Add options to sign and verify DNSSEC messages at a given time

ibauersachs · ibauersachs · commit 8d79cb339b08 · 2019-10-27T16:56:59.000+01:00
diff --git a/src/main/java/org/xbill/DNS/DNSSEC.java b/src/main/java/org/xbill/DNS/DNSSEC.java
@@ -1178,7 +1178,7 @@ static SIGRecord signMessage(
   }
 
   static void verifyMessage(
-      Message message, byte[] bytes, SIGRecord sig, SIGRecord previous, KEYRecord key)
+      Message message, byte[] bytes, SIGRecord sig, SIGRecord previous, KEYRecord key, Instant now)
       throws DNSSECException {
     if (message.sig0start == 0) {
       throw new NoSignatureException();
@@ -1188,8 +1188,6 @@ static void verifyMessage(
       throw new KeyMismatchException(key, sig);
     }
 
-    Instant now = Instant.now();
-
     if (now.compareTo(sig.getExpire()) > 0) {
       throw new SignatureExpiredException(sig.getExpire(), now);
     }
diff --git a/src/main/java/org/xbill/DNS/SIG0.java b/src/main/java/org/xbill/DNS/SIG0.java
@@ -5,6 +5,7 @@
 import java.security.PrivateKey;
 import java.time.Duration;
 import java.time.Instant;
+import org.xbill.DNS.DNSSEC.DNSSECException;
 
 /**
  * Creates SIG(0) transaction signatures.
@@ -34,6 +35,22 @@ private SIG0() {}
   public static void signMessage(
       Message message, KEYRecord key, PrivateKey privkey, SIGRecord previous)
       throws DNSSEC.DNSSECException {
+    signMessage(message, key, privkey, previous, Instant.now());
+  }
+
+  /**
+   * Sign a message with SIG(0). The DNS key and private key must refer to the same underlying
+   * cryptographic key.
+   *
+   * @param message The message to be signed
+   * @param key The DNSKEY record to use as part of signing
+   * @param privkey The PrivateKey to use when signing
+   * @param previous If this message is a response, the SIG(0) from the query
+   * @param timeSigned The time instant when the message has been signed.
+   */
+  public static void signMessage(
+      Message message, KEYRecord key, PrivateKey privkey, SIGRecord previous, Instant timeSigned)
+      throws DNSSEC.DNSSECException {
 
     int validityOption = Options.intValue("sig0validity");
     Duration validity;
@@ -43,7 +60,6 @@ public static void signMessage(
       validity = Duration.ofSeconds(validityOption);
     }
 
-    Instant timeSigned = Instant.now();
     Instant timeExpires = timeSigned.plus(validity);
 
     SIGRecord sig = DNSSEC.signMessage(message, previous, key, privkey, timeSigned, timeExpires);
@@ -52,7 +68,7 @@ public static void signMessage(
   }
 
   /**
-   * Verify a message using SIG(0).
+   * Verify a message using SIG(0). Uses the current system clock for the date/time.
    *
    * @param message The message to be signed
    * @param b An array containing the message in unparsed form. This is necessary since SIG(0) signs
@@ -62,6 +78,23 @@ public static void signMessage(
    * @param previous If this message is a response, the SIG(0) from the query
    */
   public static void verifyMessage(Message message, byte[] b, KEYRecord key, SIGRecord previous)
+      throws DNSSECException {
+    verifyMessage(message, b, key, previous, Instant.now());
+  }
+
+  /**
+   * Verify a message using SIG(0).
+   *
+   * @param message The message to be signed
+   * @param b An array containing the message in unparsed form. This is necessary since SIG(0) signs
+   *     the message in wire format, and we can't recreate the exact wire format (with the same name
+   *     compression).
+   * @param key The KEY record to verify the signature with.
+   * @param previous If this message is a response, the SIG(0) from the query
+   * @param now the time instant to verify the message.
+   */
+  public static void verifyMessage(
+      Message message, byte[] b, KEYRecord key, SIGRecord previous, Instant now)
       throws DNSSEC.DNSSECException {
     SIGRecord sig = null;
     Record[] additional = message.getSectionArray(Section.ADDITIONAL);
@@ -75,6 +108,6 @@ public static void verifyMessage(Message message, byte[] b, KEYRecord key, SIGRe
       sig = (SIGRecord) record;
       break;
     }
-    DNSSEC.verifyMessage(message, b, sig, previous, key);
+    DNSSEC.verifyMessage(message, b, sig, previous, key, now);
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -1178,7 +1178,7 @@ static SIGRecord signMessage(`
`1178`	`1178`	`}`
`1179`	`1179`
`1180`	`1180`	`static void verifyMessage(`
`1181`		`- Message message, byte[] bytes, SIGRecord sig, SIGRecord previous, KEYRecord key)`
	`1181`	`+ Message message, byte[] bytes, SIGRecord sig, SIGRecord previous, KEYRecord key, Instant now)`
`1182`	`1182`	`throws DNSSECException {`
`1183`	`1183`	`if (message.sig0start == 0) {`
`1184`	`1184`	`throw new NoSignatureException();`
`@@ -1188,8 +1188,6 @@ static void verifyMessage(`
`1188`	`1188`	`throw new KeyMismatchException(key, sig);`
`1189`	`1189`	`}`
`1190`	`1190`
`1191`		`- Instant now = Instant.now();`
`1192`		`-`
`1193`	`1191`	`if (now.compareTo(sig.getExpire()) > 0) {`
`1194`	`1192`	`throw new SignatureExpiredException(sig.getExpire(), now);`
`1195`	`1193`	`}`