[dnssec] Add DigestComparisonFailedException

MiniDNS · Jun 9, 2024 · cae24db · cae24db
1 parent acce771
commit cae24db
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 2 deletions.
diff --git a/minidns-dnssec/src/main/java/org/minidns/dnssec/DnssecValidationFailedException.java b/minidns-dnssec/src/main/java/org/minidns/dnssec/DnssecValidationFailedException.java
@@ -13,9 +13,11 @@
 import org.minidns.dnsmessage.DnsMessage;
 import org.minidns.dnsmessage.Question;
 import org.minidns.record.Data;
+import org.minidns.record.DelegatingDnssecRR;
 import org.minidns.record.Record;
 
 import java.io.IOException;
+import java.math.BigInteger;
 import java.security.spec.InvalidKeySpecException;
 import java.util.List;
 
@@ -101,4 +103,50 @@ public DnsMessage getResponse() {
             return response;
         }
     }
+
+    public static final class DigestComparisonFailedException extends DnssecValidationFailedException {
+
+        /**
+        *
+        */
+       private static final long serialVersionUID = 1L;
+
+       private final Record<? extends Data> record;
+       private final DelegatingDnssecRR ds;
+       private final byte[] digest;
+       private final String digestHex;
+
+       private DigestComparisonFailedException(String message, Record<? extends Data> record, DelegatingDnssecRR ds, byte[] digest, String digestHex) {
+           super(message);
+           this.record = record;
+           this.ds = ds;
+           this.digest = digest;
+           this.digestHex = digestHex;
+       }
+
+       public Record<? extends Data> getRecord() {
+           return record;
+       }
+
+       public DelegatingDnssecRR getDelegaticDnssecRr() {
+           return ds;
+       }
+
+       public byte[] getDigest() {
+           return digest.clone();
+       }
+
+       public String getDigestHex() {
+           return digestHex;
+       }
+
+       public static DigestComparisonFailedException from(Record<? extends Data> record, DelegatingDnssecRR ds, byte[] digest) {
+           BigInteger digestBigInteger = new BigInteger(1, digest);
+           String digestHex = digestBigInteger.toString(16).toUpperCase();
+
+           String message = "Digest for " + record + " does not match. Digest of delegating DNSSEC RR " + ds + " is '"
+                   + ds.getDigestHex() + "' while we calculated '" + digestHex + "'";
+           return new DigestComparisonFailedException(message, record, ds, digest, digestHex);
+       }
+    }
 }
diff --git a/minidns-dnssec/src/main/java/org/minidns/dnssec/Verifier.java b/minidns-dnssec/src/main/java/org/minidns/dnssec/Verifier.java
@@ -16,6 +16,7 @@
 import org.minidns.dnssec.DnssecUnverifiedReason.AlgorithmExceptionThrownReason;
 import org.minidns.dnssec.DnssecUnverifiedReason.AlgorithmNotSupportedReason;
 import org.minidns.dnssec.DnssecUnverifiedReason.NSECDoesNotMatchReason;
+import org.minidns.dnssec.DnssecValidationFailedException.DigestComparisonFailedException;
 import org.minidns.dnssec.algorithms.AlgorithmMap;
 import org.minidns.record.DNSKEY;
 import org.minidns.record.Data;
@@ -57,8 +58,7 @@ public static DnssecUnverifiedReason verify(Record<DNSKEY> dnskeyRecord, Delegat
         }
 
         if (!ds.digestEquals(digest)) {
-            // TODO: Add 'ds' and 'digest' to this exception, and rename the exception to "DigestComparisionFailedException".
-            throw new DnssecValidationFailedException(dnskeyRecord, "SEP is not properly signed by parent DS!");
+            throw DigestComparisonFailedException.from(dnskeyRecord, ds, digest);
         }
         return null;
     }