From: Bert Hubert
Date: Fri, 7 Jan 2011 23:57:48 +0000 (+0000)
Subject: make dnsseckeeper & dnssecinfra code, plus pdnssec, aware of non-RSASHA1 algorithms...
X-Git-Tag: auth-3.0~412
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a254438fbdde79e671fd08d685bcdb6c6b140513;p=pdns

make dnsseckeeper & dnssecinfra code, plus pdnssec, aware of non-RSASHA1 algorithms, specifically RSASHA256. Rest of PowerDNSSEC has no clue yet.
git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1835 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 8361eda9a..21496de4a 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -37,6 +37,7 @@ void DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, int algorithm
 bits = keyOrZone ? 2048 : 1024;
 DNSSECPrivateKey dpk;
 dpk.d_key.create(bits);
+ dpk.d_algorithm = algorithm;
 addKey(name, keyOrZone, dpk, active);
 }
@@ -45,8 +46,7 @@ void DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, const DNSSECP
 DNSBackend::KeyData kd;
 kd.flags = 256 + keyOrZone;
 kd.active = active;
- kd.content = dpk.d_key.convertToISC(5);
-
+ kd.content = dpk.d_key.convertToISC(dpk.d_algorithm);
 // now store it
 d_db.addDomainKey(name, kd);
 }
@@ -67,16 +67,13 @@ DNSSECPrivateKey DNSSECKeeper::getKeyById(const std::string& zname, unsigned int
 continue;
 DNSSECPrivateKey dpk;
-
- getRSAKeyFromISCString(&dpk.d_key.getContext(), kd.content);
+ DNSKEYRecordContent dkrc = getRSAKeyFromISCString(&dpk.d_key.getContext(), kd.content);
 dpk.d_flags = kd.flags;
- dpk.d_algorithm = 5 + 2*getNSEC3PARAM(zname);
+ dpk.d_algorithm = dkrc.d_algorithm;
- KeyMetaData kmd;
-
- kmd.active = kd.active;
- kmd.keyOrZone = (kd.flags == 257);
- kmd.id = kd.id;
+ if(dpk.d_algorithm == 5 && getNSEC3PARAM(zname)) {
+ dpk.d_algorithm += 2;
+ }
 return dpk;
 }
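Review bot: The new `dpk.d_algorithm = algorithm;` in the generating overload of DNSSECKeeper::addKey stores whatever number the caller passed, and nothing on this path checks it against the only values the rest of the commit knows how to name (5, 7 and 8 in RSAContext::convertToISC), so an unknown number is minted into a fresh RSA key, written to the backend, and only surfaces later as a key the signer cannot use. I would refuse it before the key is generated, `if(algorithm != 5 && algorithm != 7 && algorithm != 8) throw runtime_error("unsupported DNSSEC algorithm requested");` (using whatever exception type this file already throws), so no key material is created for a request that cannot be stored. The `bits = keyOrZone ? 2048 : 1024;` context line also fixes a 1024-bit default for ZSKs, which is on the weak side for RSA today; a comment stating that this is the fallback size and that callers may pass a larger one would help whoever revisits it. The start of this overload, where bits is presumably tested for zero before that line, is outside the hunk.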
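Review bot: `kd.content = dpk.d_key.convertToISC(dpk.d_algorithm);` in the storing overload now trusts that every DNSSECPrivateKey handed to it carries a meaningful d_algorithm; the generating overload above sets it, but callers that assemble a DNSSECPrivateKey themselves (an import path, for instance) are not visible here, and whether the struct default-initialises d_algorithm cannot be seen from this diff. If it does not, such a key is persisted under an indeterminate algorithm number and the problem only shows up when the key is read back. A guard at the top of the overload, `if(dpk.d_algorithm == 0) throw runtime_error("refusing to store a key with no algorithm set");`, turns that into an error at the point of storage (provided 0 is indeed the unset value; otherwise an explicit initialiser on the struct is the right fix). The overload's signature line is outside the hunk.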
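Review bot: In getKeyById the algorithm now comes from the stored key file via `dkrc.d_algorithm`, which is accepted without checking it is one of the values the signer handles, and the NSEC3 adjustment is one-way: a stored 5 becomes 7 when the zone has an NSEC3PARAM, but a stored 7 (which an imported ISC file can carry) is never mapped back to 5 once the zone is plain NSEC, so the DNSKEY keeps advertising RSASHA1-NSEC3-SHA1, which is exactly the signal older validators use to treat a zone as unsigned. I would normalise in both directions and reject the rest: `if(getNSEC3PARAM(zname)) { if(dpk.d_algorithm == 5) dpk.d_algorithm = 7; } else if(dpk.d_algorithm == 7) dpk.d_algorithm = 5;` followed by a check that the result is 5, 7 or 8 before handing the key to the caller. This also leans on getRSAKeyFromISCString actually parsing the file's `Algorithm:` line into dkrc.d_algorithm; the dnssecinfra.cc hunk below only removes the old zeroing and the parsing side is not legible in this diff, so that is worth confirming. The loop header and the rest of getKeyById are outside the hunk.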
@@ -159,9 +156,11 @@ DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const std::string& zone, boost::tri
 {
 DNSSECPrivateKey dpk;
- getRSAKeyFromISCString(&dpk.d_key.getContext(), kd.content);
+ DNSKEYRecordContent dkrc=getRSAKeyFromISCString(&dpk.d_key.getContext(), kd.content);
 dpk.d_flags = kd.flags;
- dpk.d_algorithm = 5 + 2*getNSEC3PARAM(zone);
+ dpk.d_algorithm = dkrc.d_algorithm;
+ if(dpk.d_algorithm == 5 && getNSEC3PARAM(zone))
+ dpk.d_algorithm+=2;
 KeyMetaData kmd;
diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index eec44bfa0..6aba1e020 100644
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -46,7 +46,17 @@ std::string RSAContext::convertToISC(unsigned int algorithm) const
 ("Exponent2",&d_context.DQ)
 ("Coefficient",&d_context.QP);
- ret = "Private-key-format: v1.2\nAlgorithm: "+lexical_cast(algorithm)+" (RSASHA1)\n";
+ ret = "Private-key-format: v1.2\nAlgorithm: "+lexical_cast(algorithm);
+ switch(algorithm) {
+ case 5:
+ case 7 :
+ ret+= " (RSASHA1)";
+ break;
+ case 8:
+ ret += " (RSASHA256)";
+ break;
+ }
+ ret += "\n";
 BOOST_FOREACH(outputs_t::value_type value, outputs) {
 ret += value.first;
@@ -95,23 +105,25 @@ DNSKEYRecordContent getRSAKeyFromISC(rsa_context* rsa, const char* fname)
 continue;
 if(places.count(key)) {
 if(places[key]) {
-
- int len=sizeof(decoded);
- if(base64_decode(decoded, &len, (unsigned char*)value.c_str(), value.length()) < 0) {
- cerr<<"Error base64 decoding '"<len = ( mpi_msb( &rsa->N ) + 7 ) >> 3; // no clue what this does
@@ -191,7 +204,7 @@ DNSKEYRecordContent getRSAKeyFromISCString(rsa_context* rsa, const std::string& 
 drc.d_key.append(exponent);
 drc.d_key.append(modulus);
 drc.d_protocol=3;
- drc.d_algorithm = 0; // should not be filled out here..
+
 return drc;
 }
diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index 9349587ac..354dd35be 100644
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
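Review bot: getKeys now carries a second copy of the algorithm-promotion logic introduced in getKeyById, and the two already differ cosmetically (no braces and `dpk.d_algorithm+=2;` here versus a braced block there), which is how the next check added to one of them ends up missing from the other. I would factor it into one file-local helper, `static uint8_t effectiveAlgorithm(uint8_t stored, bool nsec3) { return (stored == 5 && nsec3) ? 7 : stored; }` (assuming d_algorithm is a uint8_t), and write `dpk.d_algorithm = effectiveAlgorithm(dkrc.d_algorithm, getNSEC3PARAM(zone));` in both places. The same caveats apply as in getKeyById: the stored number is trusted unchecked and a stored 7 is never demoted for an NSEC zone. The surrounding loop in getKeys begins before and ends after the hunk.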
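Review bot: The new `switch(algorithm)` in RSAContext::convertToISC has no `default:`, so any number other than 5, 7 or 8 is serialised as a bare `Algorithm: N` line with no name and the key file is produced as if nothing were wrong; since that number is later read back as the key's algorithm, this is the natural place to refuse an unsupported value. Add `default: throw runtime_error("unsupported DNSSEC algorithm for ISC private key export");` (or the exception type this file already uses) before the `ret += "\n";` line. Note also that algorithm 7 is labelled `(RSASHA1)` here whereas, as far as I recall, BIND's dnssec-keygen writes `NSEC3RSASHA1` for it; the name is only a comment field in the ISC format, but if these files are meant to round-trip through BIND tooling a comment saying so, or matching the label, would avoid confusion. The function body continues on both sides of the hunk.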
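Review bot: The context line `rsa->len = ( mpi_msb( &rsa->N ) + 7 ) >> 3; // no clue what this does` in getRSAKeyFromISC deserves a real comment: the expression takes the bit length of the modulus N and rounds it up to whole bytes, so it is setting the RSA context's modulus size in bytes, e.g. `// rsa->len = modulus size in bytes (bit length of N rounded up to a whole byte)`. Most of this hunk, including whatever replaced the removed base64_decode error path (`- cerr<<"Error base64 decoding '"...`), is not legible in this rendering, so the new decoding code is not reviewed here; it is worth checking that a failed decode still aborts instead of continuing with a partially filled buffer. getRSAKeyFromISC begins and ends outside the hunk.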
@@ -201,7 +201,8 @@ try
 cerr<<"Usage: \npdnssec [options] [show-zone] [secure-zone] [rectify-zone] [add-zone-key] [deactivate-zone-key] [remove-zone-key] [activate-zone-key]\n";
 cerr<<" [import-zone-key] [export-zone-key] [set-nsec3] [unset-nsec3] [export-zone-dnskey]\n\n";
 cerr<<"activate-zone-key ZONE KEY-ID Activate the key with key id KEY-ID in ZONE\n";
- cerr<<"add-zone-key ZONE [zsk|ksk] Add a ZSK or KSK to a zone (ZSK only now)\n";
+ cerr<<"add-zone-key ZONE [zsk|ksk] \n";
+ cerr<<" [bits] [rsasha1|rsasha256] Add a ZSK or KSK to a zone\n";
 cerr<<"deactivate-zone-key Dectivate the key with key id KEY-ID in ZONE\n";
 cerr<<"export-zone-dnskey ZONE KEY-ID Export to stdout the public DNSKEY described\n";
 cerr<<"export-zone-key ZONE KEY-ID Export to stdout the private key described\n";
@@ -286,21 +287,26 @@ try
 // need to get algorithm, bits & ksk or zsk from commandline
 bool keyOrZone=false;
 int bits=0;
+ int algorithm=5;
 for(unsigned int n=2; n < cmds.size(); ++n) {
 if(pdns_iequals(cmds[n], "zsk"))
 keyOrZone = false;
 else if(pdns_iequals(cmds[n], "ksk"))
 keyOrZone = true;
+ else if(pdns_iequals(cmds[n], "rsasha1"))
+ algorithm=5;
+ else if(pdns_iequals(cmds[n], "rsasha256"))
+ algorithm=8;
 else if(atoi(cmds[n].c_str()))
 bits = atoi(cmds[n].c_str());
 else {
- cerr<<"Unknown key flag or size '"<
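Review bot: The new usage line `[bits] [rsasha1|rsasha256] Add a ZSK or KSK to a zone` does not say what is assumed when the optional arguments are omitted; from the parser further down the defaults are a ZSK with algorithm 5 and bits 0, which DNSSECKeeper::addKey presumably turns into 1024 bits for a ZSK and 2048 for a KSK (the `bits = keyOrZone ? 2048 : 1024;` line in dbdnsseckeeper.cc, whose guard is outside that hunk). I would state it in the help so operators know a plain `add-zone-key ZONE` yields a 1024-bit RSASHA1 ZSK: `cerr<<" [bits] [rsasha1|rsasha256] Add a ZSK or KSK to a zone (default: zsk, rsasha1,\n";` followed by `cerr<<"                                  1024 bits for a ZSK / 2048 for a KSK)\n";`. The usage block continues outside the hunk.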