Add support for DNSSEC/DANE

This closes the cycle which started with a GSOC 2015 project under the umbrella of the XSF adding DNSSEC/DANE support to MiniDNS. Fixes SMACK-366.
2025-09-09 00:59:39 +02:00 · 2016-10-31 10:45:38 +01:00 · 2016-10-31 10:45:38 +01:00 · a1630d033e
commit a1630d033e
parent 042fe3c72c
18 changed files with 698 additions and 134 deletions
--- a/smack-resolver-minidns/build.gradle
+++ b/smack-resolver-minidns/build.gradle
@ -5,6 +5,6 @@ javax.naming API (e.g. Android)."""

 dependencies {
 	compile project(path: ':smack-core')
-	compile 'de.measite.minidns:minidns:[0.1,0.2)'
+	compile 'de.measite.minidns:minidns-hla:0.2.0-beta1'
 	compile "org.jxmpp:jxmpp-util-cache:$jxmppVersion"
 }
--- a/smack-resolver-minidns/src/main/java/org/jivesoftware/smack/util/dns/minidns/MiniDnsDane.java
+++ b/smack-resolver-minidns/src/main/java/org/jivesoftware/smack/util/dns/minidns/MiniDnsDane.java
@ -0,0 +1,34 @@
+/**
+ *
+ * Copyright 2015-2016 Florian Schmaus
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jivesoftware.smack.util.dns.minidns;
+
+import org.jivesoftware.smack.util.DNSUtil;
+import org.jivesoftware.smack.util.dns.SmackDaneProvider;
+import org.jivesoftware.smack.util.dns.SmackDaneVerifier;
+
+public class MiniDnsDane implements SmackDaneProvider {
+    public static final MiniDnsDane INSTANCE = new MiniDnsDane();
+
+    @Override
+    public SmackDaneVerifier newInstance() {
+        return new MiniDnsDaneVerifier();
+    }
+
+    public static void setup() {
+        DNSUtil.setDaneProvider(INSTANCE);
+    }
+}
--- a/smack-resolver-minidns/src/main/java/org/jivesoftware/smack/util/dns/minidns/MiniDnsDaneVerifier.java
+++ b/smack-resolver-minidns/src/main/java/org/jivesoftware/smack/util/dns/minidns/MiniDnsDaneVerifier.java
@ -0,0 +1,76 @@
+/**
+ *
+ * Copyright 2015-2016 Florian Schmaus
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.jivesoftware.smack.util.dns.minidns;
+
+import java.io.IOException;
+import java.security.KeyManagementException;
+import java.security.SecureRandom;
+import java.security.cert.CertificateException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+
+import org.jivesoftware.smack.util.dns.SmackDaneVerifier;
+
+import de.measite.minidns.dane.DaneVerifier;
+import de.measite.minidns.dane.ExpectingTrustManager;
+
+public class MiniDnsDaneVerifier implements SmackDaneVerifier {
+    private static final Logger LOGGER = Logger.getLogger(MiniDnsDaneVerifier.class.getName());
+
+    private static final DaneVerifier VERIFIER = new DaneVerifier();
+
+    private ExpectingTrustManager expectingTrustManager;
+
+    // Package protected constructor. Use MiniDnsDane.newInstance() to create the verifier.
+    MiniDnsDaneVerifier() {
+    }
+
+    @Override
+    public void init(SSLContext context, KeyManager[] km, X509TrustManager tm, SecureRandom random) throws KeyManagementException {
+        if (expectingTrustManager != null) {
+            throw new IllegalStateException("DaneProvider was initialized before. Use newInstance() instead.");
+        }
+        expectingTrustManager = new ExpectingTrustManager(tm);
+        context.init(km, new TrustManager[]{expectingTrustManager}, random);
+    }
+
+    @Override
+    public void finish(SSLSocket sslSocket) throws CertificateException {
+        if (VERIFIER.verify(sslSocket)) {
+            // DANE verification was the only requirement according to the TLSA RR. We can return here.
+            return;
+        }
+
+        // DANE verification was successful, but according to the TLSA RR we also must perform PKIX validation.
+        if (expectingTrustManager.hasException()) {
+            // PKIX validation has failed. Throw an exception but close the socket first.
+            try {
+                sslSocket.close();
+            } catch (IOException e) {
+                LOGGER.log(Level.FINER, "Closing TLS socket failed", e);
+            }
+            throw expectingTrustManager.getException();
+        }
+    }
+
+}
--- a/smack-resolver-minidns/src/main/java/org/jivesoftware/smack/util/dns/minidns/MiniDnsResolver.java
+++ b/smack-resolver-minidns/src/main/java/org/jivesoftware/smack/util/dns/minidns/MiniDnsResolver.java
@ -16,82 +16,148 @@
 */
 package org.jivesoftware.smack.util.dns.minidns;

+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.util.ArrayList;
 import java.util.LinkedList;
 import java.util.List;

+import org.jivesoftware.smack.ConnectionConfiguration.DnssecMode;
 import org.jivesoftware.smack.initializer.SmackInitializer;
 import org.jivesoftware.smack.util.DNSUtil;
 import org.jivesoftware.smack.util.dns.DNSResolver;
+import org.jivesoftware.smack.util.dns.HostAddress;
 import org.jivesoftware.smack.util.dns.SRVRecord;
-import org.jxmpp.util.cache.ExpirationCache;

-import de.measite.minidns.Client;
 import de.measite.minidns.DNSCache;
-import de.measite.minidns.DNSMessage;
+import de.measite.minidns.DNSMessage.RESPONSE_CODE;
 import de.measite.minidns.Question;
-import de.measite.minidns.Record;
-import de.measite.minidns.Record.CLASS;
-import de.measite.minidns.Record.TYPE;
-import de.measite.minidns.record.Data;
+import de.measite.minidns.cache.LRUCache;
+import de.measite.minidns.dnssec.DNSSECClient;
+import de.measite.minidns.hla.ResolutionUnsuccessfulException;
+import de.measite.minidns.hla.ResolverApi;
+import de.measite.minidns.hla.ResolverResult;
+import de.measite.minidns.record.A;
+import de.measite.minidns.record.AAAA;
 import de.measite.minidns.record.SRV;
+import de.measite.minidns.recursive.ReliableDNSClient;


 /**
- * This implementation uses the <a href="https://github.com/rtreffer/minidns/">minidns</a> implementation for
+ * This implementation uses the <a href="https://github.com/rtreffer/minidns/">MiniDNS</a> implementation for
 * resolving DNS addresses.
 */
-public class MiniDnsResolver implements SmackInitializer, DNSResolver {
+public class MiniDnsResolver extends DNSResolver implements SmackInitializer {

-    private static final long ONE_DAY = 24*60*60*1000;
-    private static final MiniDnsResolver instance = new MiniDnsResolver();
-    private static final ExpirationCache<Question, DNSMessage> cache = new ExpirationCache<Question, DNSMessage>(10, ONE_DAY);
-    private final Client client; 
+    private static final MiniDnsResolver INSTANCE = new MiniDnsResolver();

-    public MiniDnsResolver() {
-        client = new Client(new DNSCache() {
+    private static final DNSCache CACHE = new LRUCache(128);

-            @Override
-            public DNSMessage get(Question question) {
-                return cache.get(question);
-            }
+    private static final ResolverApi DNSSEC_RESOLVER = new ResolverApi(new DNSSECClient(CACHE));

-            @Override
-            public void put(Question question, DNSMessage message) {
-                long expirationTime = ONE_DAY;
-                for (Record record : message.getAnswers()) {
-                    if (record.isAnswer(question)) {
-                        expirationTime = record.getTtl();
-                        break;
-                    }
-                }
-                cache.put(question, message, expirationTime);
-            }
-
-        });
-    }
+    private static final ResolverApi NON_DNSSEC_RESOLVER = new ResolverApi(new ReliableDNSClient(CACHE));

    public static DNSResolver getInstance() {
-        return instance;
+        return INSTANCE;
+    }
+
+    public MiniDnsResolver() {
+        super(true);
    }

    @Override
-    public List<SRVRecord> lookupSRVRecords(String name) {
-        List<SRVRecord> res = new LinkedList<SRVRecord>();
-        DNSMessage message = client.query(name, TYPE.SRV, CLASS.IN);
-        if (message == null) {
-            return res;
+    protected List<SRVRecord> lookupSRVRecords0(final String name, List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
+        final ResolverApi resolver = getResolver(dnssecMode);
+
+        ResolverResult<SRV> result;
+        try {
+            result = resolver.resolve(name, SRV.class);
+        } catch (IOException e) {
+            failedAddresses.add(new HostAddress(name, e));
+            return null;
        }
-        for (Record record : message.getAnswers()) {
-            Data data = record.getPayload();
-            if (!(data instanceof SRV)) {
+
+        // TODO: Use ResolverResult.getResolutionUnsuccessfulException() found in newer MiniDNS versions.
+        if (!result.wasSuccessful()) {
+            ResolutionUnsuccessfulException resolutionUnsuccessfulException = getExceptionFrom(result);
+            failedAddresses.add(new HostAddress(name, resolutionUnsuccessfulException));
+            return null;
+        }
+
+        if (shouldAbortIfNotAuthentic(name, dnssecMode, result, failedAddresses)) {
+            return null;
+        }
+
+        List<SRVRecord> res = new LinkedList<SRVRecord>();
+        for (SRV srv : result.getAnswers()) {
+            String hostname = srv.name.ace;
+            List<InetAddress> hostAddresses = lookupHostAddress0(hostname, failedAddresses, dnssecMode);
+            if (hostAddresses == null) {
                continue;
            }
-            SRV srv = (SRV) data;
-            res.add(new SRVRecord(srv.getName(), srv.getPort(), srv.getPriority(), srv.getWeight()));
+
+            SRVRecord srvRecord = new SRVRecord(hostname, srv.port, srv.priority, srv.weight, hostAddresses);
+            res.add(srvRecord);
        }
+
        return res;
    }

+    @Override
+    protected List<InetAddress> lookupHostAddress0(final String name, List<HostAddress> failedAddresses, DnssecMode dnssecMode) {
+        final ResolverApi resolver = getResolver(dnssecMode);
+
+        final ResolverResult<A> aResult;
+        final ResolverResult<AAAA> aaaaResult;
+
+        try {
+            aResult = resolver.resolve(name, A.class);
+            aaaaResult = resolver.resolve(name, AAAA.class);
+        } catch (IOException e) {
+            failedAddresses.add(new HostAddress(name, e));
+            return null;
+        }
+
+        if (!aResult.wasSuccessful() && !aaaaResult.wasSuccessful()) {
+            // Both results where not successful.
+            failedAddresses.add(new HostAddress(name, getExceptionFrom(aResult)));
+            failedAddresses.add(new HostAddress(name, getExceptionFrom(aaaaResult)));
+            return null;
+        }
+
+        if (shouldAbortIfNotAuthentic(name, dnssecMode, aResult, failedAddresses)
+                        || shouldAbortIfNotAuthentic(name, dnssecMode, aaaaResult, failedAddresses)) {
+            return null;
+        }
+
+        List<InetAddress> inetAddresses = new ArrayList<>(aResult.getAnswers().size()
+                        + aaaaResult.getAnswers().size());
+
+        for (A a : aResult.getAnswers()) {
+            InetAddress inetAddress;
+            try {
+                inetAddress = InetAddress.getByAddress(a.getIp());
+            }
+            catch (UnknownHostException e) {
+                continue;
+            }
+            inetAddresses.add(inetAddress);
+        }
+        for (AAAA aaaa : aaaaResult.getAnswers()) {
+            InetAddress inetAddress;
+            try {
+                inetAddress = InetAddress.getByAddress(name, aaaa.getIp());
+            }
+            catch (UnknownHostException e) {
+                continue;
+            }
+            inetAddresses.add(inetAddress);
+        }
+
+        return inetAddresses;
+    }
+
    public static void setup() {
        DNSUtil.setDNSResolver(getInstance());
    }
@ -99,7 +165,43 @@ public class MiniDnsResolver implements SmackInitializer, DNSResolver {
    @Override
    public List<Exception> initialize() {
        setup();
+        MiniDnsDane.setup();
        return null;
    }

+    private static ResolverApi getResolver(DnssecMode dnssecMode) {
+        if (dnssecMode == DnssecMode.disabled) {
+            return NON_DNSSEC_RESOLVER;
+        } else {
+            return DNSSEC_RESOLVER;
+        }
+    }
+
+    private static boolean shouldAbortIfNotAuthentic(String name, DnssecMode dnssecMode,
+                    ResolverResult<?> result, List<HostAddress> failedAddresses) {
+        switch (dnssecMode) {
+        case needsDnssec:
+        case needsDnssecAndDane:
+            // Check if the result is authentic data, i.e. there a no reasons the result is unverified.
+            // TODO: Use ResolverResult.getDnssecResultNotAuthenticException() of newer MiniDNS versions.
+            if (!result.isAuthenticData()) {
+                Exception exception = new Exception("DNSSEC verification failed: " + result.getUnverifiedReasons().iterator().next().getReasonString());
+                failedAddresses.add(new HostAddress(name, exception));
+                return true;
+            }
+            break;
+        case disabled:
+            break;
+        default:
+            throw new IllegalStateException("Unknown DnssecMode: " + dnssecMode);
+        }
+        return false;
+    }
+
+    private static ResolutionUnsuccessfulException getExceptionFrom(ResolverResult<?> result) {
+        Question question = result.getQuestion();
+        RESPONSE_CODE responseCode = result.getResponseCode();
+        ResolutionUnsuccessfulException resolutionUnsuccessfulException = new ResolutionUnsuccessfulException(question, responseCode);
+        return resolutionUnsuccessfulException;
+    }
 }