 /**
  * Verifies a message's SIG(0) signature against the given KEY record.
  *
  * <p>Only the first SIG record in the ADDITIONAL section whose "type covered" field is 0 is
  * treated as the SIG(0); any other SIG records in that section are ignored.
  *
  * @param message The message whose SIG(0) is to be verified
  * @param b The message in unparsed (wire) form. SIG(0) covers the wire bytes as received, and
  *     re-encoding the parsed message would not reproduce the same name compression.
  * @param key The KEY record to verify the signature with.
  * @param previous If this message is a response, the SIG(0) from the query
  * @throws DNSSEC.DNSSECException if the signature cannot be verified
  */
 public static void verifyMessage(Message message, byte[] b, KEYRecord key, SIGRecord previous)
     throws DNSSEC.DNSSECException {
   SIGRecord sig0 = null;
   for (Record rec : message.getSectionArray(Section.ADDITIONAL)) {
     if (rec.getType() == Type.SIG && ((SIGRecord) rec).getTypeCovered() == 0) {
       sig0 = (SIGRecord) rec;
       break;
     }
   }
   // If no SIG(0) was found, sig0 is still null here; whether that is rejected cleanly or
   // dereferenced is decided inside DNSSEC.verifyMessage. NOTE(review): confirm it rejects a
   // null signature rather than throwing NullPointerException.
   DNSSEC.verifyMessage(message, b, sig0, previous, key);
 }
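   /**
    * Signs a message with SIG(0) and appends the signature to the ADDITIONAL section. The DNS key
    * and private key must refer to the same underlying cryptographic key.
    *
    * <p>The signature's inception time is the current system time; its expiration is that time
    * plus the validity period in seconds read from the {@code sig0validity} option, falling back
    * to {@code VALIDITY} when the option value is negative (presumably the unset case — confirm
    * against {@code Options.intValue}). A validity of 0 is accepted as given and yields a
    * signature that expires at the moment it is created.
    *
    * @param message The message to be signed
    * @param key The KEY record to use as part of signing
    * @param privkey The PrivateKey to use when signing
    * @param previous If this message is a response, the SIG(0) from the query
    * @throws DNSSEC.DNSSECException if the signature cannot be produced
    */
   public static void signMessage(
       Message message, KEYRecord key, PrivateKey privkey, SIGRecord previous)
       throws DNSSEC.DNSSECException {

     int validity = Options.intValue("sig0validity");
     if (validity < 0) {
       validity = VALIDITY;
     }

     long now = System.currentTimeMillis();
     Date timeSigned = new Date(now);
     // Widen to long before multiplying: validity * 1000 in int arithmetic silently overflows for
     // validity periods above Integer.MAX_VALUE / 1000 seconds (about 24.8 days), which would
     // place the expiration in the past instead of the requested period ahead.
     Date timeExpires = new Date(now + validity * 1000L);

     SIGRecord sig = DNSSEC.signMessage(message, previous, key, privkey, timeSigned, timeExpires);

     message.addRecord(sig, Section.ADDITIONAL);
   }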