return retkeyset;
}
-bool DNSSECKeeper::checkKeys(const DNSName& zone)
+bool DNSSECKeeper::checkKeys(const DNSName& zone, vector<string>* errorMessages)
{
vector<DNSBackend::KeyData> dbkeyset;
d_keymetadb->getDomainKeys(zone, dbkeyset);
+ bool retval = true;
for(const DNSBackend::KeyData &keydata : dbkeyset) {
DNSKEYRecordContent dkrc;
shared_ptr<DNSCryptoKeyEngine> dke(DNSCryptoKeyEngine::makeFromISCString(dkrc, keydata.content));
- if (!dke->checkKey()) {
- return false;
- }
+ retval = dke->checkKey(errorMessages) && retval;
}
- return true;
+ return retval;
}
bool DNSSECKeeper::getPreRRSIGs(UeberBackend& db, const DNSName& signer, const DNSName& qname,
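Review bot: The messages appended through `dke->checkKey(errorMessages)` on L15 carry no key identity, so for a zone with several keys the caller cannot tell which key failed; the pdnsutil hunk at the end of this diff prints them one per line, and the code it removes used to name the algorithm for each bad key. Collecting each key's messages locally and prefixing them with the key id and `DNSSECKeeper::algorithm2name(dke->getAlgorithm())` before appending keeps the new API while preserving that diagnostic. The change is confined to the loop body and does not affect the `nullptr` default from the header.
```cpp
  for(const DNSBackend::KeyData &keydata : dbkeyset) {
    DNSKEYRecordContent dkrc;
    shared_ptr<DNSCryptoKeyEngine> dke(DNSCryptoKeyEngine::makeFromISCString(dkrc, keydata.content));
    vector<string> keyErrors;
    // only collect when the caller asked for messages
    if (!dke->checkKey(errorMessages != nullptr ? &keyErrors : nullptr)) {
      retval = false;
      for (const auto& msg : keyErrors) {
        errorMessages->push_back("key " + std::to_string(keydata.id) + " (" + DNSSECKeeper::algorithm2name(dke->getAlgorithm()) + "): " + msg);
      }
    }
  }
  return retval;
```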
bool removeKey(const DNSName& zname, unsigned int id);
bool activateKey(const DNSName& zname, unsigned int id);
bool deactivateKey(const DNSName& zname, unsigned int id);
- bool checkKeys(const DNSName& zname);
+ bool checkKeys(const DNSName& zname, vector<string>* errorMessages = nullptr);
bool getNSEC3PARAM(const DNSName& zname, NSEC3PARAMRecordContent* n3p=0, bool* narrow=0);
bool checkNSEC3PARAM(const NSEC3PARAMRecordContent& ns3p, string& msg);
#include <openssl/rand.h>
#include <openssl/rsa.h>
#include <openssl/opensslv.h>
+#include <openssl/err.h>
#include "opensslsigners.hh"
#include "dnssecinfra.hh"
#include "dnsseckeeper.hh"
std::string getPublicKeyString() const override;
void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap) override;
void fromPublicKeyString(const std::string& content) override;
- bool checkKey() const override;
+ bool checkKey(vector<string> *errorMessages) const override;
static std::shared_ptr<DNSCryptoKeyEngine> maker(unsigned int algorithm)
{
void OpenSSLRSADNSCryptoKeyEngine::create(unsigned int bits)
{
- // When changing the bitsizes, also edit them in ::checkKey and pdnsutil.cc
+ // When changing the bitsizes, also edit them in ::checkKey
if ((d_algorithm == DNSSECKeeper::RSASHA1 || d_algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1) && (bits < 512 || bits > 4096)) {
/* RFC3110 */
throw runtime_error(getName()+" RSASHA1 key generation failed for invalid bits size " + std::to_string(bits));
d_key = key;
}
-bool OpenSSLRSADNSCryptoKeyEngine::checkKey() const
+bool OpenSSLRSADNSCryptoKeyEngine::checkKey(vector<string> *errorMessages) const
{
- // When changing the bitsizes, also edit them in ::create and pdnsutil.cc
- if ((d_algorithm == DNSSECKeeper::RSASHA1 || d_algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1) && (getBits() < 512 || getBits()> 4096)) {
- return false;
- }
- if (d_algorithm == DNSSECKeeper::RSASHA256 && (getBits() < 512 || getBits() > 4096)) {
- return false;
+ bool retval = true;
+ // When changing the bitsizes, also edit them in ::create
+ if ((d_algorithm == DNSSECKeeper::RSASHA1 || d_algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1 || d_algorithm == DNSSECKeeper::RSASHA256) && (getBits() < 512 || getBits()> 4096)) {
+ retval = false;
+ if (errorMessages != nullptr) {
+ errorMessages->push_back("key is " + std::to_string(getBits()) + " bytes, should be between 512 and 4096");
+ }
}
if (d_algorithm == DNSSECKeeper::RSASHA512 && (getBits() < 1024 || getBits() > 4096)) {
- return false;
+ retval = false;
+ if (errorMessages != nullptr) {
+ errorMessages->push_back("key is " + std::to_string(getBits()) + " bytes, should be between 1024 and 4096");
+ }
}
- return (RSA_check_key(d_key) == 1);
+ if (RSA_check_key(d_key) != 1) {
+ retval = false;
+ if (errorMessages != nullptr) {
+ errorMessages->push_back(ERR_reason_error_string(ERR_get_error()));
+ }
+ }
+ return retval;
}
void OpenSSLRSADNSCryptoKeyEngine::fromPublicKeyString(const std::string& input)
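Review bot: `ERR_reason_error_string(ERR_get_error())` on L79 is handed straight to `push_back`, but it returns NULL when the error queue is empty or the reason code is unknown, and constructing a std::string from a null pointer is undefined behaviour; the same construct appears in the ECDSA `checkKey` further down (L102). `RSA_check_key` also pushes one queue entry per failed test and the queue may still hold stale entries from earlier OpenSSL calls, so clearing it before the check and draining it afterwards is what reports the reasons this key actually failed. The bit-size messages on L65 and L72 also say `bytes` where `getBits()` is a bit count: `"key is " + std::to_string(getBits()) + " bits, should be between 512 and 4096"` (and `1024 and 4096` for RSASHA512).
```cpp
  // … unchanged: algorithm/bit-size checks …
  ERR_clear_error(); // stale entries would otherwise be reported as this key's failure
  if (RSA_check_key(d_key) != 1) {
    retval = false;
    if (errorMessages != nullptr) {
      bool reported = false;
      unsigned long err;
      while ((err = ERR_get_error()) != 0) { // one entry per failed test
        const char* reason = ERR_reason_error_string(err);
        errorMessages->push_back(reason != nullptr ? reason : "unknown OpenSSL error");
        reported = true;
      }
      if (!reported) {
        errorMessages->push_back("RSA_check_key failed without an OpenSSL error reason");
      }
    }
  }
  return retval;
```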
std::string getPublicKeyString() const override;
void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap) override;
void fromPublicKeyString(const std::string& content) override;
- bool checkKey() const override;
+ bool checkKey(vector<string> *errorMessages) const override;
static std::shared_ptr<DNSCryptoKeyEngine> maker(unsigned int algorithm)
{
EC_POINT_free(pub_key);
}
-bool OpenSSLECDSADNSCryptoKeyEngine::checkKey() const
+bool OpenSSLECDSADNSCryptoKeyEngine::checkKey(vector<string> *errorMessages) const
{
- return (EC_KEY_check_key(d_eckey) == 1);
+ bool retval = true;
+ if (EC_KEY_check_key(d_eckey) != 1) {
+ retval = false;
+ if (errorMessages != nullptr) {
+ errorMessages->push_back(ERR_reason_error_string(ERR_get_error()));
+ }
+ }
+ return retval;
}
void OpenSSLECDSADNSCryptoKeyEngine::fromPublicKeyString(const std::string& input)
bool isSecure=dk.isSecuredZone(zone);
bool presigned=dk.isPresigned(zone);
- bool validKeys=dk.checkKeys(zone);
+ vector<string> checkKeyErrors;
+ bool validKeys=dk.checkKeys(zone, &checkKeyErrors);
uint64_t numerrors=0, numwarnings=0;
if (!validKeys) {
numerrors++;
cout<<"[Error] zone '" << zone << "' has at least one invalid DNS Private Key." << endl;
- vector<DNSBackend::KeyData> dbkeyset;
- B.getDomainKeys(zone, dbkeyset);
-
- for(const DNSBackend::KeyData &keydata : dbkeyset) {
- DNSKEYRecordContent dkrc;
- shared_ptr<DNSCryptoKeyEngine> dke(DNSCryptoKeyEngine::makeFromISCString(dkrc, keydata.content));
- string msg;
- if ((dke->getAlgorithm() == DNSSECKeeper::RSASHA1 || dke->getAlgorithm() == DNSSECKeeper::RSASHA1NSEC3SHA1) && (dke->getBits() < 512 || dke->getBits() > 4096)) {
- msg = "512 and 4096";
- }
- if (dke->getAlgorithm() == DNSSECKeeper::RSASHA256 && (dke->getBits() < 512 || dke->getBits() > 4096)) {
- msg = "512 and 4096";
- }
- if (dke->getAlgorithm() == DNSSECKeeper::RSASHA512 && (dke->getBits() < 1024 || dke->getBits() > 4096)) {
- msg = "1024 and 4096";
- }
- if (!msg.empty()) {
- cout<<"[Error] zone '" << zone << "' key with algorithm " << DNSSECKeeper::algorithm2name(dke->getAlgorithm()) << " has a keysize of " << dke->getBits() << ", which is not between " << msg << endl;
- }
+ for (const auto &msg : checkKeyErrors) {
+ cout<<"\t"<<msg<<endl;
}
}