// Copyright (c) 1999-2004 Brian Wellington (bwelling@xbill.org)
* Constants and functions relating to DNSSEC (algorithm constants).
* DNSSEC provides authentication for DNS information. RRsets are
* signed by an appropriate key, and a SIG record is added to the set.
* A KEY record is obtained from DNS and used to validate the signature.
* The KEY record must also be validated or implicitly trusted - to
* validate a key requires a series of validations leading to a trusted
* key. The key must also be authorized to sign the data.
* @author Brian Wellington
public static class Algorithm {
private Algorithm() {}
/** RSA/MD5 public key (deprecated) */
public static final int RSAMD5 = 1;
/** Diffie-Hellman key */
public static final int DH = 2;
public static final int DSA = 3;
/** Elliptic Curve key */
public static final int ECC = 4;
/** RSA/SHA1 public key */
public static final int RSASHA1 = 5;
/** Indirect keys; the actual key is elsewhere. */
public static final int INDIRECT = 252;
/** Private algorithm, specified by domain name */
public static final int PRIVATEDNS = 253;
/** Private algorithm, specified by OID */
public static final int PRIVATEOID = 254;
private static Mnemonic algs = new Mnemonic("DNSSEC algorithm",
algs.setMaximum(0xFF);
algs.setNumericAllowed(true);
algs.add(RSAMD5, "RSAMD5");
algs.add(RSASHA1, "RSASHA1");
algs.add(INDIRECT, "INDIRECT");
algs.add(PRIVATEDNS, "PRIVATEDNS");
algs.add(PRIVATEOID, "PRIVATEOID");
* Converts an algorithm code into its textual representation.
return algs.getText(alg);
* Converts a textual representation of an algorithm into its numeric
* code. Integers in the range 0..255 are also accepted.
* @param s The textual representation of the algorithm
* @return The algorithm code, or -1 on error.
return algs.getValue(s);
public static final int RSAMD5 = Algorithm.RSAMD5;
public static final int RSA = Algorithm.RSAMD5;
public static final int DH = Algorithm.DH;
public static final int DSA = Algorithm.DSA;
public static final int RSASHA1 = Algorithm.RSASHA1;
public static final int Failed = -1;
public static final int Insecure = 0;
public static final int Secure = 1;
digestSIG(DNSOutput out, SIGBase sig) {
out.writeU16(sig.getTypeCovered());
out.writeU8(sig.getAlgorithm());
out.writeU8(sig.getLabels());
out.writeU32(sig.getOrigTTL());
out.writeU32(sig.getExpire().getTime() / 1000);
out.writeU32(sig.getTimeSigned().getTime() / 1000);
out.writeU16(sig.getFootprint());
sig.getSigner().toWireCanonical(out);
* Creates a byte array containing the concatenation of the fields of the
* SIG record and the RRsets to be signed/verified. This does not perform
* a cryptographic digest.
* @param sig The SIG record used to sign/verify the rrset.
* @param rrset The data to be signed/verified.
* @return The data to be cryptographically signed or verified.
public static byte []
digestRRset(RRSIGRecord sig, RRset rrset) {
DNSOutput out = new DNSOutput();
int size = rrset.size();
Record [] records = new Record[size];
Iterator it = rrset.rrs();
Name name = rrset.getName();
int sigLabels = sig.getLabels() + 1; // Add the root label back.
if (name.labels() > sigLabels)
wild = name.wild(name.labels() - sigLabels);
while (it.hasNext()) {
Record rec = (Record) it.next();
rec = rec.withName(wild);
records[--size] = rec;
Arrays.sort(records);
for (int i = 0; i < records.length; i++)
out.writeByteArray(records[i].toWireCanonical());
return out.toByteArray();
* Creates a byte array containing the concatenation of the fields of the
* SIG record and the message to be signed/verified. This does not perform
* a cryptographic digest.
* @param sig The SIG record used to sign/verify the rrset.
* @param msg The message to be signed/verified.
* @param previous If this is a response, the signature from the query.
* @return The data to be cryptographically signed or verified.
public static byte []
digestMessage(SIGRecord sig, Message msg, byte [] previous) {
DNSOutput out = new DNSOutput();
if (previous != null)
out.writeByteArray(previous);
return out.toByteArray();