// Copyright (c) 2001-2004 Brian Wellington (bwelling@xbill.org)

package org.xbill.DNS;

import java.security.PrivateKey;
import java.util.Date;

/**
 * Creates SIG(0) transaction signatures.
 *
 * @author Pasi Eronen
 * @author Brian Wellington
 */

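public class SIG0 {

/**
 * The default validity period (in seconds) for outgoing SIG(0) signed
 * messages.  Can be overridden by the sig0validity option.
 */
private static final short VALIDITY = 300;

/** Utility class; not instantiable. */
private
SIG0() { }

/**
 * Sign a message with SIG(0). The DNS key and private key must refer to the
 * same underlying cryptographic key.  The generated SIG record is appended
 * to the message's ADDITIONAL section.
 * @param message The message to be signed
 * @param key The DNSKEY record to use as part of signing
 * @param privkey The PrivateKey to use when signing
 * @param previous If this message is a response, the SIG(0) from the query
 * @throws DNSSEC.DNSSECException If DNSSEC.signMessage cannot produce the
 * signature
 */
public static void
signMessage(Message message, KEYRecord key, PrivateKey privkey,
	    SIGRecord previous) throws DNSSEC.DNSSECException
{
	// A negative value (presumably what Options.intValue reports when
	// sig0validity is unset -- verify against Options) selects the
	// built-in default.
	int validity = Options.intValue("sig0validity");
	if (validity < 0)
		validity = VALIDITY;

	long now = System.currentTimeMillis();
	Date timeSigned = new Date(now);
	// Multiply as a long: "validity * 1000" evaluated in int arithmetic
	// silently overflows for validity periods above ~24 days, which
	// would yield an expiry time in the past.
	Date timeExpires = new Date(now + validity * 1000L);

	SIGRecord sig = DNSSEC.signMessage(message, previous, key, privkey,
					   timeSigned, timeExpires);

	message.addRecord(sig, Section.ADDITIONAL);
}

/**
 * Verify a message using SIG(0).
 * @param message The message to be verified
 * @param b An array containing the message in unparsed form.  This is
 * necessary since SIG(0) signs the message in wire format, and we can't
 * recreate the exact wire format (with the same name compression).
 * @param key The KEY record to verify the signature with.
 * @param previous If this message is a response, the SIG(0) from the query
 * @throws DNSSEC.DNSSECException If DNSSEC.verifyMessage rejects the message
 */
public static void
verifyMessage(Message message, byte [] b, KEYRecord key, SIGRecord previous)
	throws DNSSEC.DNSSECException
{
	SIGRecord sig = null;
	Record [] additional = message.getSectionArray(Section.ADDITIONAL);
	// A SIG(0) is a SIG record whose "type covered" field is 0; the
	// first such record in the ADDITIONAL section is the one verified.
	for (int i = 0; i < additional.length; i++) {
		if (additional[i].getType() != Type.SIG)
			continue;
		SIGRecord candidate = (SIGRecord) additional[i];
		if (candidate.getTypeCovered() != 0)
			continue;
		sig = candidate;
		break;
	}
	// NOTE(review): when the message carries no SIG(0), sig is null and
	// is handed to DNSSEC.verifyMessage unchanged; that method is relied
	// on to reject an unsigned message -- confirm it does not accept null.
	DNSSEC.verifyMessage(message, b, sig, previous, key);
}

}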