/** If there are KSKs use only them and mark ZSKs unused */
static void
-ldns_key_list_filter_for_dnskey(ldns_key_list *key_list)
+ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags)
{
- int saw_ksk = 0;
+ bool algos[256] = { false };
+ ldns_signing_algorithm saw_ksk = 0;
+ ldns_key *key;
size_t i;
- for(i=0; i<ldns_key_list_key_count(key_list); i++)
- if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
- saw_ksk = 1;
- break;
- }
- if(!saw_ksk)
+
+ if (!ldns_key_list_key_count(key_list))
return;
- for(i=0; i<ldns_key_list_key_count(key_list); i++)
- if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
- ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
+
+ for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
+ key = ldns_key_list_key(key_list, i);
+ if ((ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_ksk)
+ saw_ksk = ldns_key_algorithm(key);
+ algos[ldns_key_algorithm(key)] = true;
+ }
+ if (!saw_ksk)
+ return;
+ else
+ algos[saw_ksk] = 0;
+
+ for (i =0; i < ldns_key_list_key_count(key_list); i++) {
+ key = ldns_key_list_key(key_list, i);
+ if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
+ /* We have a ZSK.
+ * Still use it if it has a unique algorithm though!
+ */
+ if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
+ algos[ldns_key_algorithm(key)])
+ algos[ldns_key_algorithm(key)] = false;
+ else
+ ldns_key_set_use(key, 0);
+ }
+ }
}
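Review bot: The "unique algorithm" exception only accounts for the first KSK's algorithm, so with two KSKs of different algorithms a ZSK that shares the second KSK's algorithm is still left in use at L41-L43 and the DNSKEY RRset gets a redundant ZSK signature. The cause is that `saw_ksk` doubles as a seen-flag and as a single algorithm number (L26-L27, L33); it also means a KSK whose algorithm value is 0 is treated as absent. Tracking a bool per algorithm covered by any KSK fixes both, and it keeps the same `flags` contract for callers. Separately, `algos[ldns_key_algorithm(key)]` indexes a 256-entry stack array with whatever `ldns_key_algorithm()` returns; I cannot tell from this hunk whether that value is always below 256 (e.g. when the algorithm comes from the `-k <id>,<int>` engine option rather than a parsed DNSKEY), so if it is not, a range check is needed before the index to avoid an out-of-bounds stack write.
```c
static void
ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags)
{
	bool covered[256] = { false }; /* algorithms already signed for by a KSK */
	bool saw_ksk = false;
	/* … unchanged: key/i declarations, empty-list guard … */
	for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
		key = ldns_key_list_key(key_list, i);
		if (ldns_key_flags(key) & LDNS_KEY_SEP_KEY) {
			saw_ksk = true;
			covered[ldns_key_algorithm(key)] = true;
		}
	}
	if (!saw_ksk)
		return;
	for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
		key = ldns_key_list_key(key_list, i);
		if (ldns_key_flags(key) & LDNS_KEY_SEP_KEY)
			continue;
		/* Keep a ZSK only if no KSK (or earlier kept ZSK) has its algorithm */
		if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
		    !covered[ldns_key_algorithm(key)])
			covered[ldns_key_algorithm(key)] = true;
		else
			ldns_key_set_use(key, 0);
	}
}
```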
/** If there are no ZSKs use KSK as ZSK */
static void
-ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list)
+ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags)
{
- int saw_zsk = 0;
+ bool algos[256] = { false };
+ ldns_signing_algorithm saw_zsk = 0;
+ ldns_key *key;
size_t i;
- for(i=0; i<ldns_key_list_key_count(key_list); i++)
- if(!(ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY)) {
- saw_zsk = 1;
- break;
- }
- if(!saw_zsk)
+
+ if (!ldns_key_list_key_count(key_list))
+ return;
+
+ for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
+ key = ldns_key_list_key(key_list, i);
+ if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY) && !saw_zsk)
+ saw_zsk = ldns_key_algorithm(key);
+ algos[ldns_key_algorithm(key)] = true;
+ }
+ if (!saw_zsk)
return;
- /* else filter all KSKs */
- for(i=0; i<ldns_key_list_key_count(key_list); i++)
- if((ldns_key_flags(ldns_key_list_key(key_list, i))&LDNS_KEY_SEP_KEY))
- ldns_key_set_use(ldns_key_list_key(key_list, i), 0);
+ else
+ algos[saw_zsk] = 0;
+
+ for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
+ key = ldns_key_list_key(key_list, i);
+ if((ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
+ /* We have a KSK.
+ * Still use it if it has a unique algorithm though!
+ */
+ if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
+ algos[ldns_key_algorithm(key)])
+ algos[ldns_key_algorithm(key)] = false;
+ else
+ ldns_key_set_use(key, 0);
+ }
+ }
}
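Review bot: Only the first ZSK's algorithm is recorded in `saw_zsk` (L71-L72) and cleared from `algos` (L82), so when two ZSKs use different algorithms a KSK sharing the second ZSK's algorithm survives the filter at L90-L92 and signs non-DNSKEY RRsets that a ZSK already covers, which is the opposite of what the `-U` help text promises. Reusing `saw_zsk` as both a seen-flag and an algorithm number also makes a ZSK with algorithm 0 look absent. Marking every ZSK's algorithm as covered in the first loop, with a plain bool for "seen", removes both problems without changing the function's signature. As with the DNSKEY variant, `algos[ldns_key_algorithm(key)]` trusts the return value to be below 256; if engine-supplied algorithm numbers (`-k <id>,<int>`) are not validated elsewhere, a bound check belongs in front of the index.
```c
static void
ldns_key_list_filter_for_non_dnskey(ldns_key_list *key_list, int flags)
{
	bool covered[256] = { false }; /* algorithms already signed for by a ZSK */
	bool saw_zsk = false;
	/* … unchanged: key/i declarations, empty-list guard … */
	for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
		key = ldns_key_list_key(key_list, i);
		if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
			saw_zsk = true;
			covered[ldns_key_algorithm(key)] = true;
		}
	}
	if (!saw_zsk)
		return;
	for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
		key = ldns_key_list_key(key_list, i);
		if (!(ldns_key_flags(key) & LDNS_KEY_SEP_KEY))
			continue;
		/* Keep a KSK only if no ZSK (or earlier kept KSK) has its algorithm */
		if ((flags & LDNS_SIGN_WITH_ALL_ALGORITHMS) &&
		    !covered[ldns_key_algorithm(key)])
			covered[ldns_key_algorithm(key)] = true;
		else
			ldns_key_set_use(key, 0);
	}
}
```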
ldns_status
arg);
if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) &&
cur_rrset->type == LDNS_RR_TYPE_DNSKEY)
- ldns_key_list_filter_for_dnskey(key_list);
+ ldns_key_list_filter_for_dnskey(key_list, flags);
if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY)
- ldns_key_list_filter_for_non_dnskey(key_list);
+ ldns_key_list_filter_for_non_dnskey(key_list, flags);
/* TODO: just set count to zero? */
rr_list = ldns_rr_list_new();
key_list,
func,
arg);
- ldns_key_list_filter_for_non_dnskey(key_list);
+ ldns_key_list_filter_for_non_dnskey(key_list, flags);
rr_list = ldns_rr_list_new();
ldns_rr_list_push_rr(rr_list, cur_name->nsec);
fprintf(fp, " -o <domain>\torigin for the zone\n");
fprintf(fp, " -v\t\tprint version and exit\n");
fprintf(fp, " -A\t\tsign DNSKEY with all keys instead of minimal\n");
+ fprintf(fp, " -U\t\tSign with every unique algorithm in the provided keys\n");
fprintf(fp, " -E <name>\tuse <name> as the crypto engine for signing\n");
fprintf(fp, " \tThis can have a lot of extra options, see the manual page for more info\n");
fprintf(fp, " -k <id>,<int>\tuse key id with algorithm int from engine\n");
OPENSSL_config(NULL);
- while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAE:K:")) != -1) {
+ while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAUE:K:")) != -1) {
switch (c) {
case 'a':
nsec3_algorithm = (uint8_t) atoi(optarg);
printf("Not implemented yet\n");
exit(EXIT_FAILURE);
break;
+ case 'U':
+ signflags |= LDNS_SIGN_WITH_ALL_ALGORITHMS;
+ break;
case 's':
if (strlen(optarg) % 2 != 0) {
fprintf(stderr, "Salt value is not valid hex data, not a multiple of 2 characters\n");