From: Willem Toorop Date: Mon, 28 Sep 2015 14:51:21 +0000 (+0200) Subject: -U option to ldns-signzone to sign with every algo X-Git-Tag: release-1.7.0-rc1~92 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4af2f38d50451023b61aa3a41297a3e6d54d123d;p=thirdparty%2Fldns.git -U option to ldns-signzone to sign with every algo --- diff --git a/dnssec_sign.c b/dnssec_sign.c index 4f605461..137bba94 100644 --- a/dnssec_sign.c +++ b/dnssec_sign.c @@ -1023,39 +1023,78 @@ ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, /** If there are KSKs use only them and mark ZSKs unused */ static void -ldns_key_list_filter_for_dnskey(ldns_key_list *key_list) +ldns_key_list_filter_for_dnskey(ldns_key_list *key_list, int flags) { - int saw_ksk = 0; + bool algos[256] = { false }; + ldns_signing_algorithm saw_ksk = 0; + ldns_key *key; size_t i; - for(i=0; itype == LDNS_RR_TYPE_DNSKEY) - ldns_key_list_filter_for_dnskey(key_list); + ldns_key_list_filter_for_dnskey(key_list, flags); if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY) - ldns_key_list_filter_for_non_dnskey(key_list); + ldns_key_list_filter_for_non_dnskey(key_list, flags); /* TODO: just set count to zero? */ rr_list = ldns_rr_list_new(); @@ -1170,7 +1209,7 @@ ldns_dnssec_zone_create_rrsigs_flg( ldns_dnssec_zone *zone key_list, func, arg); - ldns_key_list_filter_for_non_dnskey(key_list); + ldns_key_list_filter_for_non_dnskey(key_list, flags); rr_list = ldns_rr_list_new(); ldns_rr_list_push_rr(rr_list, cur_name->nsec); diff --git a/examples/ldns-signzone.c b/examples/ldns-signzone.c index c19c8b47..5d693660 100644 --- a/examples/ldns-signzone.c +++ b/examples/ldns-signzone.c 
@@ -39,6 +39,7 @@ usage(FILE *fp, const char *prog) {
 fprintf(fp, " -o \torigin for the zone\n");
 fprintf(fp, " -v\t\tprint version and exit\n");
 fprintf(fp, " -A\t\tsign DNSKEY with all keys instead of minimal\n");
+ fprintf(fp, " -U\t\tSign with every unique algorithm in the provided keys\n");
 fprintf(fp, " -E \tuse as the crypto engine for signing\n");
 fprintf(fp, " \tThis can have a lot of extra options, see the manual page for more info\n");
 fprintf(fp, " -k ,\tuse key id with algorithm int from engine\n");
@@ -378,7 +379,7 @@ main(int argc, char *argv[])
 OPENSSL_config(NULL);
- while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAE:K:")) != -1) {
+ while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAUE:K:")) != -1) {
 switch (c) {
 case 'a':
 nsec3_algorithm = (uint8_t) atoi(optarg);
@@ -569,6 +570,9 @@ main(int argc, char *argv[])
 printf("Not implemented yet\n");
 exit(EXIT_FAILURE);
 break;
+ case 'U':
+ signflags |= LDNS_SIGN_WITH_ALL_ALGORITHMS;
+ break;
 case 's':
 if (strlen(optarg) % 2 != 0) {
 fprintf(stderr, "Salt value is not valid hex data, not a multiple of 2 characters\n");
diff --git a/ldns/dnssec_sign.h b/ldns/dnssec_sign.h
index f51c7fb3..8a9ee895 100644
--- a/ldns/dnssec_sign.h
+++ b/ldns/dnssec_sign.h
@@ -13,6 +13,7 @@ extern "C" {
 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/
 #define LDNS_SIGN_DNSKEY_WITH_ZSK 1
+#define LDNS_SIGN_WITH_ALL_ALGORITHMS 2
 /**
 * Create an empty RRSIG RR (i.e. without the actual signature data)
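Review bot: The new usage line in usage() capitalises "Sign" while the neighbouring -A and -v lines start lowercase; `fprintf(fp, " -U\t\tsign with every unique algorithm in the provided keys\n");` keeps the help text uniform. That same help text sends users to the manual page for option details, yet this commit only touches dnssec_sign.c, examples/ldns-signzone.c and ldns/dnssec_sign.h, so -U appears to have no manual entry. The ldns-signzone manual page should get a matching paragraph explaining that with -U each RRset is signed with at least one key of every algorithm present in the supplied keys, which is what RFC 4035 section 2.2 requires of a zone whose DNSKEY RRset lists several algorithms. Confirm that wording against the key-list filter code in dnssec_sign.c, which is only partly legible in this diff.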
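Review bot: `LDNS_SIGN_WITH_ALL_ALGORITHMS` is added to ldns/dnssec_sign.h without the doc comment its sibling `LDNS_SIGN_DNSKEY_WITH_ZSK` carries, so a caller of ldns_dnssec_zone_create_rrsigs_flg() has to read dnssec_sign.c to learn what the flag changes. Add `/** Sign flag that makes every RRset signed with at least one key of each unique algorithm in the key list, instead of only the keys the default KSK/ZSK selection picks */` above the define, in the same style as the existing comment. The comment could also state that these values are bits meant to be OR-ed together, which is how ldns-signzone uses them with `signflags |=`. Since ldns_key_list_filter_for_dnskey() and ldns_key_list_filter_for_non_dnskey() are only partly legible in this diff, check the wording against their final behaviour before committing it.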