
Example 1 with NoSignaturesReason

use of org.minidns.dnssec.UnverifiedReason.NoSignaturesReason in project minidns by MiniDNS.

From class DNSSECClient, method verifyAnswer.

/**
 * Validates the answer section of {@code dnsMessage} against its RRSIG and DNSKEY records.
 *
 * <p>The first question of the message is taken as the query under validation. RRSIGs are
 * checked first via {@link #verifySignatures}; any reason reported there short-circuits the
 * result. The DNSKEY records still in the to-be-verified list are then each tried as a secure
 * entry point (SEP) — one valid SEP suffices. Whatever is left in that list afterwards is
 * treated as unsigned.
 *
 * @param dnsMessage the response whose answer section is being validated
 * @return the reasons the answer could not be verified; empty if it verified completely
 * @throws IOException propagated from the signature and SEP verification steps
 * @throws DNSSECValidationFailedException if only a subset of the answer records is signed
 */
private Set<UnverifiedReason> verifyAnswer(DNSMessage dnsMessage) throws IOException {
    Question question = dnsMessage.questions.get(0);
    List<Record<? extends Data>> answerRecords = dnsMessage.answerSection;
    List<Record<? extends Data>> unverified = dnsMessage.copyAnswers();

    VerifySignaturesResult sigResult = verifySignatures(question, answerRecords, unverified);
    // Same Set instance as sigResult.reasons; everything added below lands in it.
    Set<UnverifiedReason> reasons = sigResult.reasons;
    if (!reasons.isEmpty()) {
        return reasons;
    }

    // SEP failures are collected apart from the main result: a single valid SEP is enough,
    // so failures of the other DNSKEYs only matter if none of them validated.
    boolean anySepValid = false;
    Set<UnverifiedReason> sepReasons = new HashSet<>();
    Iterator<Record<? extends Data>> it = unverified.iterator();
    while (it.hasNext()) {
        Record<DNSKEY> keyRecord = it.next().ifPossibleAs(DNSKEY.class);
        if (keyRecord == null) {
            continue;
        }
        // Every DNSKEY is tried as a SEP; one success makes the key set trustworthy.
        Set<UnverifiedReason> keyReasons = verifySecureEntryPoint(question, keyRecord);
        if (keyReasons.isEmpty()) {
            anySepValid = true;
        } else {
            sepReasons.addAll(keyReasons);
        }
        if (!sigResult.sepSignaturePresent) {
            LOGGER.finer("SEP key is not self-signed.");
        }
        // DNSKEYs are accounted for here, so they must not be reported as "unsigned" below.
        it.remove();
    }

    if (sigResult.sepSignaturePresent && !anySepValid) {
        reasons.addAll(sepReasons);
    }
    if (sigResult.sepSignatureRequired && !sigResult.sepSignaturePresent) {
        reasons.add(new NoSecureEntryPointReason(question.name.ace));
    }
    // NOTE(review): when no SEP signature is present and none is required, sepReasons is
    // dropped while the DNSKEYs above still count as handled — confirm this is intended.

    if (!unverified.isEmpty()) {
        if (unverified.size() != answerRecords.size()) {
            // A partially signed answer is a hard failure rather than merely "unverified":
            // signed and unsigned records are not accepted side by side in one answer.
            throw new DNSSECValidationFailedException(question, "Only some records are signed!");
        }
        reasons.add(new NoSignaturesReason(question));
    }
    return reasons;
}

Example 2 with NoSignaturesReason

use of org.minidns.dnssec.UnverifiedReason.NoSignaturesReason in project minidns by MiniDNS.

From class DNSSECClient, method verifySignatures.

/**
 * Checks the RRSIG records in {@code toBeVerified} against the records in {@code reference}.
 *
 * <p>RRSIGs whose validity window does not contain the current local time are set aside as
 * outdated. Each remaining RRSIG is matched to the records of its covered type and owner
 * name, which are passed to {@link #verifySignedRecords}. The covered records are then
 * removed from {@code toBeVerified} when the signer is the owner or one of its parents
 * (regardless of whether verification added reasons); cross-signed records remain in it.
 * DNSKEY records signed by the queried zone itself are never removed here — the caller
 * validates them as secure entry points — but their key tags decide
 * {@code sepSignaturePresent}.
 *
 * @param q            the question being validated
 * @param reference    the full set of records the signatures may cover
 * @param toBeVerified records not yet verified; covered records and consumed RRSIGs are
 *                     removed from this list in place
 * @return the collected reasons plus the SEP bookkeeping flags
 * @throws IOException propagated from record verification
 */
private VerifySignaturesResult verifySignatures(Question q, Collection<Record<? extends Data>> reference, List<Record<? extends Data>> toBeVerified) throws IOException {
    // Validity is judged against the local clock, so clock skew affects which RRSIGs are accepted.
    final Date now = new Date();
    final List<RRSIG> expiredOrNotYetValid = new ArrayList<>();
    final List<Record<RRSIG>> activeSigs = new ArrayList<>(toBeVerified.size());
    VerifySignaturesResult result = new VerifySignaturesResult();

    for (Record<? extends Data> candidate : toBeVerified) {
        Record<RRSIG> sigRecord = candidate.ifPossibleAs(RRSIG.class);
        if (sigRecord == null) {
            continue;
        }
        RRSIG sig = sigRecord.payloadData;
        boolean expired = sig.signatureExpiration.compareTo(now) < 0;
        boolean notYetValid = sig.signatureInception.compareTo(now) > 0;
        if (expired || notYetValid) {
            // Set aside rather than discarded: reported only if no active RRSIG remains.
            expiredOrNotYetValid.add(sig);
        } else {
            activeSigs.add(sigRecord);
        }
    }

    if (activeSigs.isEmpty()) {
        result.reasons.add(expiredOrNotYetValid.isEmpty()
                ? new NoSignaturesReason(q)
                : new NoActiveSignaturesReason(q, expiredOrNotYetValid));
        return result;
    }

    for (Record<RRSIG> sigRecord : activeSigs) {
        RRSIG sig = sigRecord.payloadData;
        // The records this RRSIG claims to cover: same owner name and the covered type.
        List<Record<? extends Data>> covered = new ArrayList<>(reference);
        covered.removeIf(r -> r.type != sig.typeCovered || !r.name.equals(sigRecord.name));

        result.reasons.addAll(verifySignedRecords(q, sig, covered));

        if (q.name.equals(sig.signerName) && sig.typeCovered == TYPE.DNSKEY) {
            // The zone's own DNSKEY RRset: look for the key that produced this signature.
            for (Record<? extends Data> keyCandidate : covered) {
                // NOTE(review): assumed non-null because covered was filtered on TYPE.DNSKEY.
                DNSKEY dnskey = keyCandidate.ifPossibleAs(DNSKEY.class).payloadData;
                if (dnskey.getKeyTag() == sig.keyTag) {
                    result.sepSignaturePresent = true;
                }
            }
            // DNSKEYs are validated separately as SEPs by the caller, so they are not
            // marked verified here (and stay in toBeVerified).
            covered.clear();
            result.sepSignatureRequired = true;
        }

        if (isParentOrSelf(sigRecord.name.ace, sig.signerName.ace)) {
            toBeVerified.removeAll(covered);
        } else {
            // Cross-signed: the signing key belongs to an unrelated zone, so these records
            // are left in toBeVerified.
            LOGGER.finer("Records at " + sigRecord.name + " are cross-signed with a key from " + sig.signerName);
        }
        toBeVerified.remove(sigRecord);
    }
    return result;
}
