      1 // Copyright (c) 2001-2004 Brian Wellington (bwelling (at) xbill.org)
      2 
      3 package org.xbill.DNS;
      4 
      5 import java.security.PrivateKey;
      6 import java.util.Date;
      7 
      8 /**
      9  * Creates SIG(0) transaction signatures.
     10  *
     11  * @author Pasi Eronen
     12  * @author Brian Wellington
     13  */
     14 
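public class SIG0 {

/**
 * The default validity period, in seconds, for outgoing SIG(0) signed
 * messages.  Can be overridden by the sig0validity option.
 */
private static final short VALIDITY = 300;

/** Utility class; not instantiable. */
private
SIG0() { }

/**
 * Sign a message with SIG(0). The DNS key and private key must refer to the
 * same underlying cryptographic key.  The resulting SIG(0) record is appended
 * to the ADDITIONAL section of the message.  The validity period (in seconds)
 * comes from the sig0validity option; any negative value (which is what an
 * unset option yields) falls back to the VALIDITY default.
 * @param message The message to be signed
 * @param key The DNSKEY record to use as part of signing
 * @param privkey The PrivateKey to use when signing
 * @param previous If this message is a response, the SIG(0) from the query
 * @throws DNSSEC.DNSSECException propagated from DNSSEC.signMessage
 */
public static void
signMessage(Message message, KEYRecord key, PrivateKey privkey,
	    SIGRecord previous) throws DNSSEC.DNSSECException
{
	int validity = Options.intValue("sig0validity");
	if (validity < 0)
		validity = VALIDITY;

	long now = System.currentTimeMillis();
	Date timeSigned = new Date(now);
	// Widen before multiplying: an int product overflows once the configured
	// validity exceeds roughly 24 days, which would place the expiry before
	// the signing time and make every such signature fail verification.
	Date timeExpires = new Date(now + validity * 1000L);

	SIGRecord sig = DNSSEC.signMessage(message, previous, key, privkey,
					   timeSigned, timeExpires);

	message.addRecord(sig, Section.ADDITIONAL);
}

/**
 * Verify a message using SIG(0).  The SIG(0) record is looked up in the
 * ADDITIONAL section as the first SIG record whose type covered is 0.
 * @param message The message to be verified
 * @param b An array containing the message in unparsed form.  This is
 * necessary since SIG(0) signs the message in wire format, and we can't
 * recreate the exact wire format (with the same name compression).
 * @param key The KEY record to verify the signature with.
 * @param previous If this message is a response, the SIG(0) from the query
 * @throws DNSSEC.DNSSECException propagated from DNSSEC.verifyMessage when
 * the message does not verify
 */
public static void
verifyMessage(Message message, byte [] b, KEYRecord key, SIGRecord previous)
	throws DNSSEC.DNSSECException
{
	SIGRecord sig = findSIG0(message);
	// When the message carries no SIG(0), sig is null and DNSSEC.verifyMessage
	// is relied upon to reject it rather than treat it as verified.
	// NOTE(review): confirm DNSSEC.verifyMessage fails closed on a null sig;
	// an unsigned message must never return normally from this call.
	DNSSEC.verifyMessage(message, b, sig, previous, key);
}

/**
 * Returns the first SIG(0) record (a SIG record with type covered 0) found
 * in the ADDITIONAL section of the message, or null if there is none.
 * @param message The message to search
 */
private static SIGRecord
findSIG0(Message message)
{
	Record [] additional = message.getSectionArray(Section.ADDITIONAL);
	for (int i = 0; i < additional.length; i++) {
		if (additional[i].getType() != Type.SIG)
			continue;
		SIGRecord candidate = (SIGRecord) additional[i];
		// A type covered of 0 is what distinguishes SIG(0) from an RRset SIG.
		if (candidate.getTypeCovered() == 0)
			return candidate;
	}
	return null;
}

}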