From: Remi Gacogne
Date: Tue, 29 Nov 2022 11:02:23 +0000 (+0100)
Subject: auth: Even better interface for setKey()
X-Git-Tag: dnsdist-1.8.0-rc1~98^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F11600%2Fhead;p=thirdparty%2Fpdns.git
auth: Even better interface for setKey()
---
diff --git a/pdns/dbdnsseckeeper.cc b/pdns/dbdnsseckeeper.cc
index 6d8cb13823..98b86173d7 100644
--- a/pdns/dbdnsseckeeper.cc
+++ b/pdns/dbdnsseckeeper.cc
@@ -110,8 +110,7 @@ bool DNSSECKeeper::addKey(const DNSName& name, bool setSEPBit, int algorithm, in
 throw runtime_error("The algorithm does not support the given bit size.");
 }
 DNSSECPrivateKey dspk;
- dspk.setKey(dpk, setSEPBit ? 257 : 256);
- dspk.setAlgorithm(algorithm);
+ dspk.setKey(dpk, setSEPBit ? 257 : 256, algorithm);
 return addKey(name, dspk, id, active, published) && clearKeyCache(name);
 }
@@ -170,8 +169,7 @@ DNSSECPrivateKey DNSSECKeeper::getKeyById(const DNSName& zname, unsigned int id)
 DNSKEYRecordContent dkrc;
 auto key = shared_ptr(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content));
 DNSSECPrivateKey dpk;
- dpk.setKey(key, kd.flags);
- dpk.setAlgorithm(dkrc.d_algorithm);
+ dpk.setKey(key, kd.flags, dkrc.d_algorithm);
 return dpk;
 }
@@ -583,8 +581,7 @@ DNSSECKeeper::keyset_t DNSSECKeeper::getKeys(const DNSName& zone, bool useCache)
 DNSKEYRecordContent dkrc;
 auto key = shared_ptr(DNSCryptoKeyEngine::makeFromISCString(dkrc, kd.content));
 DNSSECPrivateKey dpk;
- dpk.setKey(key, kd.flags);
- dpk.setAlgorithm(dkrc.d_algorithm);
+ dpk.setKey(key, kd.flags, dkrc.d_algorithm);
 KeyMetaData kmd;
diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh
index 9f2888da6f..e8f98a8715 100644
--- a/pdns/dnssecinfra.hh
+++ b/pdns/dnssecinfra.hh 
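Review bot: In the `addKey` hunk at -110, `algorithm` is an `int` in the signature shown by the hunk header, and the new `dspk.setKey(dpk, setSEPBit ? 257 : 256, algorithm);` passes it into a `std::optional` parameter whose template argument is stripped in this rendering but is presumably `uint8_t`, given that `setAlgorithm(uint8_t)` is what it replaces; that is an implicit narrowing conversion, so an out-of-range value would be truncated silently rather than rejected. The narrowing predates this commit, but this is the line being rewritten, so it is the place to make it explicit, e.g. `dspk.setKey(dpk, setSEPBit ? 257 : 256, static_cast<uint8_t>(algorithm));` after a range check, or by changing the parameter type. Whether an earlier check in `addKey` already bounds `algorithm` cannot be seen here, since the function body starts before the hunk. The `getKeyById` and `getKeys` hunks pass `dkrc.d_algorithm` and do not have this issue.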
@@ -149,20 +149,20 @@ struct DNSSECPrivateKey
 }
 // be aware that calling setKey() will also set the algorithm
- void setKey(std::shared_ptr& key, uint16_t flags)
+ void setKey(std::shared_ptr& key, uint16_t flags, std::optional algorithm = std::nullopt)
 {
 d_key = key;
 d_flags = flags;
- d_algorithm = d_key->getAlgorithm();
+ d_algorithm = algorithm ? *algorithm : d_key->getAlgorithm();
 computeDNSKEY();
 }
 // be aware that calling setKey() will also set the algorithm
- void setKey(std::unique_ptr&& key, uint16_t flags)
+ void setKey(std::unique_ptr&& key, uint16_t flags, std::optional algorithm = std::nullopt)
 {
 d_key = std::move(key);
 d_flags = flags;
- d_algorithm = d_key->getAlgorithm();
+ d_algorithm = algorithm ? *algorithm : d_key->getAlgorithm();
 computeDNSKEY();
 }
@@ -178,11 +178,6 @@ struct DNSSECPrivateKey
 return d_algorithm;
 }
- void setAlgorithm(uint8_t algo)
- {
- d_algorithm = algo;
- }
- private:
 void computeDNSKEY();
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 811526ea07..14dc785a72 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -3513,8 +3513,7 @@ try
 else {
 flags = 257; // ksk
 }
- dpk.setKey(key, flags);
- dpk.setAlgorithm(algo);
+ dpk.setKey(key, flags, algo);
 int64_t id;
 if (!dk.addKey(DNSName(zone), dpk, id)) {
@@ -3566,11 +3565,11 @@ try
 }
 DNSSECPrivateKey dpk;
- dpk.setKey(key, flags);
-
- if (dpk.getAlgorithm() == DNSSECKeeper::RSASHA1NSEC3SHA1) {
- dpk.setAlgorithm(DNSSECKeeper::RSASHA1);
+ uint8_t algo = key->getAlgorithm();
+ if (algo == DNSSECKeeper::RSASHA1NSEC3SHA1) {
+ algo = DNSSECKeeper::RSASHA1;
 }
+ dpk.setKey(key, flags, algo);
 int64_t id;
 if (!dk.addKey(DNSName(zone), dpk, id, active, published)) {
@@ -3650,8 +3649,7 @@ try
 }
 dpk->create(bits);
 DNSSECPrivateKey dspk;
- dspk.setKey(dpk, keyOrZone ? 257 : 256);
- dspk.setAlgorithm(algorithm);
+ dspk.setKey(dpk, keyOrZone ? 257 : 256, algorithm);
 // print key to stdout
 cout << "Flags: " << dspk.getFlags() << endl << 
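Review bot: The context comment `// be aware that calling setKey() will also set the algorithm` above both `setKey()` overloads in the dnssecinfra.hh hunk at -149 is now incomplete: the algorithm is taken from the key only when the new optional parameter is absent, and an explicitly passed value is stored in `d_algorithm` without being compared to `d_key->getAlgorithm()` before `computeDNSKEY()` runs. Suggest replacing the comment on both overloads with `// sets the algorithm from the key unless one is passed explicitly; an explicit value is stored unchecked and must be one the key material can sign for (callers use this for the RSASHA1NSEC3SHA1 -> RSASHA1 aliasing and for fake algorithm numbers in tests)`, so that the DNSKEY/algorithm consistency contract is stated where the override is offered rather than left to each caller. The header's include list is outside the hunk; `std::optional` needs `<optional>` if this header does not already include it. The template arguments of `std::shared_ptr`, `std::unique_ptr` and `std::optional` appear stripped in this rendering, so the parameter types cannot be confirmed from the page.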
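Review bot: The RSASHA1NSEC3SHA1 -> RSASHA1 normalisation in the pdnsutil.cc hunk at -3566 now takes the algorithm from `key->getAlgorithm()`, while the identical normalisation in the ws-auth.cc hunk at -1307 takes it from `dkrc.d_algorithm`; one import rule with two different inputs is the kind of divergence that later shows up as a key that imports differently through the CLI and the API. Where `key` and `dkrc` are produced is outside both hunks, so this is hedged: if the two sources are always equal after `makeFromISCString`, a shared helper such as `static uint8_t normaliseImportedAlgorithm(uint8_t algo)` called from both sites would make that explicit; if they can differ, a comment at each site saying which one is authoritative would do. The enclosing `try` block of `main` starts before the hunk.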
diff --git a/pdns/recursordist/test-syncres_cc4.cc b/pdns/recursordist/test-syncres_cc4.cc
index 24f6bd8e0f..3764a0dd24 100644
--- a/pdns/recursordist/test-syncres_cc4.cc
+++ b/pdns/recursordist/test-syncres_cc4.cc
@@ -1194,9 +1194,8 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_algorithm)
 auto dcke = DNSCryptoKeyEngine::make(DNSSECKeeper::ECDSA256);
 dcke->create(dcke->getBits());
 DNSSECPrivateKey dpk;
- dpk.setKey(std::move(dcke), 256);
 /* Fake algorithm number (private) */
- dpk.setAlgorithm(253);
+ dpk.setKey(std::move(dcke), 256, 253);
 DSRecordContent drc = makeDSFromDNSKey(target, dpk.getDNSKEY(), DNSSECKeeper::DIGEST_SHA256);
 keys[target] = std::pair(dpk, drc);
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 50d4b99951..4be003cf50 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -1307,11 +1307,11 @@ static void apiZoneCryptokeysPOST(const DNSName& zonename, HttpRequest *req, Htt
 }
 uint8_t algorithm = dkrc.d_algorithm;
- dpk.setKey(dke, flags);
 // TODO remove in 4.2.0
 if (algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1) {
- dpk.setAlgorithm(DNSSECKeeper::RSASHA1);
+ algorithm = DNSSECKeeper::RSASHA1;
 }
+ dpk.setKey(dke, flags, algorithm);
 } catch (std::runtime_error& error) {
 throw ApiException("Key could not be parsed. Make sure your key format is correct.");
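Review bot: The context line `// TODO remove in 4.2.0` in the ws-auth.cc hunk at -1307 now sits above a normalisation that this commit (dated 2022, tagged dnsdist-1.8.0-rc1) rewrites rather than removes, so the note names a release that has long passed; either drop the RSASHA1NSEC3SHA1 handling as the TODO asks, or replace the comment with one that says why it stays, e.g. `// keys imported as RSASHA1NSEC3SHA1 are stored as RSASHA1: same RSA/SHA-1 key material, kept for compatibility with existing key files`. The move of `dpk.setKey(dke, flags, algorithm);` below the `if` means the stored algorithm now comes from `dkrc.d_algorithm` rather than from `dke->getAlgorithm()`; assuming the two agree for a key built by `makeFromISCString`, which is outside the hunk, the observable result is unchanged and the remaining point is documentation only. The enclosing `try` block of `apiZoneCryptokeysPOST` starts before the hunk.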