From: Peter van Dijk
Date: Thu, 25 Mar 2021 10:47:49 +0000 (+0100)
Subject: auth API cryptokeys: add cds array when configured to do so. Closes #10215
X-Git-Tag: dnsdist-1.6.0-rc1~39^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2bb1f06cd51a10f63c29bfa2ef309719a5b688cb;p=thirdparty%2Fpdns.git

auth API cryptokeys: add cds array when configured to do so. Closes #10215
---
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index a17e05814f..86e2c0ba2c 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -1095,13 +1095,34 @@ static void apiZoneCryptokeysGET(const DNSName& zonename, int inquireKeyId, Http
 { "bits", value.first.getKey()->getBits() }
 };
+ string publishCDS;
+ dk->getPublishCDS(zonename, publishCDS);
+
+ vector digestAlgos;
+ stringtok(digestAlgos, publishCDS, ", ");
+
+ std::set CDSalgos;
+ for(auto const &digestAlgo : digestAlgos) {
+ CDSalgos.insert(pdns_stou(digestAlgo));
+ }
+
 if (value.second.keyType == DNSSECKeeper::KSK || value.second.keyType == DNSSECKeeper::CSK) {
+ Json::array cdses;
 Json::array dses;
 for(const uint8_t keyid : { DNSSECKeeper::DIGEST_SHA1, DNSSECKeeper::DIGEST_SHA256, DNSSECKeeper::DIGEST_GOST, DNSSECKeeper::DIGEST_SHA384 })
 try {
- dses.push_back(makeDSFromDNSKey(zonename, value.first.getDNSKEY(), keyid).getZoneRepresentation());
+ string ds = makeDSFromDNSKey(zonename, value.first.getDNSKEY(), keyid).getZoneRepresentation();
+
+ dses.push_back(ds);
+
+ if (CDSalgos.count(keyid)) { cdses.push_back(ds); }
 } catch (...) {}
+
 key["ds"] = dses;
+
+ if (cdses.size()) {
+ key["cds"] = cdses;
+ }
 }
 if (inquireSingleKey) {
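Review bot: The added `CDSalgos.insert(pdns_stou(digestAlgo));` runs outside the `try`/`catch (...)` that guards the DS generation further down, so a publish-CDS value with a non-numeric or out-of-range token would throw out of this block instead of being skipped, assuming `pdns_stou` throws like the `std::stoul` family. Whether an outer handler turns that into a clean API error cannot be seen here, because apiZoneCryptokeysGET starts and ends outside the hunk. Since the string from `getPublishCDS` is stored configuration rather than a constant, I would parse it defensively, e.g. `try { CDSalgos.insert(pdns_stou(digestAlgo)); } catch (const std::exception&) { /* skip malformed publish-CDS entry */ }`, or reject it with an explicit error message. The lookup and parse also do not depend on `value`, so if this block runs once per key (the loop header is not visible) it could be hoisted above that loop. A one-line comment that the ignored return value of `dk->getPublishCDS(...)` is intentional, since an empty string gives an empty set and no `cds` array, would help the next reader.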