// Copyright (c) 2001-2004 Brian Wellington (bwelling@xbill.org)
package org.xbill.DNS;
import java.security.PrivateKey;
import java.util.Date;
/**
* Creates SIG(0) transaction signatures.
*
* @author Pasi Eronen
* @author Brian Wellington
*/
public class SIG0 {
/**
* The default validity period for outgoing SIG(0) signed messages.
* Can be overriden by the sig0validity option.
*/
private static final short VALIDITY = 300;
private
SIG0() { }
/**
* Sign a message with SIG(0). The DNS key and private key must refer to the
* same underlying cryptographic key.
* @param message The message to be signed
* @param key The DNSKEY record to use as part of signing
* @param privkey The PrivateKey to use when signing
* @param previous If this message is a response, the SIG(0) from the query
*/
public static void
signMessage(Message message, KEYRecord key, PrivateKey privkey,
SIGRecord previous) throws DNSSEC.DNSSECException
{
int validity = Options.intValue("sig0validity");
if (validity < 0)
validity = VALIDITY;
long now = System.currentTimeMillis();
Date timeSigned = new Date(now);
Date timeExpires = new Date(now + validity * 1000);
SIGRecord sig = DNSSEC.signMessage(message, previous, key, privkey,
timeSigned, timeExpires);
message.addRecord(sig, Section.ADDITIONAL);
}
/**
* Verify a message using SIG(0).
* @param message The message to be signed
* @param b An array containing the message in unparsed form. This is
* necessary since SIG(0) signs the message in wire format, and we can't
* recreate the exact wire format (with the same name compression).
* @param key The KEY record to verify the signature with.
* @param previous If this message is a response, the SIG(0) from the query
*/
public static void
verifyMessage(Message message, byte [] b, KEYRecord key, SIGRecord previous)
throws DNSSEC.DNSSECException
{
SIGRecord sig = null;
Record [] additional = message.getSectionArray(Section.ADDITIONAL);
for (int i = 0; i < additional.length; i++) {
if (additional[i].getType() != Type.SIG)
continue;
if (((SIGRecord) additional[i]).getTypeCovered() != 0)
continue;
sig = (SIGRecord) additional[i];
break;
}
DNSSEC.verifyMessage(message, b, sig, previous, key);
}
}