File: RRSIG.rb

#--
#Copyright 2007 Nominet UK
#
#Licensed under the Apache License, Version 2.0 (the "License");
#you may not use this file except in compliance with the License. 
#You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0 
#
#Unless required by applicable law or agreed to in writing, software 
#distributed under the License is distributed on an "AS IS" BASIS, 
#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
#See the License for the specific language governing permissions and 
#limitations under the License.
#++
module Dnsruby
  class RR
    # (RFC4034, section 3)
    #DNSSEC uses public key cryptography to sign and authenticate DNS
    #resource record sets (RRsets).  Digital signatures are stored in
    #RRSIG resource records and are used in the DNSSEC authentication
    #process described in [RFC4035].  A validator can use these RRSIG RRs
    #to authenticate RRsets from the zone.  The RRSIG RR MUST only be used
    #to carry verification material (digital signatures) used to secure
    #DNS operations.
    #
    #An RRSIG record contains the signature for an RRset with a particular
    #name, class, and type.  The RRSIG RR specifies a validity interval
    #for the signature and uses the Algorithm, the Signer's Name, and the
    #Key Tag to identify the DNSKEY RR containing the public key that a
    #validator can use to verify the signature.
    class RRSIG < RR
      # No fixed class value is declared for this record type (left nil)
      ClassValue = nil #:nodoc: all
      # Wire-format type code of this record (RRSIG)
      TypeValue = Types::RRSIG #:nodoc: all
      
      # 3.1.  RRSIG RDATA Wire Format
      #
      #   The RDATA for an RRSIG RR consists of a 2 octet Type Covered field, a
      #   1 octet Algorithm field, a 1 octet Labels field, a 4 octet Original
      #   TTL field, a 4 octet Signature Expiration field, a 4 octet Signature
      #   Inception field, a 2 octet Key tag, the Signer's Name field, and the
      #   Signature field.
      #
      #                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      #    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      #   |        Type Covered           |  Algorithm    |     Labels    |
      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      #   |                         Original TTL                          |
      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      #   |                      Signature Expiration                     |
      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      #   |                      Signature Inception                      |
      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      #   |            Key Tag            |                               /
      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+         Signer's Name         /
      #   /                                                               /
      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      #   /                                                               /
      #   /                            Signature                          /
      #   /                                                               /
      #   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+    

      #The type covered by this RRSIG (a Types value; assigned through
      #type_covered=, which raises DecodeError for an unknown type)
      attr_reader :type_covered
      #The algorithm used for this RRSIG (an Algorithms value; assigned through
      #algorithm=, which accepts a mnemonic or a numeric code and raises
      #DecodeError otherwise)
      #See Dnsruby::Algorithms for permitted values
      attr_reader :algorithm
      #The number of labels in the original RRSIG RR owner name
      #Can be used to determine if name was synthesised from a wildcard.
      #Plain accessor: no range check is applied here, and encode_rdata packs
      #the value into a single octet.
      attr_accessor :labels
      #The TTL of the covered RRSet as it appears in the authoritative zone
      #(4 octets on the wire)
      attr_accessor :original_ttl
      #The signature expiration, as an Integer number of seconds since the
      #epoch (RRSIG.get_time gives the accepted text forms). Plain accessor:
      #nothing in this class checks it against the inception or the clock.
      attr_accessor :expiration
      #The signature inception, as seconds since the epoch (see expiration)
      attr_accessor :inception
      #The key tag value of the DNSKEY RR that validates this signature.
      #Two octets on the wire; it narrows down which DNSKEY to try, it does
      #not by itself identify the signing key.
      attr_accessor :key_tag
      #identifies the owner name of the DNSKEY RR that a validator is 
      #supposed to use to validate this signature (a Name; assigned through
      #signers_name=, which raises DecodeError for an invalid name)
      attr_reader :signers_name

      #contains the cryptographic signature that covers
      #the RRSIG RDATA (excluding the Signature field) and the RRset
      #specified by the RRSIG owner name, RRSIG class, and RRSIG Type
      #Covered field
      #Held as raw bytes: from_string base64-decodes the text form,
      #decode_rdata reads it with get_bytes, and rdata_to_string re-encodes it.
      attr_accessor :signature
      
      # Fill a freshly built RRSIG with placeholder values: RSASHA1 over an
      # A RRset, a 3600s original TTL, inception and expiration both "now",
      # key tag and label count 0, the root as signer and a one-byte dummy
      # signature. These are placeholders, not a verifiable signature.
      # The signer name is set through signers_name= and so may raise
      # DecodeError (it will not for ".").
      def init_defaults
        @algorithm = Algorithms.RSASHA1
        @type_covered = Types::A
        @original_ttl = 3600
        @inception = Time.now.to_i
        @expiration = Time.now.to_i
        @key_tag = 0
        @labels = 0
        self.signers_name = "."
        @signature = "\0"
      end
      
      # Set the signing algorithm.
      # a:: an Algorithms value, an Integer code, or a String holding either a
      #     mnemonic (e.g. "RSASHA1") or a positive decimal code (converted to
      #     an Integer before lookup).
      # Raises DecodeError when Algorithms rejects the value.
      def algorithm=(a)
        value = a
        if value.instance_of?(String) && value.to_i > 0
          value = value.to_i
        end
        begin
          @algorithm = Algorithms.new(value)
        rescue ArgumentError => e
          raise DecodeError.new(e)
        end
      end
      
      # Set the covered RR type.
      # t:: anything Types.new accepts (a Types value, mnemonic or code).
      # Raises DecodeError when Types rejects the value.
      def type_covered=(t)
        @type_covered = Types.new(t)
      rescue ArgumentError => e
        raise DecodeError.new(e)
      end
      
      # Set the owner name of the validating DNSKEY.
      # s:: anything Name.create accepts (a Name or a domain name string).
      # Raises DecodeError when Name.create rejects the value.
      def signers_name=(s)
        @signers_name = Name.create(s)
      rescue ArgumentError => e
        raise DecodeError.new(e)
      end
      

      # Populate the record from a 9-element array in wire-field order
      # (the array decode_rdata builds): type covered, algorithm, labels,
      # original TTL, expiration, inception, key tag, signer's name, signature.
      # Only type covered, signer's name and algorithm go through their
      # validating setters (and may raise DecodeError); the remaining fields
      # are stored as given.
      def from_data(data) #:nodoc: all
        type_covered, algorithm, labels, original_ttl, expiration, inception,
          key_tag, signers_name, signature = data
        @labels = labels
        @original_ttl = original_ttl
        @key_tag = key_tag
        @signature = signature
        @expiration = expiration
        @inception = inception
        self.type_covered = type_covered
        self.signers_name = signers_name
        self.algorithm = algorithm
      end
      
      # Populate the record from its presentation (zone file) form:
      #   type alg labels orig_ttl expiration [(] inception key_tag signer sig... [)]
      # The base64 signature may be split over several whitespace-separated
      # tokens; a ';' starts a comment that discards the rest of the input.
      # Times are accepted as YYYYMMDDHHmmSS or epoch seconds (see get_time).
      # Numeric fields are read with String#to_i, so non-numeric text silently
      # becomes 0, and unpack("m*") skips characters outside the base64
      # alphabet rather than rejecting them. DecodeError is raised by the
      # setters for an unknown type, algorithm, bad time or bad signer name.
      # Does nothing for an empty input.
      def from_string(input)
        return unless input.length > 0
        fields = input.split(" ")
        self.type_covered = fields[0]
        self.algorithm = fields[1]
        self.labels = fields[2].to_i
        self.original_ttl = fields[3].to_i
        self.expiration = get_time(fields[4])
        # An opening bracket may follow the expiration; then the closing
        # bracket is the last token and is not part of the signature.
        next_field = 5
        last_field = fields.length - 1
        if fields[next_field] == "("
          next_field = 6
          last_field = fields.length - 2
        end
        self.inception = get_time(fields[next_field])
        self.key_tag = fields[next_field + 1].to_i
        self.signers_name = fields[next_field + 2]
        # Every remaining token up to last_field is signature text; stop at
        # the first ';' and keep only what precedes it in that token.
        # @TODO@ We lose the comments here - we should really keep them for when we write back to string format?
        encoded = ""
        (next_field + 3).upto(last_field) do |i|
          token = fields[i]
          comment_at = token.index(";")
          if comment_at
            encoded << token[0, comment_at]
            break
          end
          encoded << token
        end
        # Strip any newlines/spaces before decoding (same as gsub-ing both out)
        encoded.delete!("\n ")
        #self.signature=Base64.decode64(buf)
        self.signature = encoded.unpack("m*").first
      end

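      # Parse an RRSIG inception/expiration field into epoch seconds.
      #
      # input:: an Integer (returned unchanged) or a String in one of the two
      #         forms allowed by RFC 4034 section 3.2: one to ten decimal digits
      #         of seconds since 1 January 1970 00:00:00 UTC, or exactly
      #         fourteen digits YYYYMMDDHHmmSS in UTC.
      # Returns the time as an Integer number of seconds since the epoch.
      # Raises DecodeError for anything else: a non-String/non-Integer value,
      # a wrong length, non-digit characters, or an impossible calendar value
      # (e.g. month 13) that Time.gm rejects.
      #
      # Values above 2**32-1 are not rejected here even though the field is a
      # 32-bit serial number (RFC 4034 section 3.1.5); encode_rdata packs the
      # field with "N", which would wrap such a value. Comparing these fields
      # against the current time is the caller's job, not this method's.
      def RRSIG.get_time(input)
        # Fixnum was removed in Ruby 3.2; any Integer is already epoch seconds
        # (e.g. when the record was built from wire data).
        return input if input.kind_of?(Integer)
        unless input.kind_of?(String)
          raise DecodeError.new("RRSIG : Illegal time value #{input.inspect} - see RFC 4034 section 3.2")
        end
        # RFC 4034, section 3.2
        #The Signature Expiration Time and Inception Time field values MUST be
        #   represented either as an unsigned decimal integer indicating seconds
        #   since 1 January 1970 00:00:00 UTC, or in the form YYYYMMDDHHmmSS in
        #   UTC, where:
        #
        #      YYYY is the year (0001-9999, but see Section 3.1.5);
        #      MM is the month number (01-12);
        #      DD is the day of the month (01-31);
        #      HH is the hour, in 24 hour notation (00-23);
        #      mm is the minute (00-59); and
        #      SS is the second (00-59).
        #
        #   Note that it is always possible to distinguish between these two
        #   formats because the YYYYMMDDHHmmSS format will always be exactly 14
        #   digits, while the decimal representation of a 32-bit unsigned integer
        #   can never be longer than 10 digits.
        if input =~ /\A\d{1,10}\z/
          # Decimal epoch seconds. The RFC bounds this form at ten digits but
          # does not require exactly ten: timestamps before 2001-09-09 have
          # nine or fewer, so a strict length-10 test would reject them.
          return input.to_i
        elsif (fields = input.match(/\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\z/))
          year, mon, day, hour, min, sec = fields.captures.map { |f| f.to_i }
          begin
            # @TODO@ REPLACE THIS BY LOCAL CODE - Time.gm DOG SLOW!
            return Time.gm(year, mon, day, hour, min, sec).to_i
          rescue ArgumentError => e
            # Out-of-range calendar values are reported like other bad input
            # rather than leaking a bare ArgumentError to the caller.
            raise DecodeError.new("RRSIG : Illegal time value #{input} - #{e.message} - see RFC 4034 section 3.2")
          end
        else
          raise DecodeError.new("RRSIG : Illegal time value #{input} - see RFC 4034 section 3.2")
        end
      end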
      
      # Instance-side convenience for RRSIG.get_time (used by from_string);
      # same arguments, return value and DecodeError behaviour.
      def get_time(input)
        RRSIG.get_time(input)
      end
      
      # Render epoch seconds as the RFC 4034 YYYYMMDDHHmmSS form, in UTC.
      # time:: Integer seconds since the epoch (anything Time.at accepts).
      def format_time(time)
        Time.at(time).utc.strftime("%Y%m%d%H%M%S")
      end
      
      # Presentation form of the RDATA, or "" when no type is set (the
      # record was never populated). The signature is written as a single
      # base64 token: pack("m*") inserts line breaks, which are removed.
      def rdata_to_string #:nodoc: all
        return "" if @type_covered.nil?
#          signature = Base64.encode64(@signature) # .gsub(/\n/, "")
        sig_text = [@signature].pack("m*").delete("\n")
        # @TODO@ Display the expiration and inception as 
        fields = [
          @type_covered.string, @algorithm.string, @labels, @original_ttl,
          format_time(@expiration), "(", format_time(@inception),
          @key_tag, @signers_name.to_s(true), sig_text, ")"
        ]
        fields.join(" ")
      end
      
      # Append this record's RDATA to msg in RFC 4034 section 3.1 wire order.
      # msg:: the message encoder (must respond to put_pack, put_name, put_bytes)
      # canonical:: passed through to put_name for the signer's name
      # Note that pack codes 'c' and 'n' keep only the low 8/16 bits, so
      # out-of-range algorithm, labels or key_tag values are silently
      # truncated here rather than rejected.
      def encode_rdata(msg, canonical=false) #:nodoc: all
        # 2 octets, then 2 sets of 1 octet
        msg.put_pack('ncc', @type_covered.to_i, @algorithm.to_i, @labels)
        # Original TTL, Signature Expiration, Signature Inception: 4 octets each
        msg.put_pack("NNN", @original_ttl, @expiration, @inception)
        # Key Tag: 2 octets
        msg.put_pack("n", @key_tag)
        # NOTE(review): the third argument (false) presumably disables name
        # compression for the signer's name - confirm against put_name
        msg.put_name(@signers_name, canonical, false)
        # Raw signature bytes; the length is implied by the RDLENGTH
        msg.put_bytes(@signature)
      end
      
      # Build an RRSIG from wire-format RDATA read off msg, in RFC 4034
      # section 3.1 field order. The resulting array is handed to from_data,
      # so only the type, algorithm and signer's name are validated there;
      # labels, TTL, times, key tag and the signature bytes are kept as read.
      def self.decode_rdata(msg) #:nodoc: all
        type_covered, algorithm, labels = msg.get_unpack('ncc')
        original_ttl, expiration, inception = msg.get_unpack('NNN')
        key_tag, = msg.get_unpack('n')
        signers_name = msg.get_name
        signature = msg.get_bytes
        fields = [type_covered, algorithm, labels, original_ttl, expiration,
                  inception, key_tag, signers_name, signature]
        new(fields)
      end
      
      # The RRSIG_RDATA input to signing/verification (RFC 4034):
      # the wire form of the RDATA fields with the Signer's Name in canonical
      # form and the Signature field left out. Same field order as
      # encode_rdata, but the name is always canonical and no signature bytes
      # are appended. Returns the encoded bytes as a String.
      def sig_data
        MessageEncoder.new { |msg|
          msg.put_pack('ncc', @type_covered.to_i, @algorithm.to_i, @labels)
          msg.put_pack("NNN", @original_ttl, @expiration, @inception)
          msg.put_pack("n", @key_tag)
          msg.put_name(@signers_name, true)
        }.to_s
      end
    end 
  end
end