addKey(name, true, algorithm);
}
-bool getSignerFor(DNSSECKeeper& dk, const std::string& qname, std::string &signer)
+bool getSignerFor(DNSSECKeeper& dk, const std::string& qname, std::string &signer, uint8_t& algorithm)
{
signer=qname;
+ DNSSECPrivateKey dpk;
do {
- if(dk.haveActiveKSKFor(signer))
+ if(dk.haveActiveKSKFor(signer, &dpk)) {
+ algorithm = dpk.d_algorithm;
return true;
+ }
} while(chopOff(signer));
return false;
}
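Review bot: The new `algorithm` out-parameter is written only on the success path (line 11), so a caller that ignores the `false` return reads an unset value; the function has no comment saying so. I would document the contract above the definition, e.g. `// Walks up from qname looking for a zone with an active KSK; on success 'signer' is that zone and 'algorithm' its DNSKEY algorithm number. On failure 'algorithm' is left untouched.` The `dpk` object at line 7 is presumably filled in by `haveActiveKSKFor` when it returns true; if that is not guaranteed for every backend, `dpk.d_algorithm` would be read uninitialized, so it may be worth value-initializing it (`DNSSECPrivateKey dpk{};`) or confirming the callee's contract.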
rrc.d_originalttl=signTTL;
rrc.d_siginception=getCurrentInception();;
rrc.d_sigexpire = rrc.d_siginception + 14*86400; // XXX should come from zone metadata
-
+
rrc.d_tag=0;
- if(!getSignerFor(dk, signQName, rrc.d_signer)) {
+ if(!getSignerFor(dk, signQName, rrc.d_signer, rrc.d_algorithm)) {
cerr<<"No signer known for '"<<signQName<<"'\n";
return -1;
}
unsigned char signature[mpi_size(&rc.getContext().N)];
- int ret=rsa_pkcs1_sign(&rc.getContext(), RSA_PRIVATE, SIG_RSA_SHA1, 20, (unsigned char*) realhash.c_str(), signature);
+ int ret=rsa_pkcs1_sign(&rc.getContext(), RSA_PRIVATE,
+ rrc.d_algorithm < 8 ? SIG_RSA_SHA1 : SIG_RSA_SHA256,
+ rrc.d_algorithm < 8 ? 20 : 32,
+ (unsigned char*) realhash.c_str(), signature);
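Review bot: The digest choice at lines 31–32 treats every algorithm number from 8 upward as RSA/SHA-256, so a key with a different algorithm (RSASHA512 is algorithm 10 in the DNSSEC registry, and algorithms 3 and 6 are DSA, not RSA) is signed with the wrong digest and the resulting RRSIG fails validation silently instead of being rejected here. The same comparison is spelled twice with different forms (`< 8` here, `<= 7` at line 43 in the hashing hunk), and because `rsa_pkcs1_sign` takes the hash length from one place and the buffer from the other, any drift between the two hands the signer a length that does not match what `realhash` holds. I would route both sites through one helper that maps the algorithm to its digest id and length, rejects everything else, and have this call site also check `realhash.size()` against that length; the hashing branch at lines 43–51 would then switch on the same helper's result. The enclosing function starts and ends outside this hunk.
```cpp
// Maps an RRSIG/DNSKEY algorithm number to the PolarSSL digest id and
// digest length this signer supports; returns false for anything else.
static bool digestForAlgorithm(uint8_t algorithm, int& sigAlg, unsigned int& hashLen)
{
  switch(algorithm) {
  case 5:  // RSASHA1
  case 7:  // RSASHA1-NSEC3-SHA1
    sigAlg = SIG_RSA_SHA1; hashLen = 20; return true;
  case 8:  // RSASHA256
    sigAlg = SIG_RSA_SHA256; hashLen = 32; return true;
  default:
    return false;
  }
}

// … unchanged: signer lookup, signature buffer …
int sigAlg; unsigned int hashLen;
if(!digestForAlgorithm(rrc.d_algorithm, sigAlg, hashLen) || realhash.size() != hashLen) {
  cerr<<"Unsupported signing algorithm "<<(int)rrc.d_algorithm<<" for '"<<signQName<<"'\n";
  return -1;
}
int ret=rsa_pkcs1_sign(&rc.getContext(), RSA_PRIVATE, sigAlg, hashLen,
                       (unsigned char*) realhash.c_str(), signature);
```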
if(ret!=0) {
cerr<<"signing returned: "<<ret<<endl;
toHash.append(rdata);
}
// cerr<<"toHash: "<<makeHexDump(toHash)<<endl;
- unsigned char hash[20];
- sha1((unsigned char*)toHash.c_str(), toHash.length(), hash);
- return string((char*)hash, 20);
+
+ if(rrc.d_algorithm <= 7 ) {
+ unsigned char hash[20];
+ sha1((unsigned char*)toHash.c_str(), toHash.length(), hash);
+ return string((char*)hash, sizeof(hash));
+ } else {
+ unsigned char hash[32];
+ sha2((unsigned char*)toHash.c_str(), toHash.length(), hash, 0);
+ return string((char*)hash, sizeof(hash));
+ }
}
DSRecordContent makeDSFromDNSKey(const std::string& qname, const DNSKEYRecordContent& drc, int digest)
sha1((unsigned char*)toHash.c_str(), toHash.length(), hash);
if(!times--)
break;
- toHash.assign((char*)hash, 20);
+ toHash.assign((char*)hash, sizeof(hash));
toHash.append(salt);
}
- return string((char*)hash, 20);
+ return string((char*)hash, sizeof(hash));
}
DNSKEYRecordContent DNSSECPrivateKey::getDNSKEY() const
{
class RSAContext;
class DNSSECKeeper;
-bool getSignerFor(DNSSECKeeper& dk, const std::string& keyrepodir, const std::string& qname, std::string &signer);
+bool getSignerFor(DNSSECKeeper& dk, const std::string& keyrepodir, const std::string& qname, std::string &signer, uint8_t& algorithm);
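Review bot: The declaration at line 69 keeps a `keyrepodir` parameter between `dk` and `qname` that the definition at line 4 does not have, and the call at line 24 passes four arguments matching the definition, not this declaration. If the header and the implementation file are meant to describe the same function, this declaration is stale and should read `bool getSignerFor(DNSSECKeeper& dk, const std::string& qname, std::string &signer, uint8_t& algorithm);`; if an overload taking `keyrepodir` still exists elsewhere, a short comment on which one callers should use would avoid the ambiguity. I cannot see the rest of the header, so this is inferred from the two visible signatures.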
DNSKEYRecordContent getDNSKEYFor(DNSSECKeeper& dk, const std::string& keyrepodir, const std::string& qname, bool withKSK, RSAContext* rc);
void fillOutRRSIG(DNSSECKeeper& dk, const std::string& signQName, RRSIGRecordContent& rrc, const std::string& hash, vector<shared_ptr<DNSRecordContent> >& toSign, bool withKSK=false);
uint32_t getCurrentInception();