Example 1 with AlgorithmNotSupportedReason

Use of org.minidns.dnssec.UnverifiedReason.AlgorithmNotSupportedReason in project minidns by MiniDNS.

Class Verifier, method verify: checks a child zone's DNSKEY (the SEP/KSK) against the DS record published by the parent zone.

// DS digest = H(owner name in wire format | DNSKEY RDATA), RFC 4034 section 5.1.4.
// Returns null when the DNSKEY is the one the parent committed to, an UnverifiedReason
// when the check cannot be performed, and throws when it was performed and failed.
public UnverifiedReason verify(Record<DNSKEY> dnskeyRecord, DelegatingDnssecRR ds) {
    DNSKEY dnskey = dnskeyRecord.payloadData;
    DigestCalculator digestCalculator = algorithmMap.getDsDigestCalculator(ds.digestType);
    if (digestCalculator == null) {
        // Unknown digest type: this DS cannot be judged. That is reported as an
        // UnverifiedReason, not treated as a validation failure.
        return new AlgorithmNotSupportedReason(ds.digestTypeByte, ds.getType(), dnskeyRecord);
    }
    // Digest input is the owner name (wire format) followed by the DNSKEY RDATA.
    byte[] dnskeyData = dnskey.toByteArray();
    byte[] dnskeyOwner = dnskeyRecord.name.getBytes();
    byte[] combined = new byte[dnskeyOwner.length + dnskeyData.length];
    System.arraycopy(dnskeyOwner, 0, combined, 0, dnskeyOwner.length);
    System.arraycopy(dnskeyData, 0, combined, dnskeyOwner.length, dnskeyData.length);
    byte[] digest;
    try {
        digest = digestCalculator.digest(combined);
    } catch (Exception e) {
        // The digest implementation failed at runtime; again unverified rather than bogus.
        return new AlgorithmExceptionThrownReason(ds.digestType, "DS", dnskeyRecord, e);
    }
    if (!ds.digestEquals(digest)) {
        // A supported digest that does not match is a hard failure: the key is not delegated.
        throw new DNSSECValidationFailedException(dnskeyRecord, "SEP is not properly signed by parent DS!");
    }
    // null means verified.
    return null;
}
Also used :
AlgorithmExceptionThrownReason(org.minidns.dnssec.UnverifiedReason.AlgorithmExceptionThrownReason)
AlgorithmNotSupportedReason(org.minidns.dnssec.UnverifiedReason.AlgorithmNotSupportedReason)
DNSKEY(org.minidns.record.DNSKEY)
IOException(java.io.IOException)
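To make the DS check concrete, here is an added example in Python (not minidns code and not part of the snippet above) that computes the RFC 4034 section 5.1.4 DS digest over a constructed DNSKEY, pairs DS and DNSKEY through the RFC 4034 Appendix B key tag (the snippet above leaves that pairing to its caller), and reports the same three outcomes as verify(): unsupported digest type, mismatch (bogus), verified. The key bytes, the names verify_ds / ds_digest / key_tag / dnskey_rdata and the outcome strings are assumptions of the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# DS digest types this example supports (IANA registry: 1 SHA-1, 2 SHA-256 per RFC 4509,
# 4 SHA-384 per RFC 6605). Anything else is "unsupported", not "bogus".
DS_DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout (RFC 4034 section 2.1): flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: a 16-bit checksum used only to pair a DS with candidate DNSKEYs."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> Optional[bytes]:
    """RFC 4034 section 5.1.4: digest = H(owner name wire form | DNSKEY RDATA); None if type unsupported."""
    algo = DS_DIGESTS.get(digest_type)
    if algo is None:
        return None
    return hashlib.new(algo, name_to_wire(owner) + rdata).digest()


@dataclass
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def verify_ds(owner: str, rdata: bytes, ds: DS) -> str:
    """Outcomes mirroring the Verifier.verify snippet: 'unsupported' is not a failure, 'bogus' is."""
    if ds.key_tag != key_tag(rdata) or ds.algorithm != rdata[3]:
        return "no-match"        # this DS is about a different key; the caller tries the next DNSKEY
    digest = ds_digest(owner, rdata, ds.digest_type)
    if digest is None:
        return "unsupported"     # cannot judge with this DS; bogus only if no DS can be checked
    if digest != ds.digest:
        return "bogus"           # supported digest, wrong value: the child key is not delegated
    return "secure"


def demo():
    owner = "example."
    pubkey = bytes(range(64))    # constructed placeholder; a real ECDSA P-256 key is also 64 bytes
    rdata = dnskey_rdata(257, 3, 13, pubkey)   # flags 257 = ZONE|SEP (a KSK), algorithm 13 = ECDSAP256SHA256
    good = DS(key_tag(rdata), 13, 2, ds_digest(owner, rdata, 2))
    # A substituted key whose key tag still matches: swap two bytes at even offsets, the checksum is order-blind.
    swapped = bytearray(rdata)
    swapped[4], swapped[6] = swapped[6], swapped[4]
    swapped = bytes(swapped)
    unsupported = DS(good.key_tag, 13, 99, good.digest)   # digest type 99 is not in the registry
    other_key = DS(good.key_tag ^ 1, 13, 2, good.digest)  # DS for some other key of the zone
    return (verify_ds(owner, rdata, good),
            verify_ds(owner, swapped, good),
            verify_ds(owner, rdata, unsupported),
            verify_ds(owner, rdata, other_key))


if __name__ == "__main__":
    print(demo())   # ('secure', 'bogus', 'unsupported', 'no-match')
```

The swapped-key case is why the key tag must never be used as the binding: it is a checksum for selecting candidates, and only the digest over owner name plus full RDATA ties the child key to the parent.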

Example 2 with AlgorithmNotSupportedReason

Use of org.minidns.dnssec.UnverifiedReason.AlgorithmNotSupportedReason in project minidns by MiniDNS.

Class Verifier, method verifyNsec3: checks whether an NSEC3 record either matches the queried name (and then denies the queried type) or covers its hash (and then denies the name).

// NSEC3 authenticated denial, RFC 5155 sections 5 and 8. Returns null when the record
// proves the negative answer, otherwise an UnverifiedReason saying why it does not.
public UnverifiedReason verifyNsec3(DNSName zone, Record<? extends Data> nsec3record, Question q) {
    NSEC3 nsec3 = (NSEC3) nsec3record.payloadData;
    DigestCalculator digestCalculator = algorithmMap.getNsecDigestCalculator(nsec3.hashAlgorithm);
    if (digestCalculator == null) {
        // Unknown hash algorithm: reported as unverified, not as a failure.
        return new AlgorithmNotSupportedReason(nsec3.hashAlgorithmByte, nsec3.getType(), nsec3record);
    }
    // H(query name in wire format | salt), re-hashed with the salt `iterations` more times,
    // then encoded the way NSEC3 owner labels are (base32hex, RFC 5155 section 5).
    byte[] bytes = nsec3hash(digestCalculator, nsec3.salt, q.name.getBytes(), nsec3.iterations);
    String s = Base32.encodeToString(bytes);
    DNSName computedNsec3Record = DNSName.from(s + "." + zone);
    if (nsec3record.name.equals(computedNsec3Record)) {
        // The queried name exists. The record only denies the queried type if that type
        // is absent from its type bitmap.
        for (TYPE type : nsec3.types) {
            if (type.equals(q.type)) {
                return new NSECDoesNotMatchReason(q, nsec3record);
            }
        }
        return null;
    }
    // Otherwise the hash must fall between the record's owner hash and its next hashed owner,
    // which proves that no name in the zone hashes to it.
    if (nsecMatches(s, nsec3record.name.getHostpart(), Base32.encodeToString(nsec3.nextHashed))) {
        return null;
    }
    return new NSECDoesNotMatchReason(q, nsec3record);
}
Also used :
NSEC3(org.minidns.record.NSEC3)
AlgorithmNotSupportedReason(org.minidns.dnssec.UnverifiedReason.AlgorithmNotSupportedReason)
NSECDoesNotMatchReason(org.minidns.dnssec.UnverifiedReason.NSECDoesNotMatchReason)
DNSName(org.minidns.dnsname.DNSName)
TYPE(org.minidns.record.Record.TYPE)
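The NSEC3 matching logic, as an added example in Python (not minidns code and not part of the snippet above): the RFC 5155 section 5 hash (SHA-1 over the canonical wire-form name and salt, re-hashed `iterations` times, base32hex output), the owner-match and cover checks the snippet performs, and a check against the RFC 5155 Appendix A vector for `example.` (salt aabbccdd, 12 iterations). It also applies an iteration cap, which the snippet does not: RFC 9276 recommends zero iterations and allows validators to treat records above a limit as insecure instead of spending CPU on them. The zone contents, the cap value, and the names nsec3_hash / verify_nsec3 / nsec3_covers / base32hex are constructed for the example.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional

SHA1 = 1             # the only NSEC3 hash algorithm registered (RFC 5155 section 11)
MAX_ITERATIONS = 100  # cap chosen for the example; RFC 9276 recommends zone operators use 0


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """RFC 4648 base32hex (alphabet 0-9a-v); string order equals byte order, which the cover check relies on."""
    std = base64.b32encode(data).decode("ascii")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).lower().rstrip("=")


def nsec3_hash(name: str, salt: bytes, iterations: int, hash_algorithm: int = SHA1) -> Optional[str]:
    """RFC 5155 section 5: IH(0) = H(name | salt), IH(k) = H(IH(k-1) | salt). None if not computable."""
    if hash_algorithm != SHA1 or iterations > MAX_ITERATIONS:
        return None
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


@dataclass
class NSEC3:
    owner_hash: str    # hashed label of the owner name, base32hex lowercase
    next_hash: str     # "next hashed owner name" field, same encoding
    types: List[str]   # decoded type bitmap


def nsec3_covers(rr: NSEC3, h: str) -> bool:
    """True if h lies strictly inside (owner, next); the last record of the chain wraps to the first."""
    if rr.owner_hash < rr.next_hash:
        return rr.owner_hash < h < rr.next_hash
    return h > rr.owner_hash or h < rr.next_hash


def verify_nsec3(rr: NSEC3, qname: str, qtype: str, salt: bytes, iterations: int,
                 hash_algorithm: int = SHA1) -> str:
    """Same decisions as the Verifier.verifyNsec3 snippet, as outcome strings."""
    h = nsec3_hash(qname, salt, iterations, hash_algorithm)
    if h is None:
        return "unsupported"      # cannot judge; proves nothing either way
    if h == rr.owner_hash:
        # The name exists. The record denies qtype only if the bitmap lacks it.
        return "type-present" if qtype in rr.types else "no-data"
    if nsec3_covers(rr, h):
        return "name-absent"      # hash falls in the gap: no such name in the zone
    return "does-not-match"


def demo():
    salt, iters = bytes.fromhex("aabbccdd"), 12   # RFC 5155 Appendix A parameters
    # Constructed zone of three names, chained in hash order with wrap-around.
    owners = sorted(nsec3_hash(n, salt, iters) for n in ["example.", "a.example.", "x.w.example."])
    chain = [NSEC3(owners[i], owners[(i + 1) % len(owners)], ["A", "RRSIG"]) for i in range(len(owners))]
    absent = [verify_nsec3(rr, "b.example.", "A", salt, iters) for rr in chain]
    a_rr = next(rr for rr in chain if rr.owner_hash == nsec3_hash("a.example.", salt, iters))
    return (absent.count("name-absent"),                           # exactly one record covers a missing name
            absent.count("does-not-match"),
            verify_nsec3(a_rr, "A.EXAMPLE.", "MX", salt, iters),   # owner match is case-insensitive
            verify_nsec3(a_rr, "a.example.", "A", salt, iters),
            verify_nsec3(a_rr, "a.example.", "A", salt, 2500))     # above the iteration cap


if __name__ == "__main__":
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))   # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print(demo())   # (1, 2, 'no-data', 'type-present', 'unsupported')
```

Two details matter for a validator: the owner-match comparison must be case-insensitive on both the name (canonical form before hashing) and the base32hex label, and a cover check that ignores the wrap-around case silently rejects every proof that lands after the last record of the chain.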

Aggregations

AlgorithmNotSupportedReason (org.minidns.dnssec.UnverifiedReason.AlgorithmNotSupportedReason): 2 uses
IOException (java.io.IOException): 1 use
DNSName (org.minidns.dnsname.DNSName): 1 use
AlgorithmExceptionThrownReason (org.minidns.dnssec.UnverifiedReason.AlgorithmExceptionThrownReason): 1 use
NSECDoesNotMatchReason (org.minidns.dnssec.UnverifiedReason.NSECDoesNotMatchReason): 1 use
DNSKEY (org.minidns.record.DNSKEY): 1 use
NSEC3 (org.minidns.record.NSEC3): 1 use
TYPE (org.minidns.record.Record.TYPE): 1 use