Search in sources :

Example 6 with CNAMERecord

use of org.xbill.DNS.CNAMERecord in project nhin-d by DirectProject.

the class DNSCertificateStore method lookupDNS.

protected Collection<X509Certificate> lookupDNS(String name) {
    String domain;
    String lookupName = name.replace('@', '.');
    Collection<X509Certificate> retVal = new ArrayList<X509Certificate>();
    // get the domain of the address
    int index;
    if ((index = name.indexOf("@")) > -1)
        domain = name.substring(index + 1);
    else
        domain = name;
    try {
        // try the configured servers first
        Lookup lu = new Lookup(new Name(lookupName), Type.CERT);
        // default retries is 3, limite to 2
        lu.setResolver(createExResolver(servers.toArray(new String[servers.size()]), retries, timeout));
        lu.setSearchPath((String[]) null);
        Record[] retRecords = null;
        try {
            retRecords = lu.run();
        } catch (Exception e) {
            LOGGER.warn("Error using recusive DNS CERT lookup for name " + lookupName + "\r\nFalling back to looking up NS record for a targeted search", e);
        }
        if (retRecords == null || retRecords.length == 0) {
            Name tempDomain;
            // try to find the resource's name server records
            // the address may be an alias so check if there is a CNAME record
            lu = new Lookup(new Name(lookupName), Type.CNAME);
            lu.setResolver(createExResolver(servers.toArray(new String[servers.size()]), retries, timeout));
            lu.setSearchPath((String[]) null);
            retRecords = lu.run();
            if (retRecords != null && retRecords.length > 0) {
                CNAMERecord cnameRect = (CNAMERecord) retRecords[0];
                tempDomain = cnameRect.getTarget();
            } else
                // not a CNAME						
                tempDomain = new Name(domain);
            // look for a name server records
            while (tempDomain.labels() > 1) {
                lu = new Lookup(tempDomain, Type.NS);
                lu.setResolver(createExResolver(servers.toArray(new String[servers.size()]), retries, timeout));
                lu.setSearchPath((String[]) null);
                retRecords = lu.run();
                if (retRecords != null && retRecords.length > 0)
                    break;
                tempDomain = new Name(tempDomain.toString().substring((tempDomain.toString().indexOf(".") + 1)));
            }
            if (retRecords == null || retRecords.length == 0)
                // can't find a name server... bail
                return retVal;
            String[] remoteServers = new String[retRecords.length];
            for (int i = 0; i < remoteServers.length - 0; ++i) {
                remoteServers[i] = ((NSRecord) retRecords[i]).getTarget().toString();
            }
            // search the name servers for the cert
            lu = new Lookup(new Name(lookupName), Type.CERT);
            ExtendedResolver remoteResolver = createExResolver(remoteServers, 2, 3);
            if (remoteResolver.getResolvers().length > 0) {
                lu.setResolver(remoteResolver);
                lu.setSearchPath((String[]) null);
                // CLEAR THE CACHE!!!  We are seeing instances where an NXRRSET is cached because
                // a DNS provider is trying to handle a request that it should be delegating
                // The purpose of bypassing the DNS provider and going directly to the NS server
                // is to avoid issues like this
                /*
					 * Change of heart on clearing the DNS cache.  Covering up the NXRRSET hides potential issues
					 * with incorrect DNS configuration.  It is important that NXRRSET issues are discovered and corrected
					 * so all participants in the community participate in a consistent manner.
					 */
                //lu.setCache(new Cache(DClass.IN));
                retRecords = lu.run();
            } else {
                // null out NS records
                retRecords = null;
            }
        }
        if (retRecords != null) {
            retVal = new ArrayList<X509Certificate>();
            for (Record rec : retRecords) {
                if (rec instanceof CERTRecord) {
                    CERTRecord certRec = (CERTRecord) rec;
                    switch(certRec.getCertType()) {
                        case CERTRecord.PKIX:
                            {
                                Certificate certToAdd = convertPKIXRecordToCert(certRec);
                                if (// may not be an X509Cert
                                certToAdd != null && certToAdd instanceof X509Certificate)
                                    retVal.add((X509Certificate) certToAdd);
                                break;
                            }
                        case CERTRecord.URI:
                            {
                                Certificate certToAdd = convertIPKIXRecordToCert(certRec);
                                if (// may not be an X509Cert
                                certToAdd != null && certToAdd instanceof X509Certificate)
                                    retVal.add((X509Certificate) certToAdd);
                                break;
                            }
                        default:
                            {
                                LOGGER.warn("Unknown CERT type " + certRec.getCertType() + " encountered for lookup name" + lookupName);
                            }
                    }
                }
            }
        } else if (// if this is an email address, do the search again and the host level
        domain.length() < name.length())
            retVal = lookupDNS(domain);
    } catch (Exception e) {
        e.printStackTrace();
        throw new NHINDException("", e);
    }
    // add or update the local cert store
    if (retVal != null && retVal.size() > 0 && localStoreDelegate != null) {
        for (X509Certificate cert : retVal) {
            if (localStoreDelegate != null) {
                if (localStoreDelegate.contains(cert))
                    localStoreDelegate.update(cert);
                else
                    localStoreDelegate.add(cert);
            }
        }
        try {
            if (cache != null)
                cache.put(name, retVal);
        } catch (CacheException e) {
        /*
				 * TODO: handle exception
				 */
        }
    }
    return retVal;
}
Also used : ExtendedResolver(org.xbill.DNS.ExtendedResolver) CacheException(org.apache.jcs.access.exception.CacheException) ArrayList(java.util.ArrayList) NHINDException(org.nhindirect.stagent.NHINDException) X509Certificate(java.security.cert.X509Certificate) CacheException(org.apache.jcs.access.exception.CacheException) NHINDException(org.nhindirect.stagent.NHINDException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) MalformedURLException(java.net.MalformedURLException) UnknownHostException(java.net.UnknownHostException) Name(org.xbill.DNS.Name) CNAMERecord(org.xbill.DNS.CNAMERecord) CERTRecord(org.xbill.DNS.CERTRecord) Lookup(org.xbill.DNS.Lookup) CNAMERecord(org.xbill.DNS.CNAMERecord) CERTRecord(org.xbill.DNS.CERTRecord) NSRecord(org.xbill.DNS.NSRecord) Record(org.xbill.DNS.Record) NSRecord(org.xbill.DNS.NSRecord) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Aggregations

CNAMERecord (org.xbill.DNS.CNAMERecord)6 ArrayList (java.util.ArrayList)5 NSRecord (org.xbill.DNS.NSRecord)5 ARecord (org.xbill.DNS.ARecord)4 MXRecord (org.xbill.DNS.MXRecord)4 Name (org.xbill.DNS.Name)4 X509Certificate (java.security.cert.X509Certificate)3 CERTRecord (org.xbill.DNS.CERTRecord)3 Record (org.xbill.DNS.Record)3 IOException (java.io.IOException)2 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)2 CertificateEncodingException (javax.security.cert.CertificateEncodingException)2 ServiceException (org.nhindirect.common.rest.exceptions.ServiceException)2 Certificate (org.nhindirect.config.model.Certificate)2 DNSRecord (org.nhindirect.config.model.DNSRecord)2 DNSEntryForm (org.nhindirect.config.ui.form.DNSEntryForm)2 AAAARecord (org.xbill.DNS.AAAARecord)2 Message (org.xbill.DNS.Message)2 RRset (org.xbill.DNS.RRset)2 SOARecord (org.xbill.DNS.SOARecord)2