Use of org.minidns.dnssec.UnverifiedReason.NoActiveSignaturesReason in the MiniDNS project (minidns):
class DNSSECClient, method verifySignatures.
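/**
 * Verifies the RRSIG records contained in {@code toBeVerified} against the records in
 * {@code reference} and reports why any of them could not be verified.
 *
 * <p>RRSIGs whose validity window (inception..expiration) does not contain the current
 * time are set aside. If no RRSIG is currently valid, the result carries a
 * {@link NoActiveSignaturesReason} listing the out-of-date ones (or a
 * {@link NoSignaturesReason} when there were no RRSIGs at all) and the method returns
 * before touching {@code toBeVerified}. Otherwise every valid RRSIG is checked against the
 * reference records it covers (same owner name and covered type). Covered records whose
 * signer passes {@code isParentOrSelf} for the owner name, and the RRSIG records
 * themselves, are removed from {@code toBeVerified}; what remains afterwards is still
 * unverified. Cross-signed records (signer rejected by {@code isParentOrSelf}) are only
 * logged and stay in {@code toBeVerified}. DNSKEY records covered by an RRSIG whose signer
 * is the queried name are never marked verified here; instead the result records that a
 * SEP signature is required and whether one matching the RRSIG's key tag is present.
 *
 * @param q            the question the records answer; used for the unverified reasons
 *                     and to recognise a DNSKEY RRset signed by the queried name
 * @param reference    the records the signatures are verified against
 * @param toBeVerified the records still awaiting verification; modified in place
 * @return the collected unverified reasons plus the SEP signature flags
 * @throws IOException propagated from the underlying RRset verification
 */
private VerifySignaturesResult verifySignatures(Question q, Collection<Record<? extends Data>> reference, List<Record<? extends Data>> toBeVerified) throws IOException {
    // Sample the clock once so every RRSIG is checked against the same instant.
    final Date now = new Date();
    final List<RRSIG> outdatedRrSigs = new LinkedList<>();
    VerifySignaturesResult result = new VerifySignaturesResult();
    final List<Record<RRSIG>> rrsigs = new ArrayList<>(toBeVerified.size());
    for (Record<? extends Data> recordToBeVerified : toBeVerified) {
        Record<RRSIG> record = recordToBeVerified.ifPossibleAs(RRSIG.class);
        if (record == null) {
            continue;
        }
        RRSIG rrsig = record.payloadData;
        if (rrsig.signatureExpiration.compareTo(now) < 0 || rrsig.signatureInception.compareTo(now) > 0) {
            // This RRSIG is out of date, but there might be one that is not.
            outdatedRrSigs.add(rrsig);
            continue;
        }
        rrsigs.add(record);
    }
    if (rrsigs.isEmpty()) {
        if (!outdatedRrSigs.isEmpty()) {
            result.reasons.add(new NoActiveSignaturesReason(q, outdatedRrSigs));
        } else {
            result.reasons.add(new NoSignaturesReason(q));
        }
        return result;
    }
    for (Record<RRSIG> sigRecord : rrsigs) {
        RRSIG rrsig = sigRecord.payloadData;
        // Collect the RRset this signature covers: same owner name and the covered type.
        List<Record<? extends Data>> records = new ArrayList<>(reference.size());
        for (Record<? extends Data> record : reference) {
            if (record.type == rrsig.typeCovered && record.name.equals(sigRecord.name)) {
                records.add(record);
            }
        }
        Set<UnverifiedReason> reasons = verifySignedRecords(q, rrsig, records);
        result.reasons.addAll(reasons);
        if (q.name.equals(rrsig.signerName) && rrsig.typeCovered == TYPE.DNSKEY) {
            for (Iterator<Record<? extends Data>> iterator = records.iterator(); iterator.hasNext(); ) {
                Record<DNSKEY> dnsKeyRecord = iterator.next().ifPossibleAs(DNSKEY.class);
                // DNSKEYs are verified separately, so don't mark them verified now: drop the
                // record from the covered set before that set is removed from toBeVerified.
                iterator.remove();
                if (dnsKeyRecord == null) {
                    // Selected by type, but the payload is not a DNSKEY, so it carries no key
                    // tag; leave it unverified rather than failing with a NullPointerException.
                    continue;
                }
                if (dnsKeyRecord.payloadData.getKeyTag() == rrsig.keyTag) {
                    result.sepSignaturePresent = true;
                }
            }
            // DNSKEY's should be signed by a SEP
            result.sepSignatureRequired = true;
        }
        if (!isParentOrSelf(sigRecord.name.ace, rrsig.signerName.ace)) {
            // Cross-signed records are not removed, so they remain unverified for the caller.
            LOGGER.finer("Records at " + sigRecord.name + " are cross-signed with a key from " + rrsig.signerName);
        } else {
            toBeVerified.removeAll(records);
        }
        toBeVerified.remove(sigRecord);
    }
    return result;
}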