From: Pieter Lexis
Date: Tue, 11 Sep 2018 18:23:13 +0000 (+0200)
Subject: Improve RSA key warnings
X-Git-Tag: auth-4.2.0-alpha1~34^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f59c4313c47361993596f01154249e9a2d09dbd7;p=thirdparty%2Fpdns.git

Improve RSA key warnings
---

diff --git a/pdns/opensslsigners.cc b/pdns/opensslsigners.cc
index d0a65e6489..452025398c 100644
--- a/pdns/opensslsigners.cc
+++ b/pdns/opensslsigners.cc
@@ -216,6 +216,7 @@ private:
 void OpenSSLRSADNSCryptoKeyEngine::create(unsigned int bits)
 {
+  // When changing the bitsizes, also edit them in ::checkKey and pdnsutil.cc
   if ((d_algorithm == DNSSECKeeper::RSASHA1 || d_algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1) && (bits < 512 || bits > 4096)) {
     /* RFC3110 */
     throw runtime_error(getName()+" RSASHA1 key generation failed for invalid bits size " + std::to_string(bits));
@@ -540,6 +541,16 @@ void OpenSSLRSADNSCryptoKeyEngine::fromISCMap(DNSKEYRecordContent& drc, std::map
 bool OpenSSLRSADNSCryptoKeyEngine::checkKey() const
 {
+  // When changing the bitsizes, also edit them in ::create and pdnsutil.cc
+  if ((d_algorithm == DNSSECKeeper::RSASHA1 || d_algorithm == DNSSECKeeper::RSASHA1NSEC3SHA1) && (getBits() < 512 || getBits()> 4096)) {
+    return false;
+  }
+  if (d_algorithm == DNSSECKeeper::RSASHA256 && (getBits() < 512 || getBits() > 4096)) {
+    return false;
+  }
+  if (d_algorithm == DNSSECKeeper::RSASHA512 && (getBits() < 1024 || getBits() > 4096)) {
+    return false;
+  }
   return (RSA_check_key(d_key) == 1);
 }
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index 7b237e9153..5c98023ea5 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
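Review bot: The three range checks added to checkKey() hard-code the same per-algorithm bit limits that ::create and the pdnsutil.cc hunk below also spell out, and the added comment only asks the next editor to keep all three sites in sync by hand; a single per-algorithm minimum (with the shared 4096 maximum) makes drift impossible and also collapses the two branches that test RSASHA1/RSASHA1NSEC3SHA1 and RSASHA256 against identical bounds. The RSASHA256 and RSASHA512 limits come from RFC 5702 section 2 and deserve a citation next to the check, matching the existing `/* RFC3110 */` in ::create. Minor: `getBits()> 4096` in the first condition lacks the space the other comparisons use. The rewrite below preserves the current behaviour of not bounding algorithms the chain does not name.
```cpp
bool OpenSSLRSADNSCryptoKeyEngine::checkKey() const
{
  // Minimum modulus size per algorithm: RFC 3110 for RSASHA1/RSASHA1NSEC3SHA1,
  // RFC 5702 section 2 for RSASHA256/RSASHA512; the maximum is 4096 for all.
  // When changing the bitsizes, also edit them in ::create and pdnsutil.cc
  unsigned int minBits = 0;
  switch (d_algorithm) {
  case DNSSECKeeper::RSASHA1:
  case DNSSECKeeper::RSASHA1NSEC3SHA1:
  case DNSSECKeeper::RSASHA256:
    minBits = 512;
    break;
  case DNSSECKeeper::RSASHA512:
    minBits = 1024;
    break;
  default:
    break; // other algorithms: no size bound enforced here, as before
  }
  if (minBits != 0 && (getBits() < minBits || getBits() > 4096)) {
    return false;
  }
  return (RSA_check_key(d_key) == 1);
}
```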
@@ -279,6 +279,26 @@ int checkZone(DNSSECKeeper &dk, UeberBackend &B, const DNSName& zone, const vect
   if (!validKeys) {
     numerrors++;
     cout<<"[Error] zone '" << zone << "' has at least one invalid DNS Private Key." << endl;
+    vector dbkeyset;
+    B.getDomainKeys(zone, dbkeyset);
+
+    for(const DNSBackend::KeyData &keydata : dbkeyset) {
+      DNSKEYRecordContent dkrc;
+      shared_ptr dke(DNSCryptoKeyEngine::makeFromISCString(dkrc, keydata.content));
+      string msg;
+      if ((dke->getAlgorithm() == DNSSECKeeper::RSASHA1 || dke->getAlgorithm() == DNSSECKeeper::RSASHA1NSEC3SHA1) && (dke->getBits() < 512 || dke->getBits() > 4096)) {
+        msg = "512 and 4096";
+      }
+      if (dke->getAlgorithm() == DNSSECKeeper::RSASHA256 && (dke->getBits() < 512 || dke->getBits() > 4096)) {
+        msg = "512 and 4096";
+      }
+      if (dke->getAlgorithm() == DNSSECKeeper::RSASHA512 && (dke->getBits() < 1024 || dke->getBits() > 4096)) {
+        msg = "1024 and 4096";
+      }
+      if (!msg.empty()) {
+        cout<<"[Error] zone '" << zone << "' key with algorithm " << DNSSECKeeper::algorithm2name(dke->getAlgorithm()) << " has a keysize of " << dke->getBits() << ", which is not between " << msg << endl;
+      }
+    }
   }
 
   // Check for delegation in parent zone
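Review bot: `dke->getAlgorithm()` on the line after the `makeFromISCString` call is reached without checking the result, yet this loop only runs once at least one stored key is already known to be invalid, so an unparsable key record is exactly the input it will meet; if makeFromISCString returns a null pointer or throws on such content (the hunk does not show which), checkZone would crash or abort instead of reporting. A guard such as `if (!dke) { continue; }` (or a try/catch around the construction that names the key and continues) keeps the diagnostic path robust. Note also that a key that is invalid for any reason other than its modulus size still gets only the generic message above the loop, because `msg` is set solely by the size comparisons, and the first two `if`s assign the same `"512 and 4096"` text and could be a single condition. The enclosing checkZone() begins before this hunk.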