Java 类org.xbill.DNS.DNSSEC.Algorithm 实例源码

项目:dnsjava    文件:DNSSECSIG0Test.java   
/**
 * Round-trips a SIG(0)-signed dynamic update: the message is signed with a freshly
 * generated RSA key, serialised, parsed back from wire format and then verified against
 * the KEY record that carries the matching public key.
 *
 * @throws Exception if key generation, signing, parsing or verification fails
 */
public void testSIG0() throws Exception {
    Name zone = new Name("sig0.invalid.");
    Name host = new Name("sometext.sig0.invalid.");

    // Throw-away key pair. The generator is never initialised with an explicit size, so the
    // modulus length is whatever the JCA provider defaults to.
    KeyPair generated = KeyPairGenerator.getInstance("RSA").generateKeyPair();
    PrivateKey signingKey = generated.getPrivate();
    PublicKey verificationKey = generated.getPublic();

    // NOTE(review): RSASHA1 is a SHA-1 based algorithm; it is fine for a round-trip test
    // but is discouraged for new signing deployments (see RFC 8624) - confirm whether the
    // test should also cover RSASHA256.
    KEYRecord signerKey = new KEYRecord(zone, DClass.IN, 0,
            KEYRecord.Flags.HOST,
            KEYRecord.Protocol.DNSSEC,
            DNSSEC.Algorithm.RSASHA1,
            verificationKey);

    Update update = new Update(zone);
    update.add(new TXTRecord(host, DClass.IN, 0, "Hello World!"));

    SIG0.signMessage(update, signerKey, signingKey, null);

    // Verify what a receiver would see: the message rebuilt from its wire encoding.
    // There is no explicit assertion; the test presumably relies on verifyMessage
    // throwing when the signature does not validate - confirm against SIG0.
    Message received = new Message(update.toWire());
    SIG0.verifyMessage(received, received.toWire(), signerKey, null);
}
项目:dnssecjava    文件:ValUtils.java   
/**
 * Tells whether this validator accepts the given DNSSEC signing algorithm.
 *
 * <p>This is an allow-list: RSAMD5 is rejected explicitly, and every identifier that is
 * not named below (unknown or newer algorithm numbers included) is reported as unsupported.
 *
 * @param alg The DNSSEC algorithm identifier to check.
 * @return True when the algorithm is supported, false otherwise.
 */
static boolean isAlgorithmSupported(int alg) {
    if (alg == Algorithm.RSAMD5) {
        // obsoleted by rfc6944
        return false;
    }

    // NOTE(review): DSA and the SHA-1 based entries are still accepted here; later guidance
    // (RFC 8624) discourages several of them - confirm the list matches current policy.
    return alg == Algorithm.DSA
        || alg == Algorithm.DSA_NSEC3_SHA1
        || alg == Algorithm.RSASHA1
        || alg == Algorithm.RSA_NSEC3_SHA1
        || alg == Algorithm.RSASHA256
        || alg == Algorithm.RSASHA512
        || alg == Algorithm.ECDSAP256SHA256
        || alg == Algorithm.ECDSAP384SHA384;
}
项目:dnssecjava    文件:TestInvalid.java   
/**
 * Checks that an answer whose RRSIG carries bogus signature bytes is rejected: the
 * resolver must answer SERVFAIL, must not set the AD flag, and must report a
 * "failed.answer.positive" reason for the queried name.
 *
 * @throws IOException if building the message or sending the query fails
 */
@Test
public void testModifiedSignature() throws IOException {
    Name owner = Name.fromString("www.ingotronic.ch.");

    // Forged response: the answer RRset is accompanied by an RRSIG that cannot verify.
    Message forged = new Message();
    forged.addRecord(Record.newRecord(owner, Type.A, DClass.IN), Section.QUESTION);

    // NOTE(review): Type.A is passed where a class and DClass.IN where a TTL would be
    // expected, if ARecord takes (name, dclass, ttl, address) - confirm the argument order.
    ARecord address = new ARecord(owner, Type.A, DClass.IN, InetAddress.getByName(localhost));
    forged.addRecord(address, Section.ANSWER);

    // The validity window brackets "now" (signed 5 s ago, expires in 5 s), so the record
    // is not rejected for its timestamps; only the three placeholder signature bytes are wrong.
    Date expires = new Date(System.currentTimeMillis() + 5000);
    Date signedAt = new Date(System.currentTimeMillis() - 5000);
    Name signer = Name.fromString("ingotronic.ch.");
    byte[] bogusSignature = new byte[] { 1, 2, 3 };
    RRSIGRecord rrsig = new RRSIGRecord(owner, DClass.IN, 0, Type.A, Algorithm.RSASHA256, 5,
            expires, signedAt, 1234, signer, bogusSignature);
    forged.addRecord(rrsig, Section.ANSWER);
    add("www.ingotronic.ch./A", forged);

    Message response = resolver.send(createMessage("www.ingotronic.ch./A"));

    boolean authenticated = response.getHeader().getFlag(Flags.AD);
    assertFalse("AD flag must not be set", authenticated);
    assertEquals(Rcode.SERVFAIL, response.getRcode());

    String reason = getReason(response);
    assertTrue(reason.startsWith("failed.answer.positive:{ www.ingotronic.ch."));
}
项目:dnssecjava    文件:TestAlgorithmSupport.java   
/**
 * Configures a digest preference of "4" and offers a DS RRset that only contains SHA1 and
 * SHA256 digests; the private {@code favoriteDSDigestID} helper is expected to return 0.
 *
 * @throws Exception if the reflective call into {@code ValUtils} fails
 */
@AlwaysOffline
@Test
public void testFavoriteDigestNotInRRset() throws Exception {
    // Preferred digest id 4 does not occur in the RRset built below.
    Properties settings = new Properties();
    settings.setProperty("org.jitsi.dnssec.digest_preference", "4");

    ValUtils utils = new ValUtils();
    utils.init(settings);

    byte[] sha1Digest = new byte[] { 1, 2, 3 };
    byte[] sha256Digest = new byte[] { 1, 2, 3 };
    SRRset dsSet = new SRRset();
    dsSet.addRR(new DSRecord(Name.root, DClass.IN, 120, 1234, Algorithm.DSA, Digest.SHA1, sha1Digest));
    dsSet.addRR(new DSRecord(Name.root, DClass.IN, 120, 1234, Algorithm.DSA, Digest.SHA256, sha256Digest));

    // favoriteDSDigestID is not public, hence the Whitebox call.
    int chosen = Whitebox.invokeMethod(utils, "favoriteDSDigestID", dsSet);
    assertEquals(0, chosen);
}
项目:dnssecjava    文件:TestAlgorithmSupport.java   
/**
 * Offers a DS RRset whose only record uses digest id 3 (GOST) to an unconfigured
 * {@code ValUtils}; the private {@code favoriteDSDigestID} helper is expected to return 0.
 *
 * @throws Exception if the reflective call into {@code ValUtils} fails
 */
@AlwaysOffline
@Test
public void testOnlyUnsupportedDigestInRRset() throws Exception {
    ValUtils utils = new ValUtils();

    byte[] digest = new byte[] { 1, 2, 3 };
    DSRecord gostOnly = new DSRecord(Name.root, DClass.IN, 120, 1234, Algorithm.DSA, 3 /*GOST*/, digest);
    SRRset dsSet = new SRRset();
    dsSet.addRR(gostOnly);

    // favoriteDSDigestID is not public, hence the Whitebox call.
    int chosen = Whitebox.invokeMethod(utils, "favoriteDSDigestID", dsSet);
    assertEquals(0, chosen);
}
项目:dnssecjava    文件:NSEC3ValUtils.java   
/**
 * Checks the NSEC3 iteration count against the limit configured for the size of every
 * DNSKEY of the signer. Capping the count bounds the hashing work a response can demand
 * from the validator.
 *
 * @param nsec The NSEC3 RRset; the iteration count is read from its first record.
 * @param keyCache Cache used to look up the signer's DNSKEY RRset.
 * @return False if a key uses RSAMD5 or an unlisted algorithm, if the iteration count
 *         exceeds the limit for any key, or if a public key cannot be obtained; true
 *         otherwise.
 */
private boolean validIterations(SRRset nsec, KeyCache keyCache) {
    // NOTE(review): the lookup result is dereferenced without a null check - confirm that
    // callers only get here after the signer's keys have been cached.
    SRRset signerKeys = keyCache.find(nsec.getSignerName(), nsec.getDClass()).getRRset();

    // The limit is derived only from the algorithm and size of the keys that may have
    // signed the NSEC3 RRsets.
    try {
        Iterator<?> it = signerKeys.rrs();
        while (it.hasNext()) {
            DNSKEYRecord key = (DNSKEYRecord)it.next();

            int bits;
            switch (key.getAlgorithm()) {
                case Algorithm.RSAMD5:
                    // obsoleted by rfc6944
                    return false;

                case Algorithm.RSASHA1:
                case Algorithm.RSASHA256:
                case Algorithm.RSASHA512:
                case Algorithm.RSA_NSEC3_SHA1:
                    // RSA: size of the modulus
                    bits = ((RSAPublicKey)key.getPublicKey()).getModulus().bitLength();
                    break;

                case Algorithm.DSA:
                case Algorithm.DSA_NSEC3_SHA1:
                    // DSA: size of the prime p
                    bits = ((DSAPublicKey)key.getPublicKey()).getParams().getP().bitLength();
                    break;

                case Algorithm.ECDSAP256SHA256:
                case Algorithm.ECDSAP384SHA384:
                    // ECDSA: size of the curve's underlying field
                    bits = ((ECPublicKey)key.getPublicKey()).getParams().getCurve().getField().getFieldSize();
                    break;

                default:
                    // unlisted algorithm: no limit can be derived, so reject
                    return false;
            }

            // Largest configured key size that does not exceed this key; a key smaller
            // than every configured size falls back to the smallest configured entry.
            Integer bucket = this.maxIterations.floorKey(bits);
            if (bucket == null) {
                bucket = this.maxIterations.firstKey();
            }

            Integer allowed = this.maxIterations.get(bucket);
            if (((NSEC3Record)nsec.first()).getIterations() > allowed) {
                return false;
            }
        }

        // NOTE(review): an empty DNSKEY RRset also ends up here, i.e. the iteration count
        // is then accepted unchecked - confirm that this cannot happen.
        return true;
    }
    catch (DNSSECException e) {
        // NOTE(review): the key is read from a DNSKEY record, not from the NSEC3 record
        // the message names.
        logger.error("Could not get public key from NSEC3 record", e);
        return false;
    }
}
项目:dnssecjava    文件:RplParser.java   
/**
 * Creates a parser over the given stream and records the name of every public field of
 * {@code Algorithm} so that these names can be recognised later.
 *
 * @param data The stream to parse; it is stored, not read, by the constructor.
 */
public RplParser(InputStream data) {
    this.data = data;

    // getFields() yields the public fields, which is where Algorithm keeps its constants.
    Field[] algorithmConstants = Algorithm.class.getFields();
    for (int idx = 0; idx < algorithmConstants.length; idx++) {
        this.algoStrings.add(algorithmConstants[idx].getName());
    }
}
项目:dnssecjava    文件:RplParser.java   
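/**
 * Parses one line of master-file text into a record.
 *
 * <p>Two input quirks are handled:
 * <ul>
 * <li>DSA RRSIG signatures longer than 41 bytes are taken to be DER encoded and are
 * converted to the DNS wire format before the record is returned.</li>
 * <li>If parsing fails with "expected an integer", tokens that match an {@code Algorithm}
 * constant name are replaced by their numeric value and the line is parsed again.</li>
 * </ul>
 *
 * @param line The textual record.
 * @return The parsed record.
 * @throws IOException if the line cannot be parsed, including the case where the
 *         "expected an integer" failure cannot be repaired by substituting a mnemonic.
 */
private Record parseRecord(String line) throws IOException {
    try {
        // NOTE(review): getBytes() uses the platform default charset; harmless for
        // ASCII-only input, worth pinning if the input can contain other characters.
        Master ma = new Master(new ByteArrayInputStream(line.getBytes()), null, 3600);
        Record r = ma.nextRecord();
        if (r.getType() == Type.RRSIG) {
            RRSIGRecord rr = (RRSIGRecord)r;
            // unbound directly uses the DER format for DSA signatures
            // instead of the format specified in rfc2536#section-3
            if (rr.getAlgorithm() == Algorithm.DSA && rr.getSignature().length > 41) {
                // Reflection into non-public dnsjava members: this is tied to the library's
                // internals and needs setAccessible to be permitted at runtime.
                Method DSASignaturetoDNS = DNSSEC.class.getDeclaredMethod("DSASignaturetoDNS", byte[].class, int.class);
                DSASignaturetoDNS.setAccessible(true);
                byte[] signature = (byte[])DSASignaturetoDNS.invoke(null, rr.getSignature(), 0);
                RRSIGRecord fixed = new RRSIGRecord(rr.getName(), rr.getDClass(), rr.getTTL(), rr.getTypeCovered(), rr.getAlgorithm(), rr.getOrigTTL(),
                        rr.getExpire(), rr.getTimeSigned(), rr.getFootprint(), rr.getSigner(), signature);
                // Carry the original label count over to the rebuilt record.
                Field f = getField(RRSIGRecord.class, "labels");
                f.setAccessible(true);
                f.set(fixed, rr.getLabels());
                r = fixed;
            }
        }

        return r;
    }
    catch (Exception ex) {
        String message = ex.getMessage();
        if (message == null || !message.contains("expected an integer")) {
            throw new IOException(line, ex);
        }

        // Replace algorithm mnemonics by their numeric value and try once more.
        boolean replaced = false;
        StringBuilder sb = new StringBuilder();
        for (String token : line.split("\\s")) {
            if (this.algoStrings.contains(token)) {
                sb.append(Algorithm.value(token));
                replaced = true;
            }
            else {
                sb.append(token);
            }
            sb.append(' ');
        }

        // Without a substitution the retry would fail in exactly the same way and recurse
        // until the stack overflows, so a malformed line is reported instead.
        if (!replaced) {
            throw new IOException(line, ex);
        }

        return parseRecord(sb.toString());
    }
}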