Shuyi Chen | d7955ce | 2013-05-22 14:51:55 -0700 | [diff] [blame] | 1 | // Copyright (c) 2001-2004 Brian Wellington (bwelling@xbill.org) |
| 2 | |
| 3 | package org.xbill.DNS; |
| 4 | |
| 5 | import java.security.PrivateKey; |
| 6 | import java.util.Date; |
| 7 | |
| 8 | /** |
| 9 | * Creates SIG(0) transaction signatures. |
| 10 | * |
| 11 | * @author Pasi Eronen |
| 12 | * @author Brian Wellington |
| 13 | */ |
| 14 | |
| 15 | public class SIG0 { |
| 16 | |
| 17 | /** |
| 18 | * The default validity period for outgoing SIG(0) signed messages. |
| 19 | * Can be overriden by the sig0validity option. |
| 20 | */ |
| 21 | private static final short VALIDITY = 300; |
| 22 | |
| 23 | private |
| 24 | SIG0() { } |
| 25 | |
| 26 | /** |
| 27 | * Sign a message with SIG(0). The DNS key and private key must refer to the |
| 28 | * same underlying cryptographic key. |
| 29 | * @param message The message to be signed |
| 30 | * @param key The DNSKEY record to use as part of signing |
| 31 | * @param privkey The PrivateKey to use when signing |
| 32 | * @param previous If this message is a response, the SIG(0) from the query |
| 33 | */ |
| 34 | public static void |
| 35 | signMessage(Message message, KEYRecord key, PrivateKey privkey, |
| 36 | SIGRecord previous) throws DNSSEC.DNSSECException |
| 37 | { |
| 38 | |
| 39 | int validity = Options.intValue("sig0validity"); |
| 40 | if (validity < 0) |
| 41 | validity = VALIDITY; |
| 42 | |
| 43 | long now = System.currentTimeMillis(); |
| 44 | Date timeSigned = new Date(now); |
| 45 | Date timeExpires = new Date(now + validity * 1000); |
| 46 | |
| 47 | SIGRecord sig = DNSSEC.signMessage(message, previous, key, privkey, |
| 48 | timeSigned, timeExpires); |
| 49 | |
| 50 | message.addRecord(sig, Section.ADDITIONAL); |
| 51 | } |
| 52 | |
| 53 | /** |
| 54 | * Verify a message using SIG(0). |
| 55 | * @param message The message to be signed |
| 56 | * @param b An array containing the message in unparsed form. This is |
| 57 | * necessary since SIG(0) signs the message in wire format, and we can't |
| 58 | * recreate the exact wire format (with the same name compression). |
| 59 | * @param key The KEY record to verify the signature with. |
| 60 | * @param previous If this message is a response, the SIG(0) from the query |
| 61 | */ |
| 62 | public static void |
| 63 | verifyMessage(Message message, byte [] b, KEYRecord key, SIGRecord previous) |
| 64 | throws DNSSEC.DNSSECException |
| 65 | { |
| 66 | SIGRecord sig = null; |
| 67 | Record [] additional = message.getSectionArray(Section.ADDITIONAL); |
| 68 | for (int i = 0; i < additional.length; i++) { |
| 69 | if (additional[i].getType() != Type.SIG) |
| 70 | continue; |
| 71 | if (((SIGRecord) additional[i]).getTypeCovered() != 0) |
| 72 | continue; |
| 73 | sig = (SIGRecord) additional[i]; |
| 74 | break; |
| 75 | } |
| 76 | DNSSEC.verifyMessage(message, b, sig, previous, key); |
| 77 | } |
| 78 | |
| 79 | } |