authorWillem Toorop <willem@nlnetlabs.nl>2015-09-28 16:51:21 +0200
committerWillem Toorop <willem@nlnetlabs.nl>2015-09-28 16:51:21 +0200
commit4af2f38d50451023b61aa3a41297a3e6d54d123d (patch)
treedf3e0653c0c1a3e39d3a84278de65272f9d64096
parentc66e31189574ec4a22a44bf1d6cc922cd0b820b4 (diff)
downloadldns-4af2f38d50451023b61aa3a41297a3e6d54d123d.tar.gz
-U option to ldns-signzone to sign with every algo
-rw-r--r--dnssec_sign.c91
-rw-r--r--examples/ldns-signzone.c6
-rw-r--r--ldns/dnssec_sign.h1
3 files changed, 71 insertions, 27 deletions
diff --git a/dnssec_sign.c b/dnssec_sign.c
index 4f605461..137bba94 100644
--- a/dnssec_sign.c
+++ b/dnssec_sign.c
@@ -1023,39 +1023,78 @@ ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
/** If there are KSKs use only them and mark ZSKs unused */
static void
-ldns_key_list_filter_for_dnskey(ldns_key_list *key_list)
+ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags)
{
- int saw_ksk = 0;
+ bool algos[256] = { false };
+ ldns_signing_algorithm saw_ksk = 0;
+ ldns_key *key;
size_t i;
- for(i=0; i<ldns_key_list_key_count(key_list); i++)
- if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
- saw_ksk = 1;
- break;
- }
- if(!saw_ksk)
+
+ if (!ldns_key_list_key_count(key_list))
return;
- for(i=0; i<ldns_key_list_key_count(key_list); i++)
- if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
- ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
+
+ for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
+ key = ldns_key_list_key(key_list, i);
+ if ((ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_ksk)
+ saw_ksk = ldns_key_algorithm(key);
+ algos[ldns_key_algorithm(key)] = true;
+ }
+ if (!saw_ksk)
+ return;
+ else
+ algos[saw_ksk] = 0;
+
+ for (i =0; i < ldns_key_list_key_count(key_list); i++) {
+ key = ldns_key_list_key(key_list, i);
+ if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
+ /* We have a ZSK.
+ * Still use it if it has a unique algorithm though!
+ */
+ if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
+ algos[ldns_key_algorithm(key)])
+ algos[ldns_key_algorithm(key)] = false;
+ else
+ ldns_key_set_use(key, 0);
+ }
+ }
}
/** If there are no ZSKs use KSK as ZSK */
static void
-ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list)
+ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags)
{
- int saw_zsk = 0;
+ bool algos[256] = { false };
+ ldns_signing_algorithm saw_zsk = 0;
+ ldns_key *key;
size_t i;
- for(i=0; i<ldns_key_list_key_count(key_list); i++)
- if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
- saw_zsk = 1;
- break;
- }
- if(!saw_zsk)
+
+ if (!ldns_key_list_key_count(key_list))
+ return;
+
+ for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
+ key = ldns_key_list_key(key_list, i);
+ if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_zsk)
+ saw_zsk = ldns_key_algorithm(key);
+ algos[ldns_key_algorithm(key)] = true;
+ }
+ if (!saw_zsk)
return;
- /* else filter all KSKs */
- for(i=0; i<ldns_key_list_key_count(key_list); i++)
- if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
- ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
+ else
+ algos[saw_zsk] = 0;
+
+ for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
+ key = ldns_key_list_key(key_list, i);
+ if((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
+ /* We have a KSK.
+ * Still use it if it has a unique algorithm though!
+ */
+ if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
+ algos[ldns_key_algorithm(key)])
+ algos[ldns_key_algorithm(key)] = false;
+ else
+ ldns_key_set_use(key, 0);
+ }
+ }
}
ldns_status
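Review bot: Only the algorithm of the first KSK is removed from `algos` (`algos[saw_ksk] = 0;`), so with KSKs of two different algorithms a ZSK that shares the second KSK's algorithm is still left in use when LDNS_SIGN_WITH_ALL_ALGORITHMS is set, contrary to the "unique algorithm" intent stated in the comment; ldns_key_list_filter_for_non_dnskey has the mirror-image gap for KSKs. Reusing `saw_ksk` as both the presence flag and an algorithm number also makes an algorithm value of 0 indistinguishable from "no KSK seen". Recording only the ZSK algorithms in the first pass and clearing every KSK algorithm in a second pass fixes both, as sketched below for the DNSKEY variant. Separately, `algos[256]` is indexed straight from ldns_key_algorithm(); unless that value is guaranteed to fit in an octet, a guard such as `if ((unsigned)ldns_key_algorithm(key) >= 256) continue;` before each index would rule out an out-of-bounds stack write, and `algos[saw_ksk] = 0;` should read `= false` to match the rest of the block.
```c
ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags)
{
	bool algos[256] = { false };
	int saw_ksk = 0;
	ldns_key *key;
	size_t i;

	if (!ldns_key_list_key_count(key_list))
		return;

	/* First pass: note which algorithms the ZSKs provide. */
	for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
		key = ldns_key_list_key(key_list, i);
		if (ldns_key_flags(key) & LDNS_KEY_SEP_KEY)
			saw_ksk = 1;
		else
			algos[ldns_key_algorithm(key)] = true;
	}
	if (!saw_ksk)
		return;

	/* Second pass: an algorithm any KSK already covers needs no ZSK. */
	for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
		key = ldns_key_list_key(key_list, i);
		if (ldns_key_flags(key) & LDNS_KEY_SEP_KEY)
			algos[ldns_key_algorithm(key)] = false;
	}
	/* … unchanged: ZSK loop that keeps one ZSK per remaining algorithm … */
}
```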
@@ -1114,10 +1153,10 @@ ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone
arg);
if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) &&
cur_rrset->type == LDNS_RR_TYPE_DNSKEY)
- ldns_key_list_filter_for_dnskey(key_list);
+ ldns_key_list_filter_for_dnskey(key_list, flags);
if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY)
- ldns_key_list_filter_for_non_dnskey(key_list);
+ ldns_key_list_filter_for_non_dnskey(key_list, flags);
/* TODO: just set count to zero? */
rr_list = ldns_rr_list_new();
@@ -1170,7 +1209,7 @@ ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone
key_list,
func,
arg);
- ldns_key_list_filter_for_non_dnskey(key_list);
+ ldns_key_list_filter_for_non_dnskey(key_list, flags);
rr_list = ldns_rr_list_new();
ldns_rr_list_push_rr(rr_list, cur_name->nsec);
diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c
index c19c8b47..5d693660 100644
--- a/examples/ldns-signzone.c
+++ b/examples/ldns-signzone.c
@@ -39,6 +39,7 @@ usage(FILE *fp, const char *prog) {
fprintf(fp, " -o <domain>\torigin for the zone\n");
fprintf(fp, " -v\t\tprint version and exit\n");
fprintf(fp, " -A\t\tsign DNSKEY with all keys instead of minimal\n");
+ fprintf(fp, " -U\t\tSign with every unique algorithm in the provided keys\n");
fprintf(fp, " -E <name>\tuse <name> as the crypto engine for signing\n");
fprintf(fp, " \tThis can have a lot of extra options, see the manual page for more info\n");
fprintf(fp, " -k <id>,<int>\tuse key id with algorithm int from engine\n");
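Review bot: The new `-U` help line is the only entry in the usage text that starts with a capital letter (`Sign`), while its neighbours `-A` and `-E` start lowercase; `fprintf(fp, " -U\t\tsign with every unique algorithm in the provided keys\n");` keeps the listing uniform. Since the flag only changes which keys are used when the key set carries more than one algorithm, the help text could say so to set expectations.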
@@ -378,7 +379,7 @@ main(int argc, char *argv[])
OPENSSL_config(NULL);
- while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAE:K:")) != -1) {
+ while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAUE:K:")) != -1) {
switch (c) {
case 'a':
nsec3_algorithm = (uint8_t) atoi(optarg);
@@ -569,6 +570,9 @@ main(int argc, char *argv[])
printf("Not implemented yet\n");
exit(EXIT_FAILURE);
break;
+ case 'U':
+ signflags |= LDNS_SIGN_WITH_ALL_ALGORITHMS;
+ break;
case 's':
if (strlen(optarg) % 2 != 0) {
fprintf(stderr, "Salt value is not valid hex data, not a multiple of 2 characters\n");
diff --git a/ldns/dnssec_sign.h b/ldns/dnssec_sign.h
index f51c7fb3..8a9ee895 100644
--- a/ldns/dnssec_sign.h
+++ b/ldns/dnssec_sign.h
@@ -13,6 +13,7 @@ extern "C" {
/** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/
#define LDNS_SIGN_DNSKEY_WITH_ZSK 1
+#define LDNS_SIGN_WITH_ALL_ALGORITHMS 2
/**
* Create an empty RRSIG RR (i.e. without the actual signature data)