
Example 6 with RRSIG

use of org.minidns.record.RRSIG in project minidns by MiniDNS.

the class DNSSECClient method verifySignatures.

/**
 * Verifies the RRSIG records contained in {@code toBeVerified} against the matching records of
 * {@code reference} and collects the reasons for which verification did not succeed.
 *
 * <p>Only RRSIGs whose validity window contains the current time are used. The current time is
 * taken from the local system clock ({@code new Date()}), so a wrong local clock makes valid
 * signatures look outdated, or expired signatures look current.
 *
 * <p>Side effects on {@code toBeVerified}: every RRSIG that was used is removed from it. The
 * records that RRSIG covers are removed as well when the signer name is the owner name or a
 * parent of it, whatever {@code verifySignedRecords} returned. A failed check is therefore
 * visible only through {@code reasons} of the returned result, which callers presumably have to
 * inspect before treating the removed records as verified (confirm against the caller). Records
 * signed by a name that is neither parent nor self, and DNSKEY records of the zone named in
 * the question, stay in the list.
 *
 * @param q the question being answered; used for the reasons and to recognise the zone's DNSKEY set
 * @param reference the records in which the data covered by each RRSIG is looked up
 * @param toBeVerified the records still awaiting verification, including the RRSIGs; modified in place
 * @return the collected reasons plus the SEP flags for a DNSKEY set of the questioned name
 * @throws IOException propagated from the helpers this method calls
 */
private VerifySignaturesResult verifySignatures(Question q, Collection<Record<? extends Data>> reference, List<Record<? extends Data>> toBeVerified) throws IOException {
    final Date currentTime = new Date();
    final List<RRSIG> staleSignatures = new LinkedList<>();
    VerifySignaturesResult outcome = new VerifySignaturesResult();
    final List<Record<RRSIG>> activeSignatures = new ArrayList<>(toBeVerified.size());

    // Pass 1: split the RRSIGs into those inside their validity window and those outside it.
    for (Record<? extends Data> candidate : toBeVerified) {
        Record<RRSIG> signatureCandidate = candidate.ifPossibleAs(RRSIG.class);
        if (signatureCandidate != null) {
            RRSIG signature = signatureCandidate.payloadData;
            if (signature.signatureExpiration.compareTo(currentTime) >= 0
                    && signature.signatureInception.compareTo(currentTime) <= 0) {
                activeSignatures.add(signatureCandidate);
            } else {
                // Outside the validity window; another RRSIG for the same data may still be usable.
                staleSignatures.add(signature);
            }
        }
    }

    // Nothing usable: report whether signatures were absent or merely out of date.
    if (activeSignatures.isEmpty()) {
        if (staleSignatures.isEmpty()) {
            outcome.reasons.add(new NoSignaturesReason(q));
        } else {
            outcome.reasons.add(new NoActiveSignaturesReason(q, staleSignatures));
        }
        return outcome;
    }

    // Pass 2: check each usable RRSIG against the record set it covers.
    for (Record<RRSIG> signatureRecord : activeSignatures) {
        RRSIG signature = signatureRecord.payloadData;

        // The covered set is every reference record with the RRSIG's owner name and covered type.
        List<Record<? extends Data>> covered = new ArrayList<>(reference.size());
        for (Record<? extends Data> referenceRecord : reference) {
            if (referenceRecord.type != signature.typeCovered || !referenceRecord.name.equals(signatureRecord.name)) {
                continue;
            }
            covered.add(referenceRecord);
        }

        outcome.reasons.addAll(verifySignedRecords(q, signature, covered));

        if (q.name.equals(signature.signerName) && signature.typeCovered == TYPE.DNSKEY) {
            for (Record<? extends Data> keyCandidate : covered) {
                // The type filter above means this conversion should never yield null;
                // if it did, the dereference would throw a NullPointerException.
                DNSKEY dnskey = keyCandidate.ifPossibleAs(DNSKEY.class).payloadData;
                // Only the key tag is compared here; whether that key is trusted is not decided
                // in this method.
                if (dnskey.getKeyTag() == signature.keyTag) {
                    outcome.sepSignaturePresent = true;
                }
            }
            // DNSKEYs are verified separately, so they must not be dropped from toBeVerified below.
            covered.clear();
            // DNSKEY's should be signed by a SEP
            outcome.sepSignatureRequired = true;
        }

        if (isParentOrSelf(signatureRecord.name.ace, signature.signerName.ace)) {
            toBeVerified.removeAll(covered);
        } else {
            // Signer is neither the owner name nor a parent of it: the covered records stay in
            // toBeVerified and the situation is only logged.
            LOGGER.finer("Records at " + signatureRecord.name + " are cross-signed with a key from " + signature.signerName);
        }
        toBeVerified.remove(signatureRecord);
    }
    return outcome;
}
Also used : ArrayList(java.util.ArrayList) Data(org.minidns.record.Data) NoActiveSignaturesReason(org.minidns.dnssec.UnverifiedReason.NoActiveSignaturesReason) DNSKEY(org.minidns.record.DNSKEY) Date(java.util.Date) LinkedList(java.util.LinkedList) NoSignaturesReason(org.minidns.dnssec.UnverifiedReason.NoSignaturesReason) Record(org.minidns.record.Record) RRSIG(org.minidns.record.RRSIG)
