/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 *
 */

package org.apache.directory.server.dns.io.encoder;


/**
 * 4.1 SIG RDATA Format
 *
 * The RDATA portion of a SIG RR is as shown below.  The integrity of
 * the RDATA information is protected by the signature field.
 *
 *                         1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 *     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *    |        type covered           |  algorithm    |     labels    |
 *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *    |                         original TTL                          |
 *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *    |                      signature expiration                     |
 *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *    |                      signature inception                      |
 *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *    |            key  tag           |                               |
 *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+         signer's name         +
 *    |                                                               /
 *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
 *    /                                                               /
 *    /                            signature                          /
 *    /                                                               /
 *    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * 4.1.1 Type Covered Field
 *
 * The "type covered" is the type of the other RRs covered by this SIG.
 *
 * 4.1.2 Algorithm Number Field
 *
 * This octet is as described in section 3.2.
 *
 * 4.1.3 Labels Field
 *
 * The "labels" octet is an unsigned count of how many labels there are
 * in the original SIG RR owner name not counting the null label for
 * root and not counting any initial "*" for a wildcard.  If a secured
 * retrieval is the result of wild card substitution, it is necessary
 * for the resolver to use the original form of the name in verifying
 * the digital signature.  This field makes it easy to determine the
 * original form.
 *
 * If, on retrieval, the RR appears to have a longer name than indicated
 * by "labels", the resolver can tell it is the result of wildcard
 * substitution.  If the RR owner name appears to be shorter than the
 * labels count, the SIG RR must be considered corrupt and ignored.  The
 * maximum number of labels allowed in the current DNS is 127 but the
 * entire octet is reserved and would be required should DNS names ever
 * be expanded to 255 labels.  The following table gives some examples.
 * The value of "labels" is at the top, the retrieved owner name on the
 * left, and the table entry is the name to use in signature
 * verification except that "bad" means the RR is corrupt.
 *
 *        labels= |  0  |   1  |    2   |    3     |    4     |
 *        --------+-----+------+--------+----------+----------+
 *               .|  .  | bad  |  bad   |   bad    |   bad    |
 *              d.|  *. |  d.  |  bad   |   bad    |   bad    |
 *            c.d.|  *. | *.d. |  c.d.  |   bad    |   bad    |
 *          b.c.d.|  *. | *.d. | *.c.d. |  b.c.d.  |   bad    |
 *        a.b.c.d.|  *. | *.d. | *.c.d. | *.b.c.d. | a.b.c.d. |
 *
 * 4.1.4 Original TTL Field
 *
 * The "original TTL" field is included in the RDATA portion to avoid
 * (1) authentication problems that caching servers would otherwise
 * cause by decrementing the real TTL field and (2) security problems
 * that unscrupulous servers could otherwise cause by manipulating the
 * real TTL field.  This original TTL is protected by the signature
 * while the current TTL field is not.
 *
 * NOTE:  The "original TTL" must be restored into the covered RRs when
 * the signature is verified (see Section 8).  This generally implies
 * that all RRs for a particular type, name, and class, that is, all the
 * RRs in any particular RRset, must have the same TTL to start with.
 *
 * 4.1.5 Signature Expiration and Inception Fields
 *
 * The SIG is valid from the "signature inception" time until the
 * "signature expiration" time.  Both are unsigned numbers of seconds
 * since the start of 1 January 1970, GMT, ignoring leap seconds.  (See
 * also Section 4.4.)  Ring arithmetic is used as for DNS SOA serial
 * numbers [RFC 1982] which means that these times can never be more
 * than about 68 years in the past or the future.  This means that these
 * times are ambiguous modulo ~136.09 years.  However there is no
 * security flaw because keys are required to be changed to new random
 * keys by [RFC 2541] at least every five years.  This means that the
 * probability that the same key is in use N*136.09 years later should
 * be the same as the probability that a random guess will work.
 *
 * A SIG RR may have an expiration time numerically less than the
 * inception time if the expiration time is near the 32 bit wrap around
 * point and/or the signature is long lived.
 *
 * (To prevent misordering of network requests to update a zone
 * dynamically, monotonically increasing "signature inception" times may
 * be necessary.)
 *
 * A secure zone must be considered changed for SOA serial number
 * purposes not only when its data is updated but also when new SIG RRs
 * are inserted (ie, the zone or any part of it is re-signed).
 *
 * 4.1.6 Key Tag Field
 *
 * The "key Tag" is a two octet quantity that is used to efficiently
 * select between multiple keys which may be applicable and thus check
 * that a public key about to be used for the computationally expensive
 * effort to check the signature is possibly valid.  For algorithm 1
 * (MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two
 * octets of the public key modulus needed to decode the signature
 * field.  That is to say, the most significant 16 of the least
 * significant 24 bits of the modulus in network (big endian) order.  For
 * all other algorithms, including private algorithms, it is calculated
 * as a simple checksum of the KEY RR as described in Appendix C.
 *
 * 4.1.7 Signer's Name Field
 *
 * The "signer's name" field is the domain name of the signer generating
 * the SIG RR.  This is the owner name of the public KEY RR that can be
 * used to verify the signature.  It is frequently the zone which
 * contained the RRset being authenticated.  Which signers should be
 * authorized to sign what is a significant resolver policy question as
 * discussed in Section 6.  The signer's name may be compressed with
 * standard DNS name compression when being transmitted over the
 * network.
 *
 * 4.1.8 Signature Field
 *
 * The actual signature portion of the SIG RR binds the other RDATA
 * fields to the RRset of the "type covered" RRs with that owner name
 * and class.  This covered RRset is thereby authenticated.  To
 * accomplish this, a data sequence is constructed as follows:
 *
 *         data = RDATA | RR(s)...
 *
 * where "|" is concatenation,
 *
 * RDATA is the wire format of all the RDATA fields in the SIG RR itself
 * (including the canonical form of the signer's name) before but not
 * including the signature, and
 *
 * RR(s) is the RRset of the RR(s) of the type covered with the same
 * owner name and class as the SIG RR in canonical form and order as
 * defined in Section 8.
 *
 * How this data sequence is processed into the signature is algorithm
 * dependent.  These algorithm dependent formats and procedures are
 * described in separate documents (Section 3.2).
 *
 * SIGs SHOULD NOT be included in a zone for any "meta-type" such as
 * ANY, AXFR, etc. (but see section 5.6.2 with regard to IXFR).
 *
 * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
 */
public class SignatureRecordEncoder
{
}