From 292d907bc072fc7fbd1c29def0ad3d45afc33be7 Mon Sep 17 00:00:00 2001 From: Daniel Salzman Date: Tue, 21 Oct 2025 10:11:14 +0200 Subject: [PATCH] Replace DNSSEC_PKCS8_IMPORT_ERROR and DNSSEC_KEY_IMPORT_ERROR with KNOT_KEY_EIMPORT --- src/libknot/dnssec/error.c | 4 ++-- src/libknot/dnssec/error.h | 4 ++-- src/libknot/dnssec/key/convert.c | 6 +++--- src/libknot/dnssec/key/privkey.c | 2 +- src/libknot/dnssec/keystore/pkcs11.c | 6 +++--- src/libknot/dnssec/pem.c | 2 +- src/libknot/errcode.h | 3 +++ src/libknot/error.c | 3 +++ src/utils/keymgr/bind_privkey.c | 6 +++--- 9 files changed, 21 insertions(+), 15 deletions(-) diff --git a/src/libknot/dnssec/error.c b/src/libknot/dnssec/error.c index 7faa37863f..58e33b03e5 100644 --- a/src/libknot/dnssec/error.c +++ b/src/libknot/dnssec/error.c @@ -25,9 +25,9 @@ static const error_message_t ERROR_MESSAGES[] = { { KNOT_EMALF, "malformed data" }, { KNOT_ENOENT, "not found" }, - { DNSSEC_PKCS8_IMPORT_ERROR, "PKCS #8 import error" }, + { KNOT_KEY_EIMPORT, "PKCS #8 import error" }, { DNSSEC_KEY_EXPORT_ERROR, "key export error" }, - { DNSSEC_KEY_IMPORT_ERROR, "key import error" }, + { KNOT_KEY_EIMPORT, "key import error" }, { DNSSEC_KEY_GENERATE_ERROR, "key generation error" }, { DNSSEC_INVALID_PUBLIC_KEY, "invalid public key" }, diff --git a/src/libknot/dnssec/error.h b/src/libknot/dnssec/error.h index 996753547c..af64eedfe5 100644 --- a/src/libknot/dnssec/error.h +++ b/src/libknot/dnssec/error.h @@ -37,9 +37,9 @@ enum dnssec_error { KNOT_EMALF, KNOT_ENOENT, - DNSSEC_PKCS8_IMPORT_ERROR, + KNOT_KEY_EIMPORT, DNSSEC_KEY_EXPORT_ERROR, - DNSSEC_KEY_IMPORT_ERROR, + KNOT_KEY_EIMPORT, DNSSEC_KEY_GENERATE_ERROR, DNSSEC_INVALID_PUBLIC_KEY, diff --git a/src/libknot/dnssec/key/convert.c b/src/libknot/dnssec/key/convert.c index 7978c3c3c0..c728a0dae5 100644 --- a/src/libknot/dnssec/key/convert.c +++ b/src/libknot/dnssec/key/convert.c 
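Review bot: Folding both DNSSEC_PKCS8_IMPORT_ERROR and DNSSEC_KEY_IMPORT_ERROR into KNOT_KEY_EIMPORT leaves two rows with the same code in ERROR_MESSAGES in src/libknot/dnssec/error.c: `{ KNOT_KEY_EIMPORT, "PKCS #8 import error" }` and `{ KNOT_KEY_EIMPORT, "key import error" }`. If the lookup returns the first match (it is not visible here), the second row is dead, and the reported text differs from the "failed to import key" string added in src/libknot/error.c. The same substitution in the error.h hunk lists `KNOT_KEY_EIMPORT,` twice inside `enum dnssec_error`, which is a redeclared enumerator if that header is still compiled, and it also clashes with the enumerator this commit adds to `enum knot_error` in errcode.h. I would remove both rows from the table and both entries from the enum, so that the code and its message are defined only in errcode.h and src/libknot/error.c. The table and the enum both extend beyond the hunks, so this is judged from the visible lines only.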
@@ -210,7 +210,7 @@ static int rsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t key int result = gnutls_pubkey_import_rsa_raw(key, &modulus, &exponent); if (result != GNUTLS_E_SUCCESS) { - return DNSSEC_KEY_IMPORT_ERROR; + return KNOT_KEY_EIMPORT; } return KNOT_EOK; @@ -266,7 +266,7 @@ static int ecdsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t k int result = gnutls_pubkey_import_ecc_raw(key, curve, &point_x, &point_y); if (result != GNUTLS_E_SUCCESS) { - return DNSSEC_KEY_IMPORT_ERROR; + return KNOT_KEY_EIMPORT; } return KNOT_EOK; @@ -293,7 +293,7 @@ static int eddsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t k int result = gnutls_pubkey_import_ecc_raw(key, curve, &point_x, NULL); if (result != GNUTLS_E_SUCCESS) { - return DNSSEC_KEY_IMPORT_ERROR; + return KNOT_KEY_EIMPORT; } return KNOT_EOK; diff --git a/src/libknot/dnssec/key/privkey.c b/src/libknot/dnssec/key/privkey.c index a1e10553b3..25a1c68d5b 100644 --- a/src/libknot/dnssec/key/privkey.c +++ b/src/libknot/dnssec/key/privkey.c @@ -46,7 +46,7 @@ static int public_from_private(gnutls_privkey_t privkey, gnutls_pubkey_t *pubkey result = gnutls_pubkey_import_privkey(new_key, privkey, 0, 0); if (result != GNUTLS_E_SUCCESS) { gnutls_pubkey_deinit(new_key); - return DNSSEC_KEY_IMPORT_ERROR; + return KNOT_KEY_EIMPORT; } *pubkey = new_key; diff --git a/src/libknot/dnssec/keystore/pkcs11.c b/src/libknot/dnssec/keystore/pkcs11.c index 4be9068883..021320c855 100644 --- a/src/libknot/dnssec/keystore/pkcs11.c +++ b/src/libknot/dnssec/keystore/pkcs11.c @@ -236,7 +236,7 @@ static int import_pem(const dnssec_binary_t *pem, if (gnutls_privkey_import_x509(key, x509_key, 0) != GNUTLS_E_SUCCESS || gnutls_pubkey_import_privkey(pubkey, key, 0, 0) != GNUTLS_E_SUCCESS ) { - r = DNSSEC_KEY_IMPORT_ERROR; + r = KNOT_KEY_EIMPORT; goto fail; } 
@@ -277,13 +277,13 @@ static int pkcs11_import_key(void *_ctx, const dnssec_binary_t *pem, char **id_p r = gnutls_pkcs11_copy_x509_privkey2(ctx->url, key, NULL, &gid, 0, flags); if (r != GNUTLS_E_SUCCESS) { - return DNSSEC_KEY_IMPORT_ERROR; + return KNOT_KEY_EIMPORT; } r = gnutls_pkcs11_copy_pubkey(ctx->url, pubkey, NULL, &gid, 0, flags); if (r != GNUTLS_E_SUCCESS) { // note, we result with dangling private key in the token - return DNSSEC_KEY_IMPORT_ERROR; + return KNOT_KEY_EIMPORT; } *id_ptr = bin_to_hex(id.data, id.size, false); diff --git a/src/libknot/dnssec/pem.c b/src/libknot/dnssec/pem.c index 9a1b94f81c..13b6a5f0e4 100644 --- a/src/libknot/dnssec/pem.c +++ b/src/libknot/dnssec/pem.c @@ -35,7 +35,7 @@ int dnssec_pem_to_x509(const dnssec_binary_t *pem, gnutls_x509_privkey_t *key) r = gnutls_x509_privkey_import_pkcs8(_key, &data, format, password, flags); if (r != GNUTLS_E_SUCCESS) { gnutls_x509_privkey_deinit(_key); - return DNSSEC_PKCS8_IMPORT_ERROR; + return KNOT_KEY_EIMPORT; } *key = _key; diff --git a/src/libknot/errcode.h b/src/libknot/errcode.h index c0e7342822..093bb7392e 100644 --- a/src/libknot/errcode.h +++ b/src/libknot/errcode.h @@ -175,6 +175,9 @@ enum knot_error { KNOT_DNSSEC_ENSEC3_OPTOUT, KNOT_DNSSEC_EKEYTAG_LIMIT, KNOT_DNSSEC_EXTRA_NSEC, + KNOT_KEY_EIMPORT, + KNOT_KEY_EEXPORT, + KNOT_KEY_EGENERATE, KNOT_ERROR_MAX = -501 }; diff --git a/src/libknot/error.c b/src/libknot/error.c index 720b85f658..81525ee9cf 100644 --- a/src/libknot/error.c +++ b/src/libknot/error.c @@ -174,6 +174,9 @@ static const struct error errors[] = { { KNOT_DNSSEC_ENSEC3_OPTOUT, "wrong NSEC3 opt-out" }, { KNOT_DNSSEC_EKEYTAG_LIMIT, "many keys with equal keytag" }, { KNOT_DNSSEC_EXTRA_NSEC, "superfluous NSEC(3)" }, + { KNOT_KEY_EIMPORT, "failed to import key" }, + { KNOT_KEY_EEXPORT, "failed to export key" }, + { KNOT_KEY_EGENERATE, "failed to generate key" }, /* Terminator */ { KNOT_ERROR, NULL } 
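Review bot: The second failure branch in pkcs11_import_key, after `gnutls_pkcs11_copy_pubkey`, returns the same `KNOT_KEY_EIMPORT` as the branch where nothing was written, although the existing comment says the private key is left in the token. A caller or operator cannot tell from the return code that an orphaned private key object now exists on the token and needs cleanup. Consider removing the copied private key before returning, or at least logging the key ID on that path. A minimal step is to make the comment explicit: `// the private key stays in the token without its public key; KNOT_KEY_EIMPORT does not tell the caller`. The function starts and ends outside the hunk, so any cleanup done by the caller is not visible here.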
diff --git a/src/utils/keymgr/bind_privkey.c b/src/utils/keymgr/bind_privkey.c index c58b8f77b4..8c86cde068 100644 --- a/src/utils/keymgr/bind_privkey.c +++ b/src/utils/keymgr/bind_privkey.c @@ -258,7 +258,7 @@ static int rsa_params_to_pem(const bind_privkey_t *params, dnssec_binary_t *pem) result = gnutls_x509_privkey_import_rsa_raw(key, &m, &e, &d, &p, &q, &u); if (result != GNUTLS_E_SUCCESS) { - return DNSSEC_KEY_IMPORT_ERROR; + return KNOT_KEY_EIMPORT; } return dnssec_pem_from_x509(key, pem); @@ -313,7 +313,7 @@ static int ecdsa_params_to_pem(dnssec_key_t *dnskey, const bind_privkey_t *param result = gnutls_x509_privkey_import_ecc_raw(key, curve, &x, &y, &k); if (result != KNOT_EOK) { - return DNSSEC_KEY_IMPORT_ERROR; + return KNOT_KEY_EIMPORT; } gnutls_x509_privkey_fix(key); @@ -350,7 +350,7 @@ static int eddsa_params_to_pem(dnssec_key_t *dnskey, const bind_privkey_t *param result = gnutls_x509_privkey_import_ecc_raw(key, curve, &x, NULL, &k); if (result != KNOT_EOK) { - return DNSSEC_KEY_IMPORT_ERROR; + return KNOT_KEY_EIMPORT; } gnutls_x509_privkey_fix(key); -- 2.47.3
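Review bot: In ecdsa_params_to_pem and eddsa_params_to_pem the result of `gnutls_x509_privkey_import_ecc_raw` is compared with `KNOT_EOK`, while rsa_params_to_pem in the first hunk compares with `GNUTLS_E_SUCCESS`. The check presumably works only because both constants are zero; it should read `if (result != GNUTLS_E_SUCCESS) {` in both places, so that a GnuTLS call is tested against the GnuTLS success code. All three early returns also discard the GnuTLS error code, so a rejected private key file is reported only as a generic import failure. If keymgr has a debug log path, logging `gnutls_strerror(result)` before `return KNOT_KEY_EIMPORT;` would keep the cause visible. All three functions extend beyond their hunks.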