
Example 1 with NoSecureEntryPointReason

Usage of org.minidns.dnssec.UnverifiedReason.NoSecureEntryPointReason in the MiniDNS project (minidns).

From the class DNSSECClient, method verifyAnswer:

/**
 * Verifies the answer section of {@code dnsMessage}: first the RRSIG coverage of the
 * answer records (via {@code verifySignatures}), then every DNSKEY record as a candidate
 * secure entry point (SEP).
 * <p>
 * Returns the set of reasons the answer could not be verified; an empty set means the
 * answer verified. The returned set may be the very instance held in
 * {@code VerifySignaturesResult.reasons}, and it is mutated here.
 *
 * @param dnsMessage the response to verify; its first question is used as the verification
 *                   context (callers are expected to guarantee that one is present)
 * @return reasons the answer is unverified, empty when it verified
 * @throws IOException if verification needs to fetch further records and that fails
 * @throws DNSSECValidationFailedException if only a subset of the answer records is signed
 */
private Set<UnverifiedReason> verifyAnswer(DNSMessage dnsMessage) throws IOException {
    Question question = dnsMessage.questions.get(0);
    List<Record<? extends Data>> answers = dnsMessage.answerSection;
    List<Record<? extends Data>> pending = dnsMessage.copyAnswers();

    VerifySignaturesResult sigResult = verifySignatures(question, answers, pending);
    Set<UnverifiedReason> reasons = sigResult.reasons;
    // A signature failure is final; the SEP checks below are skipped entirely.
    if (!reasons.isEmpty()) {
        return reasons;
    }

    // Every DNSKEY is tried as a SEP; one verified SEP is enough. Failures are collected
    // on the side so they can be discarded when a different DNSKEY verifies.
    boolean anySepVerified = false;
    Set<UnverifiedReason> sepFailures = new HashSet<>();
    Iterator<Record<? extends Data>> it = pending.iterator();
    while (it.hasNext()) {
        Record<DNSKEY> dnskey = it.next().ifPossibleAs(DNSKEY.class);
        if (dnskey == null) {
            continue;
        }
        Set<UnverifiedReason> sepReasons = verifySecureEntryPoint(question, dnskey);
        if (sepReasons.isEmpty()) {
            anySepVerified = true;
        } else {
            sepFailures.addAll(sepReasons);
        }
        // Loop-invariant, but logged once per DNSKEY to keep the original trace output.
        if (!sigResult.sepSignaturePresent) {
            LOGGER.finer("SEP key is not self-signed.");
        }
        // DNSKEY records are consumed here regardless of the SEP outcome.
        it.remove();
    }

    // NOTE(review): SEP failures only surface when a SEP signature was present. If one is
    // neither present nor required, DNSKEYs that failed verifySecureEntryPoint are still
    // removed from `pending` above and their failure reasons are dropped.
    if (sigResult.sepSignaturePresent && !anySepVerified) {
        reasons.addAll(sepFailures);
    }
    if (sigResult.sepSignatureRequired && !sigResult.sepSignaturePresent) {
        reasons.add(new NoSecureEntryPointReason(question.name.ace));
    }

    // Anything still pending (presumably what verifySignatures could not cover -- its
    // handling of `pending` is not visible here) counts as unsigned. A partially signed
    // answer is rejected hard; a fully unsigned one is reported as a reason instead.
    if (!pending.isEmpty()) {
        if (pending.size() == answers.size()) {
            reasons.add(new NoSignaturesReason(question));
        } else {
            throw new DNSSECValidationFailedException(question, "Only some records are signed!");
        }
    }
    return reasons;
}
