From: Jelte Jansen Date: Thu, 8 Sep 2005 09:47:25 +0000 (+0000) Subject: SEP keys are now handled automatically (specify on generation) X-Git-Tag: release-1.0.0~196 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f4b595acb8b2bdfcba7697dea9889b1d06bd9b9;p=thirdparty%2Fldns.git SEP keys are now handled automatically (specify on generation) updated signzone.c accordingly fixed minor bugs --- diff --git a/Makefile.in b/Makefile.in index f127352e..a8b32291 100644 --- a/Makefile.in +++ b/Makefile.in @@ -48,7 +48,7 @@ LIBDNS_HEADERS = ldns/error.h \ ldns/dns.h \ ldns/zone.h \ ldns/util.h -PROG_SOURCES = mx.c chaos.c keygen.c signzone.c key2ds.c version.c +PROG_SOURCES = mx.c chaos.c keygen.c signzone.c version.c PROG_TARGETS = $(PROG_SOURCES:.c=) LIBDNS_OBJECTS = $(LIBDNS_SOURCES:.c=.o) @@ -68,7 +68,7 @@ LINK_LIB = $(LIBTOOL) --mode=link $(CC) $(CFLAGS) $(LDFLAGS) .PHONY: install uninstall install-doc uninstall-doc .PHONY: install-h uninstall-h install-lib uninstall-lib snapshot release -all: lib +all: lib tools tools: $(PROG_TARGETS) diff --git a/TODO b/TODO index 873a6f14..13f6b515 100644 --- a/TODO +++ b/TODO @@ -1,5 +1,7 @@ Current TODO list +o check todo list :p + What actually doesn't work: --------------------------- o [dnssec] NSEC conversion frm str to host @@ -12,6 +14,7 @@ o manual page for signzone Implementation: --------------- +o really think one last time about the double pointers o str2host on string rdata types needs escapes and surrounding quotes support o check all conversion routines on missing types diff --git a/dnssec.c b/dnssec.c index 5827d1af..0bd268ee 100644 --- a/dnssec.c +++ b/dnssec.c @@ -82,7 +82,6 @@ ldns_status ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, ldns_rr_list *keys, ldns_rr_list *good_keys) { uint16_t i; - ldns_rr_list *result; /* ldns_rr_list *keys_verified;*/ bool valid; ldns_status verify_result = LDNS_STATUS_ERR; @@ -94,7 +93,6 @@ printf("err 1\n"); valid = false; - result = ldns_rr_list_new(); for (i = 0; i < ldns_rr_list_rr_count(rrsig); i++) { verify_result = ldns_verify_rrsig_keylist(rrset, @@ -289,8 +287,10 @@ ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr_list *key ldns_buffer_free(verify_buf); if (ldns_rr_list_rr_count(validkeys) == 0) { /* no keys were added, return last error */ +ldns_rr_list_free(validkeys); return result; } else { +ldns_rr_list_free(validkeys); ldns_rr_list_cat(good_keys, validkeys); return LDNS_STATUS_OK; } @@ -1104,103 +1104,108 @@ ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys) b64rdf = NULL; current_key = ldns_key_list_key(keys, key_count); - current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG); - - /* set the type on the new signature */ - /*orig_ttl = ldns_key_origttl(current_key);*/ - orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)); - - /* set the ttl from the priv key on the rrset */ - for (i = 0; i < ldns_rr_list_rr_count(rrset); i++) { - ldns_rr_set_ttl( - ldns_rr_list_rr(rrset_clone, i), orig_ttl); - } - - ldns_rr_set_owner(current_sig, - ldns_rdf_clone(ldns_rr_owner(ldns_rr_list_rr(rrset_clone, 0)))); - - /* fill in what we know of the signature */ - - /* set the orig_ttl */ - (void)ldns_rr_rrsig_set_origttl(current_sig, ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, orig_ttl)); - /* the signers name */ - - (void)ldns_rr_rrsig_set_signame(current_sig, - ldns_rdf_clone(ldns_key_pubkey_owner(current_key))); - /* label count - get it from the first rr in the rr_list */ - (void)ldns_rr_rrsig_set_labels(current_sig, - ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, ldns_rr_label_count( - ldns_rr_list_rr(rrset_clone, 0)))); - /* inception, expiration */ - /* TODO: is this a good place for default values? */ - now = time(NULL); - if (ldns_key_inception(current_key) != 0) { - (void)ldns_rr_rrsig_set_inception(current_sig, - ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, ldns_key_inception(current_key))); - } else { - (void)ldns_rr_rrsig_set_inception(current_sig, - ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now)); - } - if (ldns_key_expiration(current_key) != 0) { - (void)ldns_rr_rrsig_set_expiration(current_sig, - ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, ldns_key_expiration(current_key))); - } else { - (void)ldns_rr_rrsig_set_expiration(current_sig, - ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now + LDNS_DEFAULT_EXP_TIME)); - } + if ( + ldns_key_flags(current_key) & LDNS_KEY_ZONE_KEY && + (!(ldns_key_flags(current_key) & LDNS_KEY_SEP_KEY) || + ldns_rr_get_type(ldns_rr_list_rr(rrset, 0)) == LDNS_RR_TYPE_DNSKEY) + ) { + current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG); + + /* set the type on the new signature */ + /*orig_ttl = ldns_key_origttl(current_key);*/ + orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0)); + + /* set the ttl from the priv key on the rrset */ + for (i = 0; i < ldns_rr_list_rr_count(rrset); i++) { + ldns_rr_set_ttl( + ldns_rr_list_rr(rrset_clone, i), orig_ttl); + } - /* key-tag */ - (void)ldns_rr_rrsig_set_keytag(current_sig, - ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, ldns_key_keytag(current_key))); - - /* algorithm - check the key and substitute that */ - (void)ldns_rr_rrsig_set_algorithm(current_sig, - ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(current_key))); - /* type-covered */ - (void)ldns_rr_rrsig_set_typecovered(current_sig, - ldns_native2rdf_int16(LDNS_RDF_TYPE_TYPE, - ldns_rr_get_type(ldns_rr_list_rr(rrset_clone, 0)))); - /* right now, we have: a key, a semi-sig and an rrset. For - * which we can create the sig and base64 encode that and - * add that to the signature */ - - if (ldns_rrsig2buffer_wire(sign_buf, current_sig) != LDNS_STATUS_OK) { - ldns_buffer_free(sign_buf); - dprintf("%s\n", "couldn't convert to buffer 1"); - /* ERROR */ - return NULL; - } - /* add the rrset in sign_buf */ - if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone) != LDNS_STATUS_OK) { - dprintf("%s\n", "couldn't convert to buffer 2"); - ldns_buffer_free(sign_buf); - return NULL; - } - - switch(ldns_key_algorithm(current_key)) { - case LDNS_SIGN_DSA: - b64rdf = ldns_sign_public_dsa(sign_buf, ldns_key_dsa_key(current_key)); - break; - case LDNS_SIGN_RSASHA1: - b64rdf = ldns_sign_public_rsasha1(sign_buf, ldns_key_rsa_key(current_key)); - break; - case LDNS_SIGN_RSAMD5: - b64rdf = ldns_sign_public_rsamd5(sign_buf, ldns_key_rsa_key(current_key)); - break; - default: - /* do _you_ know this alg? */ - break; - } - if (!b64rdf) { - /* signing went wrong */ - dprintf("%s", "couldn't sign!\n"); - return NULL; - } - ldns_rr_rrsig_set_sig(current_sig, b64rdf); + ldns_rr_set_owner(current_sig, + ldns_rdf_clone(ldns_rr_owner(ldns_rr_list_rr(rrset_clone, 0)))); + + /* fill in what we know of the signature */ + + /* set the orig_ttl */ + (void)ldns_rr_rrsig_set_origttl(current_sig, ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32, orig_ttl)); + /* the signers name */ + + (void)ldns_rr_rrsig_set_signame(current_sig, + ldns_rdf_clone(ldns_key_pubkey_owner(current_key))); + /* label count - get it from the first rr in the rr_list */ + (void)ldns_rr_rrsig_set_labels(current_sig, + ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, ldns_rr_label_count( + ldns_rr_list_rr(rrset_clone, 0)))); + /* inception, expiration */ + /* TODO: is this a good place for default values? */ + now = time(NULL); + if (ldns_key_inception(current_key) != 0) { + (void)ldns_rr_rrsig_set_inception(current_sig, + ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, ldns_key_inception(current_key))); + } else { + (void)ldns_rr_rrsig_set_inception(current_sig, + ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now)); + } + if (ldns_key_expiration(current_key) != 0) { + (void)ldns_rr_rrsig_set_expiration(current_sig, + ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, ldns_key_expiration(current_key))); + } else { + (void)ldns_rr_rrsig_set_expiration(current_sig, + ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now + LDNS_DEFAULT_EXP_TIME)); + } - /* push the signature to the signatures list */ - ldns_rr_list_push_rr(signatures, current_sig); + /* key-tag */ + (void)ldns_rr_rrsig_set_keytag(current_sig, + ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, ldns_key_keytag(current_key))); + + /* algorithm - check the key and substitute that */ + (void)ldns_rr_rrsig_set_algorithm(current_sig, + ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(current_key))); + /* type-covered */ + (void)ldns_rr_rrsig_set_typecovered(current_sig, + ldns_native2rdf_int16(LDNS_RDF_TYPE_TYPE, + ldns_rr_get_type(ldns_rr_list_rr(rrset_clone, 0)))); + /* right now, we have: a key, a semi-sig and an rrset. For + * which we can create the sig and base64 encode that and + * add that to the signature */ + + if (ldns_rrsig2buffer_wire(sign_buf, current_sig) != LDNS_STATUS_OK) { + ldns_buffer_free(sign_buf); + dprintf("%s\n", "couldn't convert to buffer 1"); + /* ERROR */ + return NULL; + } + /* add the rrset in sign_buf */ + if (ldns_rr_list2buffer_wire(sign_buf, rrset_clone) != LDNS_STATUS_OK) { + dprintf("%s\n", "couldn't convert to buffer 2"); + ldns_buffer_free(sign_buf); + return NULL; + } + + switch(ldns_key_algorithm(current_key)) { + case LDNS_SIGN_DSA: + b64rdf = ldns_sign_public_dsa(sign_buf, ldns_key_dsa_key(current_key)); + break; + case LDNS_SIGN_RSASHA1: + b64rdf = ldns_sign_public_rsasha1(sign_buf, ldns_key_rsa_key(current_key)); + break; + case LDNS_SIGN_RSAMD5: + b64rdf = ldns_sign_public_rsamd5(sign_buf, ldns_key_rsa_key(current_key)); + break; + default: + /* do _you_ know this alg? */ + break; + } + if (!b64rdf) { + /* signing went wrong */ + dprintf("%s", "couldn't sign!\n"); + return NULL; + } + ldns_rr_rrsig_set_sig(current_sig, b64rdf); + /* push the signature to the signatures list */ + ldns_rr_list_push_rr(signatures, current_sig); + } ldns_buffer_free(sign_buf); /* restart for the next key */ } ldns_rr_list_deep_free(rrset_clone); @@ -1479,7 +1484,7 @@ printf("%s\n", "[ldns_pkt_verify]"); } ldns_zone * -ldns_zone_sign(ldns_zone *zone, ldns_key_list *key_list, ldns_key_list *key_signing_key_list) +ldns_zone_sign(ldns_zone *zone, ldns_key_list *key_list) { /* * Algorithm to be created: @@ -1558,21 +1563,13 @@ ldns_zone_sign(ldns_zone *zone, ldns_key_list *key_list, ldns_key_list *key_sign /* if we have KSKs, use them for DNSKEYS, otherwise make them selfsigned (?) */ - if (cur_rrset_type == LDNS_RR_TYPE_DNSKEY) { - if (key_signing_key_list) { - cur_rrsigs = ldns_sign_public(cur_rrset, key_signing_key_list); - } else { - cur_rrsigs = ldns_sign_public(cur_rrset, key_list); - } - ldns_zone_push_rr_list(signed_zone, cur_rrset); - ldns_zone_push_rr_list(signed_zone, cur_rrsigs); - ldns_rr_list_free(cur_rrsigs); - } else if (cur_rrset_type != LDNS_RR_TYPE_RRSIG && + if (cur_rrset_type != LDNS_RR_TYPE_RRSIG && (ldns_dname_is_subdomain(cur_dname, ldns_rr_owner(ldns_zone_soa(zone))) || ldns_rdf_compare(cur_dname, ldns_rr_owner(ldns_zone_soa(zone))) == 0 ) ) { cur_rrsigs = ldns_sign_public(cur_rrset, key_list); + ldns_zone_push_rr_list(signed_zone, cur_rrset); ldns_zone_push_rr_list(signed_zone, cur_rrsigs); ldns_rr_list_free(cur_rrsigs); diff --git a/host2str.c b/host2str.c index 320c035b..dd27df1b 100644 --- a/host2str.c +++ b/host2str.c @@ -1037,7 +1037,7 @@ ldns_key2buffer_str(ldns_buffer *output, ldns_key *k) ldns_buffer_printf(output,"Private-key-format: v1.2\n"); if (ldns_key_algorithm(k) == LDNS_SIGN_RSAMD5) { ldns_buffer_printf(output,"Algorithm: 1 (RSA)\n"); - } else if (ldns_key_algorithm(k) == LDNS_SIGN_RSAMD5) { + } else if (ldns_key_algorithm(k) == LDNS_SIGN_RSASHA1) { ldns_buffer_printf(output,"Algorithm: 5 (RSASHA1)\n"); } diff --git a/keygen.c b/keygen.c index aeb38b8d..e6eed59a 100644 --- a/keygen.c +++ b/keygen.c @@ -171,6 +171,21 @@ main(int argc, char *argv[]) LDNS_FREE(filename); } + /* TEMP: create PEM format too */ + filename = LDNS_XMALLOC(char, strlen(owner) + 17); + snprintf(filename, strlen(owner) + 16, "K%s+%03u+%05u.pem", owner, algorithm, ldns_key_keytag(key)); + file = fopen(filename, "w"); + if (!file) { + fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); + exit(EXIT_FAILURE); + } else { + +PEM_write_DSAPrivateKey(file, key->_key.dsa, NULL, NULL, 0, NULL, NULL); + fclose(file); + LDNS_FREE(filename); + } + + fprintf(stdout, "K%s+%03u+%05u\n", owner, algorithm, ldns_key_keytag(key)); exit(EXIT_SUCCESS); } diff --git a/keys.c b/keys.c index 77024eb7..dac02a3a 100644 --- a/keys.c +++ b/keys.c @@ -47,7 +47,7 @@ ldns_key_new() return NULL; } else { /* some defaults - not sure wether to do this */ - ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY_FLAG); + ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY); ldns_key_set_origttl(newkey, 0); ldns_key_set_keytag(newkey, 0); ldns_key_set_inception(newkey, 0); @@ -395,7 +395,12 @@ ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size) break; case LDNS_SIGN_DSA: d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL); - DSA_generate_key(d); + if (!d) { + return NULL; + } + if (DSA_generate_key(d) != 1) { + return NULL; + } ldns_key_set_dsa_key(k, d); break; case LDNS_SIGN_HMACMD5: diff --git a/ldns/dns.h b/ldns/dns.h index b2f2b021..3078fe24 100644 --- a/ldns/dns.h +++ b/ldns/dns.h @@ -41,7 +41,7 @@ #define LDNS_IP6ADDRLEN (128/8) #define LDNS_PORT 53 #define LDNS_ROOT_LABEL '\0' -#define LDNS_DEFTTL 3600 +#define LDNS_DEFAULT_TTL 3600 #ifndef LDNS_VERSION #define LDNS_VERSION "0.60" diff --git a/ldns/dnssec.h b/ldns/dnssec.h index 67f6e1f6..efd88116 100644 --- a/ldns/dnssec.h +++ b/ldns/dnssec.h @@ -179,7 +179,7 @@ ldns_status ldns_pkt_verify(ldns_pkt *p, ldns_rr_type t, ldns_rdf *o, ldns_rr_li * \param[in] key_list the list of keys to sign the zone with * \return the signed zone */ -ldns_zone *ldns_zone_sign(ldns_zone *zone, ldns_key_list *key_list, ldns_key_list *key_signing_key_list); +ldns_zone *ldns_zone_sign(ldns_zone *zone, ldns_key_list *key_list); ldns_status ldns_init_random(FILE *fd, uint16_t bytes); diff --git a/ldns/keys.h b/ldns/keys.h index ed7f047a..8536cf66 100644 --- a/ldns/keys.h +++ b/ldns/keys.h @@ -20,8 +20,8 @@ extern ldns_lookup_table ldns_signing_algorithms[]; -#define LDNS_KEY_ZONE_KEY_FLAG 0x0100 -#define LDNS_KEY_SEP_KEY_FLAG 0x0001 +#define LDNS_KEY_ZONE_KEY 0x0100 +#define LDNS_KEY_SEP_KEY 0x0001 /** * algorithms used in dns diff --git a/rr.c b/rr.c index 57e9c478..beed23a7 100644 --- a/rr.c +++ b/rr.c @@ -28,7 +28,7 @@ ldns_rr_new(void) rr->_rdata_fields = NULL; ldns_rr_set_ttl(rr, 0); ldns_rr_set_class(rr, LDNS_RR_CLASS_IN); - ldns_rr_set_ttl(rr, LDNS_DEFTTL); + ldns_rr_set_ttl(rr, LDNS_DEFAULT_TTL); return rr; } @@ -56,7 +56,7 @@ ldns_rr_new_frm_type(ldns_rr_type t) ldns_rr_set_rd_count(rr, ldns_rr_descriptor_minimum(desc)); ldns_rr_set_class(rr, LDNS_RR_CLASS_IN); - ldns_rr_set_ttl(rr, LDNS_DEFTTL); + ldns_rr_set_ttl(rr, LDNS_DEFAULT_TTL); ldns_rr_set_type(rr, t); return rr; } @@ -168,7 +168,7 @@ ldns_rr_new_frm_str(const char *str, uint16_t default_ttl, ldns_rdf *origin) if (ttl_val == 0) { /* ah, it's not there or something */ if (default_ttl == 0) { - ttl_val = LDNS_DEFTTL; + ttl_val = LDNS_DEFAULT_TTL; } else { ttl_val = default_ttl; } diff --git a/signzone.c b/signzone.c index 10205a4b..a4204e04 100644 --- a/signzone.c +++ b/signzone.c @@ -23,10 +23,12 @@ usage(FILE *fp, const char *prog) { fprintf(fp, " -e \t\texpiration date\n"); fprintf(fp, " -f \t\toutput zone to file (default .signed)\n"); fprintf(fp, " -i \t\tinception date\n"); - fprintf(fp, " -k \t\tkey signing key\n"); fprintf(fp, "\t\t\tdates can be in YYYYMMDD[HHmmSS] format or timestamps\n"); fprintf(fp, " -o \t\torigin for the zone\n"); - fprintf(fp, "keys and keysigning keys (-k option) can be given multiple times\n"); + fprintf(fp, "keys can be given multiple times\n"); + fprintf(fp, "keys are specified by their base name, there should be a file\n"); + fprintf(fp, "called .key and .private present. The .key should\n"); + fprintf(fp, "contain the DNSKEY RR of the public key, and will be added to the zone\n"); } int @@ -40,20 +42,25 @@ main(int argc, char *argv[]) ldns_rr_list *orig_rrs = NULL; ldns_rr *orig_soa = NULL; + const char *keyfile_name_base; + char *keyfile_name; FILE *keyfile = NULL; ldns_key *key = NULL; + ldns_rr *pubkey = NULL; ldns_key_list *keys; + char *outputfile_name = NULL; FILE *outputfile; /* we need to know the origin before reading ksk's, * so keep an array of filenames until we know it */ +/* int key_signing_key_nr = 0; char **key_signing_key_filenames = NULL; ldns_key_list *key_signing_keys; - +*/ struct tm tm; uint32_t inception; uint32_t expiration; @@ -73,7 +80,7 @@ main(int argc, char *argv[]) inception = 0; expiration = 0; - while ((c = getopt(argc, argv, "e:f:i:k:o:")) != -1) { + while ((c = getopt(argc, argv, "e:f:i:o:")) != -1) { switch (c) { case 'e': /* try to parse YYYYMMDD first, @@ -105,14 +112,6 @@ main(int argc, char *argv[]) inception = atol(optarg); } break; - case 'k': - key_signing_key_filenames = LDNS_XREALLOC(key_signing_key_filenames, char *, key_signing_key_nr + 1); - if (!key_signing_key_filenames) { - fprintf(stderr, "Out of memory\n"); - } - key_signing_key_filenames[key_signing_key_nr] = optarg; - key_signing_key_nr++; - break; case 'o': if (ldns_str2rdf_dname(&origin, optarg) != LDNS_STATUS_OK) { fprintf(stderr, "Bad origin, not a correct domain name\n"); @@ -175,15 +174,17 @@ main(int argc, char *argv[]) /* read the ZSKs */ argi = 1; while (argi < argc) { - keyfile = fopen(argv[argi], "r"); + keyfile_name_base = argv[argi]; + keyfile_name = LDNS_XMALLOC(char, strlen(keyfile_name_base) + 9); + sprintf(keyfile_name, "%s.private", keyfile_name_base); + keyfile = fopen(keyfile_name, "r"); + line_nr = 0; if (!keyfile) { - fprintf(stderr, "Error: unable to read k%s (%s)\n", argv[argi], strerror(errno)); + fprintf(stderr, "Error: unable to read %s: %s\n", keyfile_name, strerror(errno)); } else { - key = ldns_key_new_frm_fp(keyfile); + key = ldns_key_new_frm_fp_l(keyfile, &line_nr); + fclose(keyfile); if (key) { - /* TODO: should this be in frm_fp? */ - ldns_key_set_pubkey_owner(key, ldns_rdf_clone(origin)); - /* set times in key? they will end up in the rrsigs */ @@ -194,14 +195,32 @@ main(int argc, char *argv[]) ldns_key_set_inception(key, inception); } - ldns_key_set_flags(key, ldns_key_flags(key) | LDNS_KEY_ZONE_KEY_FLAG); - ldns_key_list_push_key(keys, key); + LDNS_FREE(keyfile_name); + keyfile_name = LDNS_XMALLOC(char, strlen(keyfile_name_base) + 5); + sprintf(keyfile_name, "%s.key", keyfile_name_base); + keyfile = fopen(keyfile_name, "r"); + line_nr = 0; + if (!keyfile) { + fprintf(stderr, "Error: unable to read %s: %s\n", keyfile_name, strerror(errno)); + } else { + pubkey = ldns_rr_new_frm_fp_l(keyfile, LDNS_DEFAULT_TTL, NULL, &line_nr); + if (pubkey) { + ldns_key_set_pubkey_owner(key, ldns_rdf_clone(ldns_rr_owner(pubkey))); + ldns_key_set_flags(key, ldns_rdf2native_int16(ldns_rr_rdf(pubkey, 0))); + } + /*ldns_key_set_flags(key, ldns_key_flags(key) | LDNS_KEY_ZONE_KEY);*/ + ldns_key_list_push_key(keys, key); + /* + ldns_zone_push_rr(orig_zone, ldns_rr_clone(pubkey)); + */ ldns_rr_free(pubkey); + } + } else { - fprintf(stderr, "Error reading key from %s\n", argv[argi]); + fprintf(stderr, "Error reading key from %s at line %d\n", argv[argi], line_nr); } - fclose(keyfile); } + argi++; } @@ -211,40 +230,7 @@ main(int argc, char *argv[]) exit(EXIT_FAILURE); } - /* read the KSKs */ - key_signing_keys = ldns_key_list_new(); - - for (argi = 0; argi < key_signing_key_nr; argi++) { - keyfile = fopen(key_signing_key_filenames[argi], "r"); - if (!keyfile) { - fprintf(stderr, "Error: unable to read KSK %s (%s)\n", argv[argi], strerror(errno)); - } else { - key = ldns_key_new_frm_fp(keyfile); - if (key) { - /* TODO: should this be in frm_fp? */ - ldns_key_set_pubkey_owner(key, ldns_rdf_clone(origin)); - - /* set times in key? they will end up - in the rrsigs - */ - if (expiration != 0) { - ldns_key_set_expiration(key, expiration); - } - if (inception != 0) { - ldns_key_set_inception(key, inception); - } - - ldns_key_set_flags(key, ldns_key_flags(key) | LDNS_KEY_ZONE_KEY_FLAG | LDNS_KEY_SEP_KEY_FLAG); - ldns_key_list_push_key(key_signing_keys, key); - } else { - fprintf(stderr, "Error reading KSK from %s\n", argv[argi]); - } - fclose(keyfile); - } - } - - signed_zone = ldns_zone_sign(orig_zone, keys, key_signing_keys); - + signed_zone = ldns_zone_sign(orig_zone, keys); if (!outputfile_name) { outputfile_name = LDNS_XMALLOC(char, MAX_FILENAME_LEN); @@ -266,10 +252,8 @@ main(int argc, char *argv[]) } ldns_key_list_free(keys); - ldns_key_list_free(key_signing_keys); ldns_zone_deep_free(orig_zone); LDNS_FREE(outputfile_name); - LDNS_FREE(key_signing_key_filenames); exit(EXIT_SUCCESS); }