be null.
|
* names that are to be included in the NSEC chain
|
||||||
|
* regardless. This
|
||||||
|
* may be null.
|
||||||
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
* @return an ordered list of {@link org.xbill.DNS.Record} objects,
|
||||||
* representing the signed zone.
|
* representing the signed zone.
|
||||||
*/
|
*/
|
||||||
@ -519,12 +598,12 @@ public class JCEDnsSecSigner {
|
|||||||
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
List<DnsKeyPair> kskpairs, List<DnsKeyPair> zskpairs,
|
||||||
Instant start, Instant expire,
|
Instant start, Instant expire,
|
||||||
boolean useConservativeOptIn,
|
boolean useConservativeOptIn,
|
||||||
boolean fullySignKeyset, List<Name> nsecIncludeNames,
|
boolean fullySignKeyset, List<Name> NSECIncludeNames,
|
||||||
int dsDigestAlg) throws IOException,
|
int ds_digest_alg) throws IOException,
|
||||||
GeneralSecurityException {
|
GeneralSecurityException {
|
||||||
|
|
||||||
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
return signZone(zonename, records, kskpairs, zskpairs, start, expire,
|
||||||
fullySignKeyset, dsDigestAlg, NSEC_EXP_OPT_IN, nsecIncludeNames,
|
fullySignKeyset, ds_digest_alg, NSEC_EXP_OPT_IN, NSECIncludeNames,
|
||||||
null, 0, 0, useConservativeOptIn);
|
null, 0, 0, useConservativeOptIn);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -33,7 +33,6 @@ import org.xbill.DNS.Type;
|
|||||||
|
|
||||||
public class RecordComparator implements Comparator<Record> {
|
public class RecordComparator implements Comparator<Record> {
|
||||||
public RecordComparator() {
|
public RecordComparator() {
|
||||||
// nothing to initialize
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -66,15 +65,15 @@ public class RecordComparator implements Comparator<Record> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
private int compareRDATA(Record a, Record b) {
|
private int compareRDATA(Record a, Record b) {
|
||||||
byte[] aRdata = a.rdataToWireCanonical();
|
byte[] a_rdata = a.rdataToWireCanonical();
|
||||||
byte[] bRdata = b.rdataToWireCanonical();
|
byte[] b_rdata = b.rdataToWireCanonical();
|
||||||
|
|
||||||
for (int i = 0; i < aRdata.length && i < bRdata.length; i++) {
|
for (int i = 0; i < a_rdata.length && i < b_rdata.length; i++) {
|
||||||
int n = (aRdata[i] & 0xFF) - (bRdata[i] & 0xFF);
|
int n = (a_rdata[i] & 0xFF) - (b_rdata[i] & 0xFF);
|
||||||
if (n != 0)
|
if (n != 0)
|
||||||
return n;
|
return n;
|
||||||
}
|
}
|
||||||
return (aRdata.length - bRdata.length);
|
return (a_rdata.length - b_rdata.length);
|
||||||
}
|
}
|
||||||
|
|
||||||
public int compare(Record a, Record b) {
|
public int compare(Record a, Record b) {
|
||||||
@ -89,27 +88,27 @@ public class RecordComparator implements Comparator<Record> {
|
|||||||
if (res != 0)
|
if (res != 0)
|
||||||
return res;
|
return res;
|
||||||
|
|
||||||
int aType = a.getType();
|
int a_type = a.getType();
|
||||||
int bType = b.getType();
|
int b_type = b.getType();
|
||||||
int sigType = 0;
|
int sig_type = 0;
|
||||||
|
|
||||||
if (aType == Type.RRSIG) {
|
if (a_type == Type.RRSIG) {
|
||||||
aType = ((RRSIGRecord) a).getTypeCovered();
|
a_type = ((RRSIGRecord) a).getTypeCovered();
|
||||||
if (bType != Type.RRSIG)
|
if (b_type != Type.RRSIG)
|
||||||
sigType = 1;
|
sig_type = 1;
|
||||||
}
|
}
|
||||||
if (bType == Type.RRSIG) {
|
if (b_type == Type.RRSIG) {
|
||||||
bType = ((RRSIGRecord) b).getTypeCovered();
|
b_type = ((RRSIGRecord) b).getTypeCovered();
|
||||||
if (a.getType() != Type.RRSIG)
|
if (a.getType() != Type.RRSIG)
|
||||||
sigType = -1;
|
sig_type = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
res = compareTypes(aType, bType);
|
res = compareTypes(a_type, b_type);
|
||||||
if (res != 0)
|
if (res != 0)
|
||||||
return res;
|
return res;
|
||||||
|
|
||||||
if (sigType != 0)
|
if (sig_type != 0)
|
||||||
return sigType;
|
return sig_type;
|
||||||
|
|
||||||
return compareRDATA(a, b);
|
return compareRDATA(a, b);
|
||||||
}
|
}
|
||||||
|
File diff suppressed because it is too large
Load Diff
@ -37,7 +37,7 @@ public class TypeMap {
|
|||||||
private Set<Integer> typeSet;
|
private Set<Integer> typeSet;
|
||||||
|
|
||||||
public TypeMap() {
|
public TypeMap() {
|
||||||
this.typeSet = new HashSet<>();
|
this.typeSet = new HashSet<Integer>();
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Add the given type to the typemap. */
|
/** Add the given type to the typemap. */
|
||||||
@ -78,20 +78,20 @@ public class TypeMap {
|
|||||||
TypeMap typemap = new TypeMap();
|
TypeMap typemap = new TypeMap();
|
||||||
|
|
||||||
int page;
|
int page;
|
||||||
int byteLength;
|
int byte_length;
|
||||||
|
|
||||||
while (m < map.length) {
|
while (m < map.length) {
|
||||||
page = map[m++];
|
page = map[m++];
|
||||||
byteLength = map[m++];
|
byte_length = map[m++];
|
||||||
|
|
||||||
for (int i = 0; i < byteLength; i++) {
|
for (int i = 0; i < byte_length; i++) {
|
||||||
for (int j = 0; j < 8; j++) {
|
for (int j = 0; j < 8; j++) {
|
||||||
if (((map[m + i] & 0xFF) & (1 << (7 - j))) != 0) {
|
if ((map[m + i] & (1 << (7 - j))) != 0) {
|
||||||
typemap.set((page << 8) + (i * 8) + j);
|
typemap.set((page << 8) + (i * 8) + j);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
m += byteLength;
|
m += byte_length;
|
||||||
}
|
}
|
||||||
|
|
||||||
return typemap;
|
return typemap;
|
||||||
@ -115,7 +115,7 @@ public class TypeMap {
|
|||||||
int[] types = getTypes();
|
int[] types = getTypes();
|
||||||
Arrays.sort(types);
|
Arrays.sort(types);
|
||||||
|
|
||||||
StringBuilder sb = new StringBuilder();
|
StringBuffer sb = new StringBuffer();
|
||||||
|
|
||||||
for (int i = 0; i < types.length; i++) {
|
for (int i = 0; i < types.length; i++) {
|
||||||
if (i > 0)
|
if (i > 0)
|
||||||
@ -129,16 +129,16 @@ public class TypeMap {
|
|||||||
protected static void mapToWire(DNSOutput out, int[] types, int base, int start, int end) {
|
protected static void mapToWire(DNSOutput out, int[] types, int base, int start, int end) {
|
||||||
// calculate the length of this map by looking at the largest
|
// calculate the length of this map by looking at the largest
|
||||||
// typecode in this section.
|
// typecode in this section.
|
||||||
int maxType = types[end - 1] & 0xFF;
|
int max_type = types[end - 1] & 0xFF;
|
||||||
int mapLength = (maxType / 8) + 1;
|
int map_length = (max_type / 8) + 1;
|
||||||
|
|
||||||
// write the map "header" -- the base and the length of the map.
|
// write the map "header" -- the base and the length of the map.
|
||||||
out.writeU8(base & 0xFF);
|
out.writeU8(base & 0xFF);
|
||||||
out.writeU8(mapLength & 0xFF);
|
out.writeU8(map_length & 0xFF);
|
||||||
|
|
||||||
// allocate a temporary scratch space for caculating the actual
|
// allocate a temporary scratch space for caculating the actual
|
||||||
// bitmap.
|
// bitmap.
|
||||||
byte[] map = new byte[mapLength];
|
byte[] map = new byte[map_length];
|
||||||
|
|
||||||
// for each type in our sub-array, set its corresponding bit in the map.
|
// for each type in our sub-array, set its corresponding bit in the map.
|
||||||
for (int i = start; i < end; i++) {
|
for (int i = start; i < end; i++) {
|
||||||
@ -179,7 +179,7 @@ public class TypeMap {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public int[] getTypes() {
|
public int[] getTypes() {
|
||||||
Integer[] a = typeSet.toArray(integerArray);
|
Integer[] a = (Integer[]) typeSet.toArray(integerArray);
|
||||||
|
|
||||||
int[] res = new int[a.length];
|
int[] res = new int[a.length];
|
||||||
for (int i = 0; i < res.length; i++) {
|
for (int i = 0; i < res.length; i++) {
|
||||||
@ -189,8 +189,8 @@ public class TypeMap {
|
|||||||
return res;
|
return res;
|
||||||
}
|
}
|
||||||
|
|
||||||
public static int[] fromWireToTypes(byte[] wireFmt) {
|
public static int[] fromWireToTypes(byte[] wire_fmt) {
|
||||||
return TypeMap.fromBytes(wireFmt).getTypes();
|
return TypeMap.fromBytes(wire_fmt).getTypes();
|
||||||
}
|
}
|
||||||
|
|
||||||
public static byte[] fromTypesToWire(int[] types) {
|
public static byte[] fromTypesToWire(int[] types) {
|
||||||
|
@ -39,10 +39,6 @@ import org.xbill.DNS.Type;
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
public class ZoneUtils {
|
public class ZoneUtils {
|
||||||
|
|
||||||
private ZoneUtils() {
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Load a zone file.
|
* Load a zone file.
|
||||||
*
|
*
|
||||||
@ -57,10 +53,19 @@ public class ZoneUtils {
|
|||||||
* if something goes wrong reading the zone file.
|
* if something goes wrong reading the zone file.
|
||||||
*/
|
*/
|
||||||
public static List<Record> readZoneFile(String zonefile, Name origin) throws IOException {
|
public static List<Record> readZoneFile(String zonefile, Name origin) throws IOException {
|
||||||
ArrayList<Record> records = new ArrayList<>();
|
ArrayList<Record> records = new ArrayList<Record>();
|
||||||
try (Master m = zonefile.equals("-") ? new Master(System.in) : new Master(zonefile, origin)) {
|
Master m;
|
||||||
|
try {
|
||||||
|
if (zonefile.equals("-")) {
|
||||||
|
m = new Master(System.in);
|
||||||
|
} else {
|
||||||
|
m = new Master(zonefile, origin);
|
||||||
|
}
|
||||||
|
|
||||||
Record r = null;
|
Record r = null;
|
||||||
|
|
||||||
while ((r = m.nextRecord()) != null) {
|
while ((r = m.nextRecord()) != null) {
|
||||||
|
|
||||||
records.add(r);
|
records.add(r);
|
||||||
}
|
}
|
||||||
} catch (IOException e) {
|
} catch (IOException e) {
|
||||||
@ -115,7 +120,7 @@ public class ZoneUtils {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static List<Record> findRRs(List<Record> records, Name name, int type) {
|
public static List<Record> findRRs(List<Record> records, Name name, int type) {
|
||||||
List<Record> res = new ArrayList<>();
|
List<Record> res = new ArrayList<Record>();
|
||||||
for (Record r : records) {
|
for (Record r : records) {
|
||||||
if (r.getName().equals(name) && r.getType() == type) {
|
if (r.getName().equals(name) && r.getType() == type) {
|
||||||
res.add(r);
|
res.add(r);
|
||||||
|
@ -88,12 +88,10 @@ public class ZoneVerifier {
|
|||||||
public boolean equals(Object o) {
|
public boolean equals(Object o) {
|
||||||
return super.equals(o);
|
return super.equals(o);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public int hashCode() {
|
public int hashCode() {
|
||||||
return super.hashCode();
|
return super.hashCode();
|
||||||
}
|
}
|
||||||
|
|
||||||
boolean getMark() {
|
boolean getMark() {
|
||||||
return mIsMarked;
|
return mIsMarked;
|
||||||
}
|
}
|
||||||
@ -150,8 +148,7 @@ public class ZoneVerifier {
|
|||||||
/**
|
/**
|
||||||
* Add a record to the various maps.
|
* Add a record to the various maps.
|
||||||
*
|
*
|
||||||
* @return true if the RR was added, false if it wasn't (because it was a
|
* @return true if the RR was added, false if it wasn't (because it was a duplicate)
|
||||||
* duplicate)
|
|
||||||
*/
|
*/
|
||||||
private boolean addRR(Record r) {
|
private boolean addRR(Record r) {
|
||||||
Name n = r.getName();
|
Name n = r.getName();
|
||||||
@ -209,7 +206,7 @@ public class ZoneVerifier {
|
|||||||
* Given an unsorted list of records, load the node and rrset maps, as well as
|
* Given an unsorted list of records, load the node and rrset maps, as well as
|
||||||
* determine the NSEC3 parameters and signing type.
|
* determine the NSEC3 parameters and signing type.
|
||||||
*
|
*
|
||||||
* @param records an unsorted list of {@link org.xbill.DNS.Record} objects.
|
* @param records
|
||||||
* @return the number of errors encountered.
|
* @return the number of errors encountered.
|
||||||
*/
|
*/
|
||||||
private int calculateNodes(List<Record> records) {
|
private int calculateNodes(List<Record> records) {
|
||||||
@ -254,7 +251,7 @@ public class ZoneVerifier {
|
|||||||
* Given a name, typeset, and name of the last zone cut, determine the node
|
* Given a name, typeset, and name of the last zone cut, determine the node
|
||||||
* type.
|
* type.
|
||||||
*/
|
*/
|
||||||
private NodeType determineNodeType(Name n, Set<Integer> typeset, Name lastCut) {
|
private NodeType determineNodeType(Name n, Set<Integer> typeset, Name last_cut) {
|
||||||
// All RRs at the zone apex are normal
|
// All RRs at the zone apex are normal
|
||||||
if (n.equals(mZoneName))
|
if (n.equals(mZoneName))
|
||||||
return NodeType.NORMAL;
|
return NodeType.NORMAL;
|
||||||
@ -266,7 +263,7 @@ public class ZoneVerifier {
|
|||||||
}
|
}
|
||||||
// If the node is below a zone cut (either a delegation or DNAME), it is
|
// If the node is below a zone cut (either a delegation or DNAME), it is
|
||||||
// glue.
|
// glue.
|
||||||
if (lastCut != null && n.subdomain(lastCut) && !n.equals(lastCut)) {
|
if (last_cut != null && n.subdomain(last_cut) && !n.equals(last_cut)) {
|
||||||
return NodeType.GLUE;
|
return NodeType.GLUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -297,13 +294,13 @@ public class ZoneVerifier {
|
|||||||
*/
|
*/
|
||||||
private int processNodes() throws NoSuchAlgorithmException, TextParseException {
|
private int processNodes() throws NoSuchAlgorithmException, TextParseException {
|
||||||
int errors = 0;
|
int errors = 0;
|
||||||
Name lastCut = null;
|
Name last_cut = null;
|
||||||
|
|
||||||
for (Map.Entry<Name, Set<Integer>> entry : mNodeMap.entrySet()) {
|
for (Map.Entry<Name, Set<Integer>> entry : mNodeMap.entrySet()) {
|
||||||
Name n = entry.getKey();
|
Name n = entry.getKey();
|
||||||
Set<Integer> typeset = entry.getValue();
|
Set<Integer> typeset = entry.getValue();
|
||||||
|
|
||||||
NodeType ntype = determineNodeType(n, typeset, lastCut);
|
NodeType ntype = determineNodeType(n, typeset, last_cut);
|
||||||
log.finest("Node " + n + " is type " + ntype);
|
log.finest("Node " + n + " is type " + ntype);
|
||||||
|
|
||||||
// we can ignore glue/invalid RRs.
|
// we can ignore glue/invalid RRs.
|
||||||
@ -312,7 +309,7 @@ public class ZoneVerifier {
|
|||||||
|
|
||||||
// record the last zone cut if this node is a zone cut.
|
// record the last zone cut if this node is a zone cut.
|
||||||
if (ntype == NodeType.DELEGATION || typeset.contains(Type.DNAME)) {
|
if (ntype == NodeType.DELEGATION || typeset.contains(Type.DNAME)) {
|
||||||
lastCut = n;
|
last_cut = n;
|
||||||
}
|
}
|
||||||
|
|
||||||
// check all of the RRsets that should be signed
|
// check all of the RRsets that should be signed
|
||||||
|
Loading…
Reference in New Issue
Block a user