auth API cryptokeys: add cds array when configured to do so. Closes #10215
authorPeter van Dijk <peter.van.dijk@powerdns.com>
Thu, 25 Mar 2021 10:47:49 +0000 (11:47 +0100)
committerPeter van Dijk <peter.van.dijk@powerdns.com>
Thu, 25 Mar 2021 10:47:56 +0000 (11:47 +0100)
pdns/ws-auth.cc

index a17e05814fa9ab8ba35ed3e122cba40d34d5ad2c..86e2c0ba2c8111f122c118d4e665092134962c11 100644 (file)
@@ -1095,13 +1095,34 @@ static void apiZoneCryptokeysGET(const DNSName& zonename, int inquireKeyId, Http
         { "bits", value.first.getKey()->getBits() }
     };
 
+    string publishCDS;
+    dk->getPublishCDS(zonename, publishCDS);
+
+    vector<string> digestAlgos;
+    stringtok(digestAlgos, publishCDS, ", ");
+
+    std::set<unsigned int> CDSalgos;
+    for(auto const &digestAlgo : digestAlgos) {
+      CDSalgos.insert(pdns_stou(digestAlgo));
+    }
+
     if (value.second.keyType == DNSSECKeeper::KSK || value.second.keyType == DNSSECKeeper::CSK) {
+      Json::array cdses;
       Json::array dses;
       for(const uint8_t keyid : { DNSSECKeeper::DIGEST_SHA1, DNSSECKeeper::DIGEST_SHA256, DNSSECKeeper::DIGEST_GOST, DNSSECKeeper::DIGEST_SHA384 })
         try {
-          dses.push_back(makeDSFromDNSKey(zonename, value.first.getDNSKEY(), keyid).getZoneRepresentation());
+          string ds = makeDSFromDNSKey(zonename, value.first.getDNSKEY(), keyid).getZoneRepresentation();
+
+          dses.push_back(ds);
+
+          if (CDSalgos.count(keyid)) { cdses.push_back(ds); }
         } catch (...) {}
+
       key["ds"] = dses;
+
+      if (cdses.size()) {
+        key["cds"] = cdses;
+      }
     }
 
     if (inquireSingleKey) {
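Review bot: The new `CDSalgos.insert(pdns_stou(digestAlgo));` loop sits outside the `try { … } catch (...) {}` further down, so a PUBLISH-CDS value that is not a clean list of numbers (a typo, a stray token, an out-of-range number) would presumably throw out of apiZoneCryptokeysGET and fail the whole cryptokeys listing for that zone instead of just omitting `cds`. Guard the conversion, for example `try { CDSalgos.insert(pdns_stou(digestAlgo)); } catch (const std::exception&) { /* report the malformed entry */ }`, and prefer reporting over silent skipping so a misconfigured zone gets noticed. The metadata lookup and parsing also look loop-invariant: they depend only on `zonename`, yet appear to run once per key (`value`), so they could be hoisted above the key loop. The function begins and ends outside this hunk, so the loop header and any outer exception handling are not visible here.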