index the signature cache on the hash of the public key instead of on the whole key!
authorBert Hubert <bert.hubert@netherlabs.nl>
Sun, 9 Jan 2011 18:26:04 +0000 (18:26 +0000)
committerBert Hubert <bert.hubert@netherlabs.nl>
Sun, 9 Jan 2011 18:26:04 +0000 (18:26 +0000)
git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1849 d19b8d6e-7fed-0310-83ef-9ca221ded41b

pdns/dnssecinfra.cc
pdns/dnsseckeeper.hh
pdns/dnssecsigner.cc

index 2b8fc64fd1f3f7b88f33b27c5982062cd802af78..92afa221a002fa5d98bc47fb988a535f28a785fb 100644 (file)
@@ -33,6 +33,22 @@ void RSAContext::create(unsigned int bits)
     throw runtime_error("Key generation failed");
 }
 
+std::string RSAContext::getPubKeyHash()
+{
+  unsigned char hash[20];
+  unsigned char N[mpi_size(&d_context.N)];
+  mpi_write_binary(&d_context.N, N, sizeof(N));
+  unsigned char E[mpi_size(&d_context.E)];
+  mpi_write_binary(&d_context.E, E, sizeof(E));
+  
+  sha1_context ctx;
+  sha1_starts(&ctx);
+  sha1_update(&ctx, N, sizeof(N));
+  sha1_update(&ctx, E, sizeof(E));
+  sha1_finish(&ctx, hash);
+  return string((char*)hash, sizeof(hash));
+}
+
 std::string RSAContext::convertToISC(unsigned int algorithm) const
 {
   string ret;
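Review bot: Both `mpi_write_binary` calls in getPubKeyHash discard their return code, so a serialization failure would silently hash whatever is left in the uninitialized N and E buffers and still return a "valid" cache key; the function already sits next to a throwing path, so `if(mpi_write_binary(&d_context.N, N, sizeof(N)) != 0 || mpi_write_binary(&d_context.E, E, sizeof(E)) != 0) throw runtime_error("Unable to serialize RSA public key");` would keep a broken key out of the signature cache. The digest is also taken over the bare concatenation N||E, so the split point between the two integers is not part of what is hashed; feeding the lengths in first (e.g. `sha1_update(&ctx, ...)` over `sizeof(N)` as a fixed-width value before N) makes the key unambiguous at negligible cost. Since the body only reads d_context and the PolarSSL mpi calls take a const pointer, the method can be declared `const` here and in the matching declaration added to pdns/dnsseckeeper.hh. The variable-length arrays `N[mpi_size(...)]` and `E[mpi_size(...)]` are a compiler extension rather than standard C++, which is worth a comment if the project intends to rely on it.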
index ad99fe3ec6af61d72131cb15714010ba5f2436c0..8d28508680f2f1d217d3f3ea76f230535e2c4b08 100644 (file)
@@ -80,7 +80,7 @@ public:
 
   void create(unsigned int bits);
   std::string convertToISC(unsigned int algorithm) const;
-
+  std::string getPubKeyHash();
 private:
   rsa_context d_context;
 };
index 4484a67642ccc64dbd159d232021f623e03b5dfc..c8a34fefd146488ae5a7d75168718e47a87bc623 100644 (file)
@@ -120,7 +120,7 @@ void addSignature(DNSSECKeeper& dk, const std::string signQName, const std::stri
 }
 
 static pthread_mutex_t g_signatures_lock = PTHREAD_MUTEX_INITIALIZER;
-static map<pair<RSAContext, string>, string> g_signatures;
+static map<pair<string, string>, string> g_signatures;
 
 void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign) 
 {
@@ -131,15 +131,17 @@ void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGReco
   string realhash=getHashForRRSET(signQName, rrc, toSign); // this is what we sign
 
   unsigned char signature[mpi_size(&rc.getContext().N)];
-
+  pair<string, string> lookup(rc.getPubKeyHash(), realhash);
+  
   {
     Lock l(&g_signatures_lock);
-    
-    // this is mindbogglingly inefficient, we store the whole private key as index!
-    if(g_signatures.count(make_pair(rc, realhash))) {
-      rrc.d_signature=g_signatures[make_pair(rc, realhash)];
+    if(g_signatures.count(lookup)) {
+      // cerr<<"Hit!"<<endl;
+      rrc.d_signature=g_signatures[lookup];
       return;
     }
+    else
+      cerr<<"Miss!"<<endl;
   }
   
   int ret=rsa_pkcs1_sign(&rc.getContext(), RSA_PRIVATE, 
@@ -155,5 +157,5 @@ void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGReco
   rrc.d_signature.assign((char*)signature, sizeof(signature));
 
   Lock l(&g_signatures_lock);
-  g_signatures[make_pair(rc, realhash)] = rrc.d_signature;
+  g_signatures[lookup] = rrc.d_signature;
 }
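Review bot: The second hunk leaves `cerr<<"Miss!"<<endl;` on the cache-miss path inside the `Lock l(&g_signatures_lock)` block, so every uncached signing request now writes (and flushes) to stderr while holding the global signature lock, alongside a commented-out `// cerr<<"Hit!"<<endl;` that reads as leftover debugging; both should be dropped before this lands. The same block does two map traversals, `g_signatures.count(lookup)` followed by `g_signatures[lookup]`, where a single `find` would do and would also avoid `operator[]` default-inserting an empty signature if the two ever disagreed. fillOutRRSIG starts in the first hunk of this file and its cache insert is in the third, so the rewrite below covers only the lookup block.
```cpp
  {
    Lock l(&g_signatures_lock);
    map<pair<string, string>, string>::const_iterator hit = g_signatures.find(lookup);
    if(hit != g_signatures.end()) {
      rrc.d_signature = hit->second;
      return;
    }
  }
  // … unchanged: rsa_pkcs1_sign call and the cache insert under the lock …
```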