#include <isc/mutex.h>
#include <isc/refcount.h>
+#include <dns/dnssec.h>
#include <dns/keystore.h>
#include <dns/types.h>
*
*/
+bool
+dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey);
+/*%<
+ * Does the DNSSEC key 'dkey' match the policy parameters from the kasp key
+ * 'key'? A DNSSEC key matches if it has the same algorithm and size, and if
+ * it has the same role as the kasp key configuration.
+ *
+ * Requires:
+ *
+ *\li key != NULL
+ *\li dkey != NULL
+ *
+ * Returns:
+ *
+ *\li True, if the DNSSEC key matches.
+ *\li False, otherwise.
+ */
+
bool
dns_kasp_nsec3(dns_kasp_t *kasp);
/*%<
return (key->role & DNS_KASP_KEY_ROLE_ZSK);
}
+bool
+dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey) {
+ isc_result_t ret;
+ bool role = false;
+
+ REQUIRE(key != NULL);
+ REQUIRE(dkey != NULL);
+
+ /* Matching algorithms? */
+ if (dst_key_alg(dkey->key) != dns_kasp_key_algorithm(key)) {
+ return (false);
+ }
+ /* Matching length? */
+ if (dst_key_size(dkey->key) != dns_kasp_key_size(key)) {
+ return (false);
+ }
+ /* Matching role? */
+ ret = dst_key_getbool(dkey->key, DST_BOOL_KSK, &role);
+ if (ret != ISC_R_SUCCESS || role != dns_kasp_key_ksk(key)) {
+ return (false);
+ }
+ ret = dst_key_getbool(dkey->key, DST_BOOL_ZSK, &role);
+ if (ret != ISC_R_SUCCESS || role != dns_kasp_key_zsk(key)) {
+ return (false);
+ }
+ /* Found a match. */
+ return (true);
+}
+
uint8_t
dns_kasp_nsec3iter(dns_kasp_t *kasp) {
REQUIRE(kasp != NULL);
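Review bot: dns_kasp_key_match REQUIREs only `key` and `dkey` to be non-NULL, yet the first comparison passes `dkey->key` straight into dst_key_alg(), so a dns_dnsseckey_t whose `key` member is unset is not rejected by the stated precondition; now that this is a public dns_kasp function rather than a static keymgr helper, the contract should cover it. Add `REQUIRE(dkey->key != NULL);` after the existing `REQUIRE(dkey != NULL);`, and list `*\li dkey->key != NULL` under Requires in the matching kasp.h comment added in the earlier hunk. It is also worth a one-line comment that a dst_key_getbool() failure on DST_BOOL_KSK or DST_BOOL_ZSK is treated as "no match" rather than an error, e.g. `/* A key with no recorded role never matches a policy key. */`, since callers now select or retire keys on this result. This behaviour is inherited from the removed keymgr_dnsseckey_kaspkey_match, so it is a documentation point rather than a regression.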
keymgr_keyrole(key->key));
}
-/*
- * Check if a dnsseckey matches kasp key configuration. A dnsseckey matches
- * if it has the same algorithm and size, and if it has the same role as the
- * kasp key configuration.
- *
- */
-static bool
-keymgr_dnsseckey_kaspkey_match(dns_dnsseckey_t *dkey, dns_kasp_key_t *kkey) {
- dst_key_t *key;
- isc_result_t ret;
- bool role = false;
-
- REQUIRE(dkey != NULL);
- REQUIRE(kkey != NULL);
-
- key = dkey->key;
-
- /* Matching algorithms? */
- if (dst_key_alg(key) != dns_kasp_key_algorithm(kkey)) {
- return (false);
- }
- /* Matching length? */
- if (dst_key_size(key) != dns_kasp_key_size(kkey)) {
- return (false);
- }
- /* Matching role? */
- ret = dst_key_getbool(key, DST_BOOL_KSK, &role);
- if (ret != ISC_R_SUCCESS || role != dns_kasp_key_ksk(kkey)) {
- return (false);
- }
- ret = dst_key_getbool(key, DST_BOOL_ZSK, &role);
- if (ret != ISC_R_SUCCESS || role != dns_kasp_key_zsk(kkey)) {
- return (false);
- }
-
- /* Found a match. */
- return (true);
-}
-
static bool
keymgr_keyid_conflict(dst_key_t *newkey, dns_dnsseckeylist_t *keys) {
uint16_t id = dst_key_id(newkey);
for (candidate = ISC_LIST_HEAD(*keyring); candidate != NULL;
candidate = ISC_LIST_NEXT(candidate, link))
{
- if (keymgr_dnsseckey_kaspkey_match(candidate, kaspkey) &&
+ if (dns_kasp_key_match(kaspkey, candidate) &&
dst_key_is_unused(candidate->key))
{
/* Found a candidate in keyring. */
for (kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); kkey != NULL;
kkey = ISC_LIST_NEXT(kkey, link))
{
- if (keymgr_dnsseckey_kaspkey_match(dkey, kkey)) {
+ if (dns_kasp_key_match(kkey, dkey)) {
found_match = true;
break;
}
for (dns_dnsseckey_t *dkey = ISC_LIST_HEAD(*keyring);
dkey != NULL; dkey = ISC_LIST_NEXT(dkey, link))
{
- if (keymgr_dnsseckey_kaspkey_match(dkey, kkey)) {
+ if (dns_kasp_key_match(kkey, dkey)) {
/* Found a match. */
dst_key_format(dkey->key, keystr,
sizeof(keystr));
dnskey != NULL;
dnskey = ISC_LIST_NEXT(dnskey, link))
{
- if (keymgr_dnsseckey_kaspkey_match(dnskey,
- kkey))
- {
+ if (dns_kasp_key_match(kkey, dnskey)) {
/* Found a match. */
dst_key_format(dnskey->key, keystr,
sizeof(keystr));