001    /*
002     *  Licensed to the Apache Software Foundation (ASF) under one
003     *  or more contributor license agreements.  See the NOTICE file
004     *  distributed with this work for additional information
005     *  regarding copyright ownership.  The ASF licenses this file
006     *  to you under the Apache License, Version 2.0 (the
007     *  "License"); you may not use this file except in compliance
008     *  with the License.  You may obtain a copy of the License at
009     *  
010     *    http://www.apache.org/licenses/LICENSE-2.0
011     *  
012     *  Unless required by applicable law or agreed to in writing,
013     *  software distributed under the License is distributed on an
014     *  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
015     *  KIND, either express or implied.  See the License for the
016     *  specific language governing permissions and limitations
017     *  under the License. 
018     *  
019     */
020    
021    package org.apache.directory.server.dns.io.encoder;
022    
023    
024    /**
025     * 4.1 SIG RDATA Format
026     * 
027     *    The RDATA portion of a SIG RR is as shown below.  The integrity of
028     *    the RDATA information is protected by the signature field.
029     * 
030     *                            1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
031     *        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
032     *       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
033     *       |        type covered           |  algorithm    |     labels    |
034     *       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
035     *       |                         original TTL                          |
036     *       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
037     *       |                      signature expiration                     |
038     *       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
039     *       |                      signature inception                      |
040     *       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
041     *       |            key  tag           |                               |
042     *       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+         signer's name         +
043     *       |                                                               /
044     *       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
045     *       /                                                               /
046     *       /                            signature                          /
047     *       /                                                               /
048     *       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
049     * 
050     * 4.1.1 Type Covered Field
051     * 
052     *    The "type covered" is the type of the other RRs covered by this SIG.
053     * 
054     * 4.1.2 Algorithm Number Field
055     * 
056     *    This octet is as described in section 3.2.
057     * 
058     * 4.1.3 Labels Field
059     * 
060     *    The "labels" octet is an unsigned count of how many labels there are
061     *    in the original SIG RR owner name not counting the null label for
062     *    root and not counting any initial "*" for a wildcard.  If a secured
063     *    retrieval is the result of wild card substitution, it is necessary
064     *    for the resolver to use the original form of the name in verifying
065     *    the digital signature.  This field makes it easy to determine the
066     *    original form.
067     * 
068     *    If, on retrieval, the RR appears to have a longer name than indicated
069     *    by "labels", the resolver can tell it is the result of wildcard
070     *    substitution.  If the RR owner name appears to be shorter than the
071     *    labels count, the SIG RR must be considered corrupt and ignored.  The
072     *    maximum number of labels allowed in the current DNS is 127 but the
073     *    entire octet is reserved and would be required should DNS names ever
074     *    be expanded to 255 labels.  The following table gives some examples.
075     *    The value of "labels" is at the top, the retrieved owner name on the
076     *    left, and the table entry is the name to use in signature
077     *    verification except that "bad" means the RR is corrupt.
078     * 
079     *    labels= |  0  |   1  |    2   |      3   |      4   |
080     *    --------+-----+------+--------+----------+----------+
081     *           .|   . | bad  |  bad   |    bad   |    bad   |
082     *          d.|  *. |   d. |  bad   |    bad   |    bad   |
083     *        c.d.|  *. | *.d. |   c.d. |    bad   |    bad   |
084     *      b.c.d.|  *. | *.d. | *.c.d. |   b.c.d. |    bad   |
085     *    a.b.c.d.|  *. | *.d. | *.c.d. | *.b.c.d. | a.b.c.d. |
086     * 
087     * 4.1.4 Original TTL Field
088     * 
089     *    The "original TTL" field is included in the RDATA portion to avoid
090     *    (1) authentication problems that caching servers would otherwise
091     *    cause by decrementing the real TTL field and (2) security problems
092     *    that unscrupulous servers could otherwise cause by manipulating the
093     *    real TTL field.  This original TTL is protected by the signature
094     *    while the current TTL field is not.
095     * 
096     *    NOTE:  The "original TTL" must be restored into the covered RRs when
097     *    the signature is verified (see Section 8).  This generally implies
098     *    that all RRs for a particular type, name, and class, that is, all the
099     *    RRs in any particular RRset, must have the same TTL to start with.
100     * 
101     * 4.1.5 Signature Expiration and Inception Fields
102     * 
103     *    The SIG is valid from the "signature inception" time until the
104     *    "signature expiration" time.  Both are unsigned numbers of seconds
105     *    since the start of 1 January 1970, GMT, ignoring leap seconds.  (See
106     *    also Section 4.4.)  Ring arithmetic is used as for DNS SOA serial
107     *    numbers [RFC 1982] which means that these times can never be more
108     *    than about 68 years in the past or the future.  This means that these
109     *    times are ambiguous modulo ~136.09 years.  However there is no
110     *    security flaw because keys are required to be changed to new random
111     *    keys by [RFC 2541] at least every five years.  This means that the
112     *    probability that the same key is in use N*136.09 years later should
113     *    be the same as the probability that a random guess will work.
114     * 
115     *    A SIG RR may have an expiration time numerically less than the
116     *    inception time if the expiration time is near the 32 bit wrap around
117     *    point and/or the signature is long lived.
118     * 
119     *    (To prevent misordering of network requests to update a zone
120     *    dynamically, monotonically increasing "signature inception" times may
121     *    be necessary.)
122     * 
123     *    A secure zone must be considered changed for SOA serial number
124     *    purposes not only when its data is updated but also when new SIG RRs
125     *    are inserted (ie, the zone or any part of it is re-signed).
126     * 
127     * 4.1.6 Key Tag Field
128     * 
129     *    The "key Tag" is a two octet quantity that is used to efficiently
130     *    select between multiple keys which may be applicable and thus check
131     *    that a public key about to be used for the computationally expensive
132     *    effort to check the signature is possibly valid.  For algorithm 1
133     *    (MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two
134     *    octets of the public key modulus needed to decode the signature
135     *    field.  That is to say, the most significant 16 of the least
136     *    significant 24 bits of the modulus in network (big endian) order. For
137     *    all other algorithms, including private algorithms, it is calculated
138     *    as a simple checksum of the KEY RR as described in Appendix C.
139     * 
140     * 4.1.7 Signer's Name Field
141     * 
142     *    The "signer's name" field is the domain name of the signer generating
143     *    the SIG RR.  This is the owner name of the public KEY RR that can be
144     *    used to verify the signature.  It is frequently the zone which
145     *    contained the RRset being authenticated.  Which signers should be
146     *    authorized to sign what is a significant resolver policy question as
147     *    discussed in Section 6. The signer's name may be compressed with
148     *    standard DNS name compression when being transmitted over the
149     *    network.
150     * 
151     * 4.1.8 Signature Field
152     * 
153     *    The actual signature portion of the SIG RR binds the other RDATA
154     *    fields to the RRset of the "type covered" RRs with that owner name
155     *    and class.  This covered RRset is thereby authenticated.  To
156     *    accomplish this, a data sequence is constructed as follows:
157     * 
158     *          data = RDATA | RR(s)...
159     * 
160     *    where "|" is concatenation,
161     * 
162     *    RDATA is the wire format of all the RDATA fields in the SIG RR itself
163     *    (including the canonical form of the signer's name) before but not
164     *    including the signature, and
165     * 
166     *    RR(s) is the RRset of the RR(s) of the type covered with the same
167     *    owner name and class as the SIG RR in canonical form and order as
168     *    defined in Section 8.
169     * 
170     *    How this data sequence is processed into the signature is algorithm
171     *    dependent.  These algorithm dependent formats and procedures are
172     *    described in separate documents (Section 3.2).
173     * 
174     *    SIGs SHOULD NOT be included in a zone for any "meta-type" such as
175     *    ANY, AXFR, etc. (but see section 5.6.2 with regard to IXFR).
176     * 
177     * @author <a href="mailto:dev@directory.apache.org">Apache Directory Project</a>
178     * @version $Rev: 501160 $, $Date: 2007-01-29 20:41:33 +0100 (Mon, 29 Jan 2007) $
179     */
public class SignatureRecordEncoder
{
    // Placeholder: the class body is empty, so this encoder currently produces
    // no SIG RDATA at all.  The Javadoc above (4.1) gives the wire layout.  Note
    // for whoever fills this in: the signature field covers every RDATA field
    // that precedes it, including the canonical form of the signer's name
    // (4.1.8), so the fields must be written in exactly the order shown and the
    // signer's name must not be compressed in the signed data, or verification
    // of the record will fail on the receiving side.
}