Class: Dnsruby::RR::RRSIG

Inherits:

Dnsruby::RR

• Object
• Dnsruby::RR
• Dnsruby::RR::RRSIG

Defined in:

lib/dnsruby/resource/RRSIG.rb

Overview

(RFC4034, section 3) DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets). Digital signatures are stored in RRSIG resource records and are used in the DNSSEC authentication process described in [RFC4035]. A validator can use these RRSIG RRs to authenticate RRsets from the zone. The RRSIG RR MUST only be used to carry verification material (digital signatures) used to secure DNS operations.

An RRSIG record contains the signature for an RRset with a particular name, class, and type. The RRSIG RR specifies a validity interval for the signature and uses the Algorithm, the Signer’s Name, and the Key Tag to identify the DNSKEY RR containing the public key that a validator can use to verify the signature.

Constant Summary

ClassValue =

:nodoc: all

nil

TypeValue =

:nodoc: all

Types::RRSIG

Constants inherited from Dnsruby::RR

ClassInsensitiveTypes

Instance Attribute Summary

• #algorithm ⇒ Object

  The algorithm used for this RRSIG See Dnsruby::Algorithms for permitted values.

• #expiration ⇒ Object

  The signature expiration.

• #inception ⇒ Object

  The signature inception.

• #key_tag ⇒ Object

  The key tag value of the DNSKEY RR that validates this signature.

• #labels ⇒ Object

  The number of labels in the original RRSIG RR owner name Can be used to determine if name was synthesised from a wildcard.

• #original_ttl ⇒ Object

  The TTL of the covered RRSet as it appears in the authoritative zone.

• #signature ⇒ Object

  contains the cryptographic signature that covers the RRSIG RDATA (excluding the Signature field) and the RRset specified by the RRSIG owner name, RRSIG class, and RRSIG Type Covered field.

• #signers_name ⇒ Object

  identifies the owner name of the DNSKEY RR that a validator is supposed to use to validate this signature.

• #type_covered ⇒ Object

  The type covered by this RRSIG.

Attributes inherited from Dnsruby::RR

#klass, #name, #rdata, #ttl, #type

Class Method Summary

• .decode_rdata(msg) ⇒ Object

  :nodoc: all.

• .get_time(input) ⇒ Object

Instance Method Summary

• #encode_rdata(msg, canonical = false) ⇒ Object

  :nodoc: all.

• #format_time(time) ⇒ Object
• #from_data(data) ⇒ Object

  :nodoc: all.

• #from_string(input) ⇒ Object
• #get_time(input) ⇒ Object
• #init_defaults ⇒ Object
• #rdata_to_string ⇒ Object

  :nodoc: all.

• #sig_data ⇒ Object

Methods inherited from Dnsruby::RR

#<=>, #==, #clone, create, #eql?, find_class, #from_hash, get_class, get_num, #hash, implemented_rrs, new_from_data, new_from_hash, new_from_string, #rdlength, #sameRRset, #to_s

Instance Attribute Details

#algorithm ⇒ Object

The algorithm used for this RRSIG See Dnsruby::Algorithms for permitted values

# File 'lib/dnsruby/resource/RRSIG.rb', line 68

def algorithm
  @algorithm
end

#expiration ⇒ Object

The signature expiration

# File 'lib/dnsruby/resource/RRSIG.rb', line 75

def expiration
  @expiration
end

#inception ⇒ Object

The signature inception

# File 'lib/dnsruby/resource/RRSIG.rb', line 77

def inception
  @inception
end

#key_tag ⇒ Object

The key tag value of the DNSKEY RR that validates this signature

# File 'lib/dnsruby/resource/RRSIG.rb', line 79

def key_tag
  @key_tag
end

#labels ⇒ Object

The number of labels in the original RRSIG RR owner name Can be used to determine if name was synthesised from a wildcard.

# File 'lib/dnsruby/resource/RRSIG.rb', line 71

def labels
  @labels
end

#original_ttl ⇒ Object

The TTL of the covered RRSet as it appears in the authoritative zone

# File 'lib/dnsruby/resource/RRSIG.rb', line 73

def original_ttl
  @original_ttl
end

#signature ⇒ Object

contains the cryptographic signature that covers the RRSIG RDATA (excluding the Signature field) and the RRset specified by the RRSIG owner name, RRSIG class, and RRSIG Type Covered field

# File 'lib/dnsruby/resource/RRSIG.rb', line 88

def signature
  @signature
end

#signers_name ⇒ Object

identifies the owner name of the DNSKEY RR that a validator is supposed to use to validate this signature

# File 'lib/dnsruby/resource/RRSIG.rb', line 82

def signers_name
  @signers_name
end

#type_covered ⇒ Object

The type covered by this RRSIG

# File 'lib/dnsruby/resource/RRSIG.rb', line 65

def type_covered
  @type_covered
end

Class Method Details

.decode_rdata(msg) ⇒ Object

:nodoc: all

# File 'lib/dnsruby/resource/RRSIG.rb', line 250

def self.decode_rdata(msg) #:nodoc: all
  type_covered, algorithm, labels = msg.get_unpack('ncc')
  original_ttl, expiration, inception = msg.get_unpack('NNN')
  key_tag, = msg.get_unpack('n')
  signers_name = msg.get_name
  signature  = msg.get_bytes
  return self.new(
    [type_covered, algorithm, labels, original_ttl, expiration,
      inception, key_tag, signers_name, signature])
end

.get_time(input) ⇒ Object

# File 'lib/dnsruby/resource/RRSIG.rb', line 183

def RRSIG.get_time(input)
  if input.kind_of?(Integer)
    return input
  end
  #  RFC 4034, section 3.2
  # The Signature Expiration Time and Inception Time field values MUST be
  #    represented either as an unsigned decimal integer indicating seconds
  #    since 1 January 1970 00:00:00 UTC, or in the form YYYYMMDDHHmmSS in
  #    UTC, where:
  # 
  #       YYYY is the year (0001-9999, but see Section 3.1.5);
  #       MM is the month number (01-12);
  #       DD is the day of the month (01-31);
  #       HH is the hour, in 24 hour notation (00-23);
  #       mm is the minute (00-59); and
  #       SS is the second (00-59).
  # 
  #    Note that it is always possible to distinguish between these two
  #    formats because the YYYYMMDDHHmmSS format will always be exactly 14
  #    digits, while the decimal representation of a 32-bit unsigned integer
  #    can never be longer than 10 digits.
  if (input.length == 10)
    return input.to_i
  elsif (input.length == 14)
    year = input[0,4]
    mon=input[4,2]
    day=input[6,2]
    hour=input[8,2]
    min=input[10,2]
    sec=input[12,2]
    #  @TODO@ REPLACE THIS BY LOCAL CODE - Time.gm DOG SLOW!
    return Time.gm(year, mon, day, hour, min, sec).to_i
  else
    raise DecodeError.new("RRSIG : Illegal time value #{input} - see RFC 4034 section 3.2")
  end
end

Instance Method Details

#encode_rdata(msg, canonical = false) ⇒ Object

:nodoc: all

# File 'lib/dnsruby/resource/RRSIG.rb', line 241

def encode_rdata(msg, canonical=false) #:nodoc: all
  #  2 octets, then 2 sets of 1 octet
  msg.put_pack('ncc', @type_covered.to_i, @algorithm.to_i, @labels)
  msg.put_pack("NNN", @original_ttl, @expiration, @inception)
  msg.put_pack("n", @key_tag)
  msg.put_name(@signers_name, canonical, false)
  msg.put_bytes(@signature)
end

#format_time(time) ⇒ Object

# File 'lib/dnsruby/resource/RRSIG.rb', line 224

def format_time(time)
  return Time.at(time).gmtime.strftime("%Y%m%d%H%M%S")
end

#from_data(data) ⇒ Object

:nodoc: all

# File 'lib/dnsruby/resource/RRSIG.rb', line 135

def from_data(data) #:nodoc: all
  type_covered, algorithm, @labels, @original_ttl, expiration, inception,
    @key_tag, signers_name, @signature = data
  @expiration = expiration
  @inception = inception
  self.type_covered=(type_covered)
  self.signers_name=(signers_name)
  self.algorithm=(algorithm)
end

#from_string(input) ⇒ Object

# File 'lib/dnsruby/resource/RRSIG.rb', line 145

def from_string(input)
  if (input.length > 0)
    data = input.split(" ")
    self.type_covered=(data[0])
    self.algorithm=(data[1])
    self.labels=data[2].to_i
    self.original_ttl=data[3].to_i
    self.expiration=get_time(data[4])
    #  Brackets may also be present
    index = 5
    end_index = data.length - 1
    if (data[index]=="(")
      index = 6
      end_index = data.length - 2
    end
    self.inception=get_time(data[index])
    self.key_tag=data[index+1].to_i
    self.signers_name=(data[index+2])
    #  signature can include whitespace - include all text
    #  until we come to " )" at the end, and then gsub
    #  the white space out
    buf=""
    (index+3..end_index).each {|i|
      if (comment_index = data[i].index(";"))
        buf += data[i].slice(0, comment_index)
        #  @TODO@ We lose the comments here - we should really keep them for when we write back to string format?
        break
      else
      buf += data[i]
      end
    }
    buf.gsub!(/\n/, "")
    buf.gsub!(/ /, "")
    # self.signature=Base64.decode64(buf)
    self.signature=buf.unpack("m*")[0]
  end
end

#get_time(input) ⇒ Object

# File 'lib/dnsruby/resource/RRSIG.rb', line 220

def get_time(input)
  return RRSIG.get_time(input)
end

#init_defaults ⇒ Object

# File 'lib/dnsruby/resource/RRSIG.rb', line 90

def init_defaults
  @algorithm=Algorithms.RSASHA1
  @type_covered = Types::A
  @original_ttl = 3600
  @inception = Time.now.to_i
  @expiration = Time.now.to_i
  @key_tag = 0
  @labels = 0
  self.signers_name="."
  @signature = "\0"
end

#rdata_to_string ⇒ Object

:nodoc: all

# File 'lib/dnsruby/resource/RRSIG.rb', line 228

def rdata_to_string #:nodoc: all
  if (@type_covered!=nil)
#          signature = Base64.encode64(@signature) # .gsub(/\n/, "")
    signature = [@signature].pack("m*").gsub(/\n/, "")
    #  @TODO@ Display the expiration and inception as
    return "#{@type_covered.string} #{@algorithm.string} #{@labels} #{@original_ttl} " +
      "#{format_time(@expiration)} ( #{format_time(@inception)} " +
      "#{@key_tag} #{@signers_name.to_s(true)} #{signature} )"
  else
    return ""
  end
end

#sig_data ⇒ Object

# File 'lib/dnsruby/resource/RRSIG.rb', line 261

def sig_data
  # RRSIG_RDATA is the wire format of the RRSIG RDATA fields
  # with the Signer's Name field in canonical form and
  # the Signature field excluded;
  data = MessageEncoder.new { |msg|
    msg.put_pack('ncc', @type_covered.to_i, @algorithm.to_i, @labels)
    msg.put_pack("NNN", @original_ttl, @expiration, @inception)
    msg.put_pack("n", @key_tag)
    msg.put_name(@signers_name, true)
  }.to_s
  return data
end