1// Copyright (c) 2001-2004 Brian Wellington (bwelling@xbill.org)
2
3package org.xbill.DNS;
4
5import java.security.PrivateKey;
6import java.util.Date;
7
8/**
9 * Creates SIG(0) transaction signatures.
10 *
11 * @author Pasi Eronen
12 * @author Brian Wellington
13 */
14
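public class SIG0 {

/**
 * The default validity period, in seconds, for outgoing SIG(0) signed
 * messages.  Can be overridden by the sig0validity option.
 */
private static final short VALIDITY = 300;

private
SIG0() { }

/**
 * Sign a message with SIG(0). The DNS key and private key must refer to the
 * same underlying cryptographic key.  The signature's inception time is the
 * current system time; its expiration is that time plus the validity period
 * taken from the sig0validity option, or {@link #VALIDITY} seconds when the
 * option value is negative (presumably the "unset" case).  The resulting SIG
 * record is appended to the ADDITIONAL section of the message.
 * @param message The message to be signed
 * @param key The DNSKEY record to use as part of signing
 * @param privkey The PrivateKey to use when signing
 * @param previous If this message is a response, the SIG(0) from the query
 * @throws DNSSEC.DNSSECException If the signature cannot be generated
 */
public static void
signMessage(Message message, KEYRecord key, PrivateKey privkey,
	    SIGRecord previous) throws DNSSEC.DNSSECException
{
	int validity = Options.intValue("sig0validity");
	if (validity < 0)
		validity = VALIDITY;

	long now = System.currentTimeMillis();
	Date timeSigned = new Date(now);
	/*
	 * Scale to milliseconds in long arithmetic: an int multiplication
	 * overflows once sig0validity exceeds roughly 24 days, producing an
	 * expiration earlier than the inception time (an already-expired
	 * signature).
	 */
	Date timeExpires = new Date(now + validity * 1000L);

	SIGRecord sig = DNSSEC.signMessage(message, previous, key, privkey,
					   timeSigned, timeExpires);

	message.addRecord(sig, Section.ADDITIONAL);
}

/**
 * Verify a message using SIG(0).  The first SIG record in the ADDITIONAL
 * section whose type covered is 0 is taken as the SIG(0) signature; any
 * other SIG records in the section are ignored.
 * @param message The message to be verified
 * @param b An array containing the message in unparsed form.  This is
 * necessary since SIG(0) signs the message in wire format, and we can't
 * recreate the exact wire format (with the same name compression).
 * @param key The KEY record to verify the signature with.
 * @param previous If this message is a response, the SIG(0) from the query
 * @throws DNSSEC.DNSSECException If the signature is absent, invalid, or
 * cannot be verified with the given key
 */
public static void
verifyMessage(Message message, byte [] b, KEYRecord key, SIGRecord previous)
	throws DNSSEC.DNSSECException
{
	SIGRecord sig = findSIG0(message);
	/*
	 * sig is null when the message carries no SIG(0).  That case is handed
	 * to DNSSEC.verifyMessage unchanged, which is presumably where it is
	 * rejected -- confirm against DNSSEC.verifyMessage.
	 */
	DNSSEC.verifyMessage(message, b, sig, previous, key);
}

/**
 * Locate the SIG(0) record in the ADDITIONAL section of a message.
 * @param message The message to search
 * @return The first SIG record with a type covered of 0, or null if there
 * is none
 */
private static SIGRecord
findSIG0(Message message) {
	Record [] additional = message.getSectionArray(Section.ADDITIONAL);
	for (int i = 0; i < additional.length; i++) {
		if (additional[i].getType() != Type.SIG)
			continue;
		SIGRecord candidate = (SIGRecord) additional[i];
		if (candidate.getTypeCovered() == 0)
			return candidate;
	}
	return null;
}

}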
80