return retkeyset;
}
+bool DNSSECKeeper::checkKeys(const DNSName& zone)
+{
+ vector<DNSBackend::KeyData> dbkeyset;
+ d_keymetadb->getDomainKeys(zone, 0, dbkeyset);
+
+ for(const DNSBackend::KeyData &keydata : dbkeyset) {
+ DNSKEYRecordContent dkrc;
+ shared_ptr<DNSCryptoKeyEngine> dke(DNSCryptoKeyEngine::makeFromISCString(dkrc, keydata.content));
+ if (!dke->checkKeys()) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
bool DNSSECKeeper::getPreRRSIGs(UeberBackend& db, const DNSName& signer, const DNSName& qname,
const DNSName& wildcardname, const QType& qtype,
DNSResourceRecord::Place signPlace, vector<DNSResourceRecord>& rrsigs, uint32_t signTTL)
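Review bot: `dke->checkKeys()` at L11 runs on whatever `makeFromISCString` returns without a null check, and any exception raised while a key's content is parsed propagates out of `checkKeys` instead of being reported as an invalid key, so a caller that only looks at the bool never sees a corrupt key as `false`. Whether `makeFromISCString` can return a null pointer or throw is not visible in this hunk; its declaration at L51 is a raw-pointer factory and the related loaders at L29 and L42 do throw on bad input. The loop could treat both cases as a failed check, as below; ownership is never shared here, so `unique_ptr` would also fit if the file already uses it.
```cpp
  for(const DNSBackend::KeyData &keydata : dbkeyset) {
    DNSKEYRecordContent dkrc;
    try {
      shared_ptr<DNSCryptoKeyEngine> dke(DNSCryptoKeyEngine::makeFromISCString(dkrc, keydata.content));
      if (!dke || !dke->checkKeys()) {
        return false;
      }
    }
    catch (const std::exception&) {
      // a key that cannot even be parsed counts as failing the check
      return false;
    }
  }
```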
isc += sline;
}
fclose(fp);
- return makeFromISCString(drc, isc);
+ DNSCryptoKeyEngine* dke = makeFromISCString(drc, isc);
+ if(!dke->checkKeys()) {
+ delete dke;
+ throw runtime_error("Invalid DNS Private Key in file '"+string(fname));
+ }
+ return dke;
}
DNSCryptoKeyEngine* DNSCryptoKeyEngine::makeFromISCString(DNSKEYRecordContent& drc, const std::string& content)
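Review bot: The error message built at L29 opens a quote before the file name but never closes it, so the text reads `...in file 'name`; `throw runtime_error("Invalid DNS Private Key in file '"+string(fname)+"'");` fixes it. L27 also dereferences `dke` without checking for a null return, which the factory declaration at L51 does not rule out; `if(!dke || !dke->checkKeys())` would cover that case if a null return is possible (`delete` on a null pointer is harmless). The body of makeFromISCFile starts outside the hunk.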
stormap[toLower(key)]=raw;
}
dckeSign->fromISCMap(dkrc, stormap);
+ if(!dckeSign->checkKeys()) {
+ throw runtime_error("Verification of keys with creator "+dckeCreate->getName()+" with signer "+dckeSign->getName()+" and verifier "+dckeVerify->getName()+" failed");
+ }
}
string message("Hi! How is life?");
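Review bot: The message at L38 says `Verification of keys ... failed` although the only thing that ran is `dckeSign->checkKeys()`, the engine's own key-consistency check; the sign/verify round-trip that actually verifies begins after this hunk, with the `message` at L41. Naming the check that failed, e.g. `"Key consistency check of signer "+dckeSign->getName()+" (created by "+dckeCreate->getName()+") failed"`, keeps the two failure modes apart in logs. The enclosing function starts and ends outside the hunk.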
throw std::runtime_error("Can't import from PEM string");
}
virtual void fromPublicKeyString(const std::string& content) = 0;
-
+ virtual bool checkKeys() const
+ {
+ return true;
+ }
static DNSCryptoKeyEngine* makeFromISCFile(DNSKEYRecordContent& drc, const char* fname);
static DNSCryptoKeyEngine* makeFromISCString(DNSKEYRecordContent& drc, const std::string& content);
static DNSCryptoKeyEngine* makeFromPEMString(DNSKEYRecordContent& drc, const std::string& raw);
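Review bot: The default `checkKeys()` at L46-49 returns true for any engine that does not override it, so a true result from a caller such as DNSSECKeeper::checkKeys means "no problem found" rather than "key verified", and that difference is not stated anywhere. A comment on the virtual would keep it from being misread: `/// Consistency check of the loaded key material. The default returns true because nothing was checked, not because the key is known good; engines that can validate (the OpenSSL ones override it) return false on inconsistent keys.`.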
bool removeKey(const DNSName& zname, unsigned int id);
bool activateKey(const DNSName& zname, unsigned int id);
bool deactivateKey(const DNSName& zname, unsigned int id);
+ bool checkKeys(const DNSName& zname);
bool getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent* n3p=0, bool* narrow=0);
bool setNSEC3PARAM(const DNSName& zname, const NSEC3PARAMRecordContent& n3p, const bool& narrow=false);
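Review bot: The new declaration at L56 is undocumented and its contract is not obvious from the name: the definition loads every key stored for the zone and returns false as soon as one fails its engine's check, and true after an empty loop (L8-16). A one-line comment would do: `//! Returns false if any key stored for zname fails its engine's checkKeys(); true when the zone has no keys.`.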
std::string getPublicKeyString() const;
void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap);
void fromPublicKeyString(const std::string& content);
+ bool checkKeys() const override;
static DNSCryptoKeyEngine* maker(unsigned int algorithm)
{
throw runtime_error(getName()+" tried to feed an algorithm "+std::to_string(drc.d_algorithm)+" to a "+std::to_string(d_algorithm)+" key");
}
- int ret = RSA_check_key(key);
- if (ret != 1) {
- RSA_free(key);
- throw runtime_error(getName()+" invalid public key");
- }
-
if (d_key)
RSA_free(d_key);
d_key = key;
}
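Review bot: Removing `RSA_check_key` from fromISCMap (L67-72) means a key loaded through `makeFromISCString` is no longer validated at load time: in the hunks shown, the new `checkKeys()` is called only from makeFromISCFile, from the self-test and from DNSSECKeeper::checkKeys, so a private key that reaches the signer via makeFromISCString is accepted for signing until someone runs check-zone. Whether makeFromISCString itself calls checkKeys() cannot be seen here, since its body is outside the hunks; if the move is deliberate (RSA_check_key is costly on every load), a comment at the removal site saying where the check now happens, e.g. `// key consistency is checked by checkKeys(); see makeFromISCFile and DNSSECKeeper::checkKeys`, would stop the next reader from re-adding it. The same applies to the two `EC_KEY_check_key` removals at L101-106 and L116-120.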
+bool OpenSSLRSADNSCryptoKeyEngine::checkKeys() const
+{
+ return (RSA_check_key(d_key) == 1);
+}
+
void OpenSSLRSADNSCryptoKeyEngine::fromPublicKeyString(const std::string& input)
{
string exponent, modulus;
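Review bot: `RSA_check_key(d_key)` at L79 is called without checking `d_key`, although `if (d_key)` at L73 shows the member may be unset, so calling the override on an engine with no key loaded hands a null RSA pointer to OpenSSL; `if (!d_key) return false;` before the call closes that. The comment removed at L88-89 also records that RSA_check_key needs the private components, which means this override returns false for an engine that only holds a public key; that fact belongs on the new function: `// RSA_check_key needs the private components, so a public-only key yields false`. The ECDSA override at L108-111 has the same missing null guard.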
RSA_free(key);
throw runtime_error(getName()+" error loading n value of public key");
}
- /* we cannot use RSA_check_key(), because it requires the private key information
- to be present. */
+
if (d_key)
RSA_free(d_key);
std::string getPublicKeyString() const;
void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap);
void fromPublicKeyString(const std::string& content);
+ bool checkKeys() const override;
static DNSCryptoKeyEngine* maker(unsigned int algorithm)
{
}
EC_POINT_free(pub_key);
-
- ret = EC_KEY_check_key(d_eckey);
- if (ret != 1) {
- throw runtime_error(getName()+" invalid public key");
- }
-
}
+bool OpenSSLECDSADNSCryptoKeyEngine::checkKeys() const
+{
+ return (EC_KEY_check_key(d_eckey) == 1);
+}
void OpenSSLECDSADNSCryptoKeyEngine::fromPublicKeyString(const std::string& input)
{
}
EC_POINT_free(pub_key);
-
- ret = EC_KEY_check_key(d_eckey);
- if (ret != 1) {
- throw runtime_error(getName()+" invalid public key");
- }
}
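Review bot: The second removal (L116-120) takes `EC_KEY_check_key` out of what the context at L112-113 places in fromPublicKeyString, and unlike RSA_check_key that call also validates a public-only key (point on the curve, correct order), so the public keys this engine loads for verification lose their validation entirely; the new `checkKeys()` at L108-111 is not called on that path in the hunks shown. Keeping `if (EC_KEY_check_key(d_eckey) != 1) throw runtime_error(getName()+" invalid public key");` there, or calling `checkKeys()` from fromPublicKeyString, preserves it. If `ret` was declared in these functions only to hold the check result, it is now unused; its declaration is outside the hunk, as is the start of the function holding the first removal at L101-106.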
bool isSecure=dk.isSecuredZone(zone);
bool presigned=dk.isPresigned(zone);
+ bool validKeys=dk.checkKeys(zone);
DNSResourceRecord rr;
uint64_t numrecords=0, numerrors=0, numwarnings=0;
cout<<"[Error] zone '" << zone.toStringNoDot() << "' has NSEC3 semantics but is too long to have the hash prepended. Zone name is " << zone.wirelength() << " bytes long, whereas the maximum is 222 bytes." << endl;
}
+ if (!validKeys) {
+ numerrors++;
+ cout<<"[Error] zone '" << zone.toStringNoDot() << "' has at least one invalid DNS Private Key." << endl;
+ }
+
// Check for delegation in parent zone
DNSName parent(zone);
while(parent.chopOff()) {
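Review bot: `dk.checkKeys(zone)` at L124 is evaluated outside any try block, and DNSSECKeeper::checkKeys (L3-17) does not catch what key loading throws (the loaders at L29 and L42 raise runtime_error on bad input), so an unparsable key aborts check-zone for that zone instead of being counted at L129-131. The report also cannot say which key is bad because the keeper returns only a bool, which is worth a mention in the message or a follow-up. A guarded call, as below, keeps the run going; the existing block at L129-132 still increments `numerrors` because `validKeys` is false.
```cpp
  bool validKeys=true;
  try {
    validKeys=dk.checkKeys(zone);
  }
  catch(const std::exception& e) {
    validKeys=false;
    cout<<"[Error] zone '" << zone.toStringNoDot() << "' has a DNS Private Key that could not be loaded: " << e.what() << endl;
  }
  // … unchanged: DNSResourceRecord rr; counters; NSEC3 checks …
```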