From: Matthijs Mekking Date: Wed, 9 Mar 2022 09:55:48 +0000 (+0100) Subject: Refactor findmatchingkeys and keylistfromrdataset X-Git-Tag: v9.19.22~70^2~24 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9081426313c9a3e660d83fef90239551c63d36f9;p=thirdparty%2Fbind9.git Refactor findmatchingkeys and keylistfromrdataset Refactor dns_dnssec_findmatchingkeys and dns_dnssec_keylistfromrdataset to take into account the key store directories in case the zone is using dnssec-policy (kasp). Add 'kasp' and 'keystores' parameters. This requires the keystorelist to be stored inside the zone structure. The calls to these functions in the DNSSEC tools can use NULL as the kasp value, as dnssec-signzone does not (yet) support dnssec-policy, and key collision is checked inside the directory where it is created. --- diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 83e3b9ee6af..29ae7d578cb 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -2639,7 +2639,7 @@ loadzonekeys(bool preserve_keys, bool load_public) { /* Load keys corresponding to the existing DNSKEY RRset. */ result = dns_dnssec_keylistfromrdataset( - gorigin, directory, mctx, &rdataset, &keysigs, &soasigs, + gorigin, NULL, directory, mctx, &rdataset, &keysigs, &soasigs, preserve_keys, load_public, &keylist); if (result != ISC_R_SUCCESS) { fatal("failed to load the zone keys: %s", @@ -2830,8 +2830,8 @@ findkeys: /* * Find keys that match this zone in the key repository. */ - result = dns_dnssec_findmatchingkeys(gorigin, directory, now, mctx, - &matchkeys); + result = dns_dnssec_findmatchingkeys(gorigin, NULL, directory, NULL, + now, mctx, &matchkeys); if (result == ISC_R_NOTFOUND) { result = ISC_R_SUCCESS; } diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 92980a8ca9c..59fc80b3f65 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c 
@@ -498,7 +498,8 @@ key_collision(dst_key_t *dstkey, dns_name_t *name, const char *dir, alg = dst_key_alg(dstkey); ISC_LIST_INIT(matchkeys); - result = dns_dnssec_findmatchingkeys(name, dir, now, mctx, &matchkeys); + result = dns_dnssec_findmatchingkeys(name, NULL, dir, NULL, now, mctx, + &matchkeys); if (result == ISC_R_NOTFOUND) { return (false); } diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h index dbecd4a79e8..1eb059b25a0 100644 --- a/bin/named/include/named/zoneconf.h +++ b/bin/named/include/named/zoneconf.h @@ -28,8 +28,8 @@ ISC_LANG_BEGINDECLS isc_result_t named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac, - dns_kasplist_t *kasplist, dns_zone_t *zone, - dns_zone_t *raw); + dns_kasplist_t *kasplist, dns_keystorelist_t *keystores, + dns_zone_t *zone, dns_zone_t *raw); /*%< * Configure or reconfigure a zone according to the named.conf * data. diff --git a/bin/named/server.c b/bin/named/server.c index d8bda0f3d23..c371fb9c083 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -442,8 +442,8 @@ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, dns_view_t *view, dns_viewlist_t *viewlist, dns_kasplist_t *kasplist, - cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok, - bool modify); + dns_keystorelist_t *keystores, cfg_aclconfctx_t *aclconf, + bool added, bool old_rpz_ok, bool modify); static void configure_zone_setviewcommit(isc_result_t result, const cfg_obj_t *zconfig, 
@@ -2788,13 +2788,13 @@ catz_addmodzone_cb(void *arg) { zoneobj = cfg_listelt_value(cfg_list_first(zlist)); /* Mark view unfrozen so that zone can be added */ - isc_loopmgr_pause(named_g_loopmgr); dns_view_thaw(cz->view); result = configure_zone(cfg->config, zoneobj, cfg->vconfig, cz->view, &cz->cbd->server->viewlist, - &cz->cbd->server->kasplist, cfg->actx, true, - false, cz->mod); + &cz->cbd->server->kasplist, + &cz->cbd->server->keystorelist, + cfg->actx, true, false, cz->mod); dns_view_freeze(cz->view); isc_loopmgr_resume(named_g_loopmgr); @@ -3976,8 +3976,9 @@ static const char *const response_synonyms[] = { "response", NULL }; static isc_result_t configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, cfg_obj_t *vconfig, named_cachelist_t *cachelist, - dns_kasplist_t *kasplist, const cfg_obj_t *bindkeys, - isc_mem_t *mctx, cfg_aclconfctx_t *actx, bool need_hints) { + dns_kasplist_t *kasplist, dns_keystorelist_t *keystores, + const cfg_obj_t *bindkeys, isc_mem_t *mctx, + cfg_aclconfctx_t *actx, bool need_hints) { const cfg_obj_t *maps[4]; const cfg_obj_t *cfgmaps[3]; const cfg_obj_t *optionmaps[3]; @@ -4122,7 +4123,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config, { const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, view, viewlist, - kasplist, actx, false, old_rpz_ok, false)); + kasplist, keystores, actx, false, + old_rpz_ok, false)); zone_element_latest = element; } 
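Review bot: The `-` marker just before `isc_loopmgr_pause(named_g_loopmgr);` in the catz_addmodzone_cb hunk needs a second look: in this collapsed rendering it is ambiguous whether it removes that call or only the blank line ahead of it. If the pause call itself is gone, the `isc_loopmgr_resume(named_g_loopmgr);` two lines below is left unpaired and `dns_view_thaw`/`configure_zone` run without the loops paused, which has nothing to do with the keystore plumbing this commit is about. If the pause was instead moved earlier in the function, outside this hunk, a one-line comment at the resume such as `/* paired with the isc_loopmgr_pause() above */` would make that visible to the next reader. catz_addmodzone_cb begins and ends outside the hunk.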
@@ -6430,8 +6432,8 @@ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, dns_view_t *view, dns_viewlist_t *viewlist, dns_kasplist_t *kasplist, - cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok, - bool modify) { + dns_keystorelist_t *keystores, cfg_aclconfctx_t *aclconf, + bool added, bool old_rpz_ok, bool modify) { dns_view_t *pview = NULL; /* Production view */ dns_zone_t *zone = NULL; /* New or reused zone */ dns_zone_t *raw = NULL; /* New or reused raw zone */ @@ -6625,7 +6627,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, dns_zone_setstats(zone, named_g_server->zonestats); } CHECK(named_zone_configure(config, vconfig, zconfig, aclconf, - kasplist, zone, NULL)); + kasplist, keystores, zone, NULL)); dns_zone_attach(zone, &view->redirect); goto cleanup; } @@ -6801,7 +6803,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, * Configure the zone. */ CHECK(named_zone_configure(config, vconfig, zconfig, aclconf, kasplist, - zone, raw)); + keystores, zone, raw)); /* * Add the zone to its view in the new view list. @@ -7801,7 +7803,8 @@ configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, view, &named_g_server->viewlist, - &named_g_server->kasplist, actx, true, + &named_g_server->kasplist, + &named_g_server->keystorelist, actx, true, false, false)); } @@ -7986,7 +7989,8 @@ configure_newzone(const cfg_obj_t *zconfig, cfg_obj_t *config, cfg_aclconfctx_t *actx) { return (configure_zone( config, zconfig, vconfig, view, &named_g_server->viewlist, - &named_g_server->kasplist, actx, true, false, false)); + &named_g_server->kasplist, &named_g_server->keystorelist, actx, + true, false, false)); } /*% 
@@ -9083,7 +9087,8 @@ load_configuration(const char *filename, named_server_t *server, } result = configure_view(view, &viewlist, config, vconfig, - &cachelist, &server->kasplist, bindkeys, + &cachelist, &server->kasplist, + &server->keystorelist, bindkeys, named_g_mctx, named_g_aclconfctx, true); if (result != ISC_R_SUCCESS) { dns_view_detach(&view); @@ -9104,7 +9109,8 @@ load_configuration(const char *filename, named_server_t *server, goto cleanup_cachelist; } result = configure_view(view, &viewlist, config, NULL, - &cachelist, &server->kasplist, bindkeys, + &cachelist, &server->kasplist, + &server->keystorelist, bindkeys, named_g_mctx, named_g_aclconfctx, true); if (result != ISC_R_SUCCESS) { dns_view_detach(&view); @@ -9132,7 +9138,8 @@ load_configuration(const char *filename, named_server_t *server, } result = configure_view(view, &viewlist, config, vconfig, - &cachelist, &server->kasplist, bindkeys, + &cachelist, &server->kasplist, + &server->keystorelist, bindkeys, named_g_mctx, named_g_aclconfctx, false); if (result != ISC_R_SUCCESS) { @@ -13417,8 +13424,9 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, /* Mark view unfrozen and configure zone */ dns_view_thaw(view); result = configure_zone(cfg->config, zoneobj, cfg->vconfig, view, - &server->viewlist, &server->kasplist, cfg->actx, - true, false, false); + &server->viewlist, &server->kasplist, + &server->keystorelist, cfg->actx, true, false, + false); dns_view_freeze(view); isc_loopmgr_resume(named_g_loopmgr); @@ -13602,8 +13610,9 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view, /* Reconfigure the zone */ dns_view_thaw(view); result = configure_zone(cfg->config, zoneobj, cfg->vconfig, view, - &server->viewlist, &server->kasplist, cfg->actx, - true, false, true); + &server->viewlist, &server->kasplist, + &server->keystorelist, cfg->actx, true, false, + true); dns_view_freeze(view); isc_loopmgr_resume(named_g_loopmgr); 
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 06982f9aeb1..1359507a04d 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -866,8 +866,8 @@ process_notifytype(dns_notifytype_t ntype, dns_zonetype_t ztype, isc_result_t named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac, - dns_kasplist_t *kasplist, dns_zone_t *zone, - dns_zone_t *raw) { + dns_kasplist_t *kasplist, dns_keystorelist_t *keystorelist, + dns_zone_t *zone, dns_zone_t *raw) { isc_result_t result; const char *zname; dns_rdataclass_t zclass; @@ -1576,6 +1576,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, filename = cfg_obj_asstring(obj); CHECK(dns_zone_setkeydirectory(zone, filename)); } + /* Also save a reference to the keystore list. */ + dns_zone_setkeystores(zone, keystorelist); obj = NULL; result = named_config_get(maps, "sig-signing-signatures", &obj); diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index 6b45dfc1178..90234daa27d 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c 
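Review bot: `dns_zone_setkeystores(zone, keystorelist);` hands the zone a bare pointer into the server's keystore list, but neither the new comment here nor the `dns_zone_setkeystores` declaration added to lib/dns/include/dns/zone.h later in this commit says who owns it or how long it must stay valid; that is a different contract from `dns_zone_setkeydirectory` just above, which copies the string. Since the setter in the lib/dns/zone.c hunk only stores the pointer and takes no reference, the comment should say so, e.g. `/* The zone keeps a pointer to the server's keystore list; it is not reference-counted and must outlive the zone. */`, and the same sentence belongs in the zone.h block comment. Whether a reconfiguration ever rebuilds the server's list while configured zones still point at it is not visible here and is worth confirming. named_zone_configure continues outside this hunk.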
@@ -1396,32 +1396,18 @@ dns_dnssec_get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) { } } -/*% - * Get a list of DNSSEC keys from the key repository. - */ -isc_result_t -dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, - isc_stdtime_t now, isc_mem_t *mctx, - dns_dnsseckeylist_t *keylist) { +static isc_result_t +findmatchingkeys(const char *directory, char *namebuf, unsigned int len, + isc_mem_t *mctx, isc_stdtime_t now, + dns_dnsseckeylist_t *list) { isc_result_t result = ISC_R_SUCCESS; - bool dir_open = false; - dns_dnsseckeylist_t list; isc_dir_t dir; + bool dir_open = false; + unsigned int i, alg; dns_dnsseckey_t *key = NULL; dst_key_t *dstkey = NULL; - char namebuf[DNS_NAME_FORMATSIZE]; - isc_buffer_t b; - unsigned int len, i, alg; - REQUIRE(keylist != NULL); - ISC_LIST_INIT(list); isc_dir_init(&dir); - - isc_buffer_init(&b, namebuf, sizeof(namebuf) - 1); - RETERR(dns_name_tofilenametext(origin, false, &b)); - len = isc_buffer_usedlength(&b); - namebuf[len] = '\0'; - if (directory == NULL) { directory = "."; } 
@@ -1508,11 +1494,77 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, if (key->legacy) { dns_dnsseckey_destroy(mctx, &key); } else { - ISC_LIST_APPEND(list, key, link); + ISC_LIST_APPEND(*list, key, link); key = NULL; } } +failure: + if (dir_open) { + isc_dir_close(&dir); + } + if (dstkey != NULL) { + dst_key_free(&dstkey); + } + return (result); +} + +/*% + * Get a list of DNSSEC keys from the key repository. + */ +isc_result_t +dns_dnssec_findmatchingkeys(const dns_name_t *origin, dns_kasp_t *kasp, + const char *keydir, dns_keystorelist_t *keystores, + isc_stdtime_t now, isc_mem_t *mctx, + dns_dnsseckeylist_t *keylist) { + isc_result_t result = ISC_R_SUCCESS; + dns_dnsseckeylist_t list; + dns_dnsseckey_t *key = NULL; + char namebuf[DNS_NAME_FORMATSIZE]; + isc_buffer_t b; + unsigned int len; + + REQUIRE(keylist != NULL); + ISC_LIST_INIT(list); + + isc_buffer_init(&b, namebuf, sizeof(namebuf) - 1); + RETERR(dns_name_tofilenametext(origin, false, &b)); + len = isc_buffer_usedlength(&b); + namebuf[len] = '\0'; + + if (kasp == NULL || (strcmp(dns_kasp_getname(kasp), "none") == 0) || + (strcmp(dns_kasp_getname(kasp), "insecure") == 0)) + { + RETERR(findmatchingkeys(keydir, namebuf, len, mctx, now, + &list)); + } else if (keystores != NULL) { + for (dns_keystore_t *keystore = ISC_LIST_HEAD(*keystores); + keystore != NULL; keystore = ISC_LIST_NEXT(keystore, link)) + { + for (dns_kasp_key_t *kkey = + ISC_LIST_HEAD(dns_kasp_keys(kasp)); + kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link)) + { + if (dns_kasp_key_keystore(kkey) == keystore) { + const char *directory = + dns_keystore_directory( + keystore); + if (directory == NULL || + (strcmp(dns_keystore_name(keystore), + DNS_KEYSTORE_KEYDIRECTORY) == + 0)) + { + directory = keydir; + } + RETERR(findmatchingkeys( + directory, namebuf, len, mctx, + now, &list)); + break; + } + } + } + } + if (!ISC_LIST_EMPTY(list)) { result = ISC_R_SUCCESS; ISC_LIST_APPENDLIST(*keylist, list, link); 
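Review bot: In the new `dns_dnssec_findmatchingkeys`, a zone with a real policy but `keystores == NULL` scans no directory at all, although the header comment added in lib/dns/include/dns/dnssec.h says the key directory is used otherwise; adding `else { RETERR(findmatchingkeys(keydir, namebuf, len, mctx, now, &list)); }` after the keystores branch would match the documented fallback. The keystore loop can also resolve two entries to the same path (a keystore whose `dns_keystore_directory` is NULL and the built-in `DNS_KEYSTORE_KEYDIRECTORY` store both map to `keydir`), in which case that directory is scanned twice and the same keys are appended to `list` twice; whether a later consumer de-duplicates is not visible here. In the static helper, the new `failure:` block frees `dstkey` but drops the original `INSIST(key == NULL)`; the copy kept in the outer function now only checks a `key` that is never assigned before the cleanup loop, so moving `INSIST(key == NULL);` into the helper's failure block restores the check (the helper's body between the previous hunk and this one is not shown). The helper starts in the previous hunk.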
@@ -1521,19 +1573,12 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, } failure: - if (dir_open) { - isc_dir_close(&dir); - } - INSIST(key == NULL); while ((key = ISC_LIST_HEAD(list)) != NULL) { ISC_LIST_UNLINK(list, key, link); INSIST(key->key != NULL); dst_key_free(&key->key); dns_dnsseckey_destroy(mctx, &key); } - if (dstkey != NULL) { - dst_key_free(&dstkey); - } return (result); } 
@@ -1641,15 +1686,54 @@ mark_active_keys(dns_dnsseckeylist_t *keylist, dns_rdataset_t *rrsigs) { return (result); } +static isc_result_t +keyfromfile(dns_kasp_t *kasp, const char *keydir, dst_key_t *key, int type, + isc_mem_t *mctx, dst_key_t **savekey) { + const char *directory = keydir; + isc_result_t result = ISC_R_NOTFOUND; + + if (kasp == NULL || (strcmp(dns_kasp_getname(kasp), "none") == 0) || + (strcmp(dns_kasp_getname(kasp), "insecure") == 0)) + { + result = dst_key_fromfile(dst_key_name(key), dst_key_id(key), + dst_key_alg(key), type, directory, + mctx, savekey); + } else { + for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp)); + kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link)) + { + dns_keystore_t *ks = dns_kasp_key_keystore(kkey); + if (ks == NULL || + strcmp(dns_keystore_name(ks), + DNS_KEYSTORE_KEYDIRECTORY) == 0) + { + directory = keydir; + } else { + directory = dns_keystore_directory(ks); + } + + result = dst_key_fromfile(dst_key_name(key), + dst_key_id(key), + dst_key_alg(key), type, + directory, mctx, savekey); + if (result == ISC_R_SUCCESS) { + break; + } + } + } + + return (result); +} + /*% * Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'. */ isc_result_t -dns_dnssec_keylistfromrdataset(const dns_name_t *origin, const char *directory, - isc_mem_t *mctx, dns_rdataset_t *keyset, - dns_rdataset_t *keysigs, dns_rdataset_t *soasigs, - bool savekeys, bool publickey, - dns_dnsseckeylist_t *keylist) { +dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp, + const char *directory, isc_mem_t *mctx, + dns_rdataset_t *keyset, dns_rdataset_t *keysigs, + dns_rdataset_t *soasigs, bool savekeys, + bool publickey, dns_dnsseckeylist_t *keylist) { dns_rdataset_t keys; dns_rdata_t rdata = DNS_RDATA_INIT; dst_key_t *dnskey = NULL, *pubkey = NULL, *privkey = NULL; 
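Review bot: In `keyfromfile`, the `else` branch assigns `directory = dns_keystore_directory(ks);` without a NULL check, so a keystore with no directory configured passes a NULL `directory` to `dst_key_fromfile`, whereas `dns_dnssec_findmatchingkeys` in this same commit treats a NULL keystore directory as `keydir`; the two should agree, e.g. `directory = dns_keystore_directory(ks); if (directory == NULL) { directory = keydir; }`. A policy whose key list is empty leaves `result` at its initial `ISC_R_NOTFOUND`, which the caller in the next hunk does not map to success alongside `ISC_R_FILENOTFOUND`/`ISC_R_NOPERM`, so `RETERR(result)` would fail the whole rdataset load; if such policies cannot reach this code, a comment saying why is enough. The loop also calls `dst_key_fromfile` once per policy key even when several keys share a keystore, so the same directory is tried repeatedly; harmless, but a short `/* several policy keys may share a keystore; repeated lookups are redundant */` or a skip would make the intent clear. dns_dnssec_keylistfromrdataset's body continues outside the hunk.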
@@ -1695,21 +1779,19 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, const char *directory, } /* Try to read the public key. */ - result = dst_key_fromfile( - dst_key_name(dnskey), dst_key_id(dnskey), - dst_key_alg(dnskey), (DST_TYPE_PUBLIC | DST_TYPE_STATE), - directory, mctx, &pubkey); + result = keyfromfile(kasp, directory, dnskey, + (DST_TYPE_PUBLIC | DST_TYPE_STATE), mctx, + &pubkey); if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) { result = ISC_R_SUCCESS; } RETERR(result); /* Now read the private key. */ - result = dst_key_fromfile( - dst_key_name(dnskey), dst_key_id(dnskey), - dst_key_alg(dnskey), + result = keyfromfile( + kasp, directory, dnskey, (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE), - directory, mctx, &privkey); + mctx, &privkey); /* * If the key was revoked and the private file @@ -1722,12 +1804,11 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, const char *directory, if ((flags & DNS_KEYFLAG_REVOKE) != 0) { dst_key_setflags(dnskey, flags & ~DNS_KEYFLAG_REVOKE); - result = dst_key_fromfile( - dst_key_name(dnskey), - dst_key_id(dnskey), dst_key_alg(dnskey), - (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | - DST_TYPE_STATE), - directory, mctx, &privkey); + result = keyfromfile(kasp, directory, dnskey, + (DST_TYPE_PUBLIC | + DST_TYPE_PRIVATE | + DST_TYPE_STATE), + mctx, &privkey); if (result == ISC_R_SUCCESS && dst_key_pubcompare(dnskey, privkey, false)) { @@ -1750,7 +1831,7 @@ dns_dnssec_keylistfromrdataset(const dns_name_t *origin, const char *directory, dst_key_alg(dnskey), (DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE), - directory, mctx, &buf); + NULL, mctx, &buf); if (result2 != ISC_R_SUCCESS) { char namebuf[DNS_NAME_FORMATSIZE]; char algbuf[DNS_SECALG_FORMATSIZE]; diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h index 903d40c4f71..b9bdffc6819 100644 --- a/lib/dns/include/dns/dnssec.h +++ b/lib/dns/include/dns/dnssec.h 
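Review bot: The last change in this hunk passes `NULL` instead of `directory` to the call that builds the file name for the diagnostic (apparently dst_key_getfilename; its name sits just outside the hunk), so the reported name no longer carries the directory that was searched, and with several keystores in play that is exactly the detail an operator needs to locate the missing private key. If `keyfromfile` cannot report the directory it settled on, the non-kasp case should at least still pass `directory`, or a comment should state that the path is omitted on purpose because it may differ per keystore. The enclosing function begins and ends outside the hunk.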
@@ -22,6 +22,7 @@ #include #include +#include #include #include @@ -295,11 +296,15 @@ dns_dnssec_get_hints(dns_dnsseckey_t *key, isc_stdtime_t now); */ isc_result_t -dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, +dns_dnssec_findmatchingkeys(const dns_name_t *origin, dns_kasp_t *kasp, + const char *keydir, dns_keystorelist_t *keystores, isc_stdtime_t now, isc_mem_t *mctx, dns_dnsseckeylist_t *keylist); /*%< - * Search 'directory' for K* key files matching the name in 'origin'. + * Search for K* key files matching the name in 'origin'. If 'kasp' is not + * NULL, search in the directories used in 'keystores'. Otherwise search in the + * key-directory 'keydir'. + * * Append all such keys, along with use hints gleaned from their * metadata, onto 'keylist'. Skip any unsupported algorithms. * 
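Review bot: The new comment on `dns_dnssec_findmatchingkeys` says the key directory is searched whenever 'kasp' is NULL and the keystores otherwise, but the implementation in lib/dns/dnssec.c also uses 'keydir' for policies named "none" or "insecure", for a keystore named `DNS_KEYSTORE_KEYDIRECTORY` or one without a directory, and searches nothing when 'kasp' is set but 'keystores' is NULL. Suggested wording: `If 'kasp' is NULL, or names the built-in "none" or "insecure" policy, search the key-directory 'keydir'; otherwise search the directory of every key store in 'keystores' that 'kasp' uses, with 'keydir' standing in for the built-in key-directory store or a store without a directory.` The `dns_dnssec_keylistfromrdataset` comment in the next hunk has the same gap ("or 'directory' if 'kasp' is NULL") and should describe the same rule.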
@@ -318,17 +323,18 @@ dns_dnssec_findmatchingkeys(const dns_name_t *origin, const char *directory, */ isc_result_t -dns_dnssec_keylistfromrdataset(const dns_name_t *origin, const char *directory, - isc_mem_t *mctx, dns_rdataset_t *keyset, - dns_rdataset_t *keysigs, dns_rdataset_t *soasigs, - bool savekeys, bool publickey, - dns_dnsseckeylist_t *keylist); +dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp, + const char *directory, isc_mem_t *mctx, + dns_rdataset_t *keyset, dns_rdataset_t *keysigs, + dns_rdataset_t *soasigs, bool savekeys, + bool publickey, dns_dnsseckeylist_t *keylist); /*%< * Append the contents of a DNSKEY rdataset 'keyset' to 'keylist'. - * Omit duplicates. If 'publickey' is false, search 'directory' for - * matching key files, and load the private keys that go with - * the public ones. If 'savekeys' is true, mark the keys so - * they will not be deleted or inactivated regardless of metadata. + * Omit duplicates. If 'publickey' is false, search the key stores referenced + * in 'kasp', or 'directory' if 'kasp' is NULL, for matching key files, and + * load the private keys that go with the public ones. If 'savekeys' is true, + * mark the keys so they will not be deleted or inactivated regardless of + * metadata. * * 'keysigs' and 'soasigs', if not NULL and associated, contain the * RRSIGS for the DNSKEY and SOA records respectively and are used to mark diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index de48246d1d7..a463fee162e 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h @@ -1595,7 +1595,7 @@ isc_result_t dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory); /*%< * Sets the name of the directory where private keys used for - * online signing of dynamic zones are found. + * online signing or dynamic zones are found. * * Require: *\li 'zone' to be a valid zone. 
@@ -1618,6 +1618,29 @@ dns_zone_getkeydirectory(dns_zone_t *zone); * Pointer to null-terminated file name, or NULL. */ +void +dns_zone_setkeystores(dns_zone_t *zone, dns_keystorelist_t *keystores); +/*%< + * Sets the keystore list where private keys used for + * online signing or dynamic zones are found. + * + * Require: + *\li 'zone' to be a valid zone. + */ + +dns_keystorelist_t * +dns_zone_getkeystores(dns_zone_t *zone); +/*%< + * Gets the keystore list where private keys used for + * online signing or dynamic zones are found. + * + * Require: + *\li 'zone' to be a valid zone. + * + * Returns: + * Pointer to the keystore list, or NULL. + */ + isc_result_t dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now, dns_dnsseckeylist_t *keys); diff --git a/lib/dns/update.c b/lib/dns/update.c index 6bef476fd5d..cbcbe1c1390 100644 --- a/lib/dns/update.c +++ b/lib/dns/update.c @@ -1056,13 +1056,20 @@ find_zone_keys(dns_zone_t *zone, isc_mem_t *mctx, unsigned int maxkeys, unsigned int count = 0; isc_result_t result; isc_stdtime_t now = isc_stdtime_now(); + dns_kasp_t *kasp; + dns_keystorelist_t *keystores; + const char *keydir; ISC_LIST_INIT(keylist); + kasp = dns_zone_getkasp(zone); + keydir = dns_zone_getkeydirectory(zone); + keystores = dns_zone_getkeystores(zone); + dns_zone_lock_keyfiles(zone); - result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), - dns_zone_getkeydirectory(zone), - now, mctx, &keylist); + result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), kasp, + keydir, keystores, now, mctx, + &keylist); dns_zone_unlock_keyfiles(zone); if (result != ISC_R_SUCCESS) { diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 0e4be369486..7651dcb3e92 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -303,6 +303,7 @@ struct dns_zone { isc_stdtime_t log_key_expired_timer; char *keydirectory; dns_keyfileio_t *kfio; + dns_keystorelist_t *keystores; uint32_t maxrefresh; uint32_t minrefresh; 
@@ -6120,8 +6121,8 @@ dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, /* Get keys from private key files. */ dns_zone_lock_keyfiles(zone); - result = dns_dnssec_findmatchingkeys(origin, dir, now, - dns_zone_getmctx(zone), keys); + result = dns_dnssec_findmatchingkeys(origin, kasp, dir, zone->keystores, + now, dns_zone_getmctx(zone), keys); dns_zone_unlock_keyfiles(zone); if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { @@ -6134,8 +6135,8 @@ dns_zone_getdnsseckeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_rdatatype_none, 0, &keyset, NULL); if (result == ISC_R_SUCCESS) { CHECK(dns_dnssec_keylistfromrdataset( - origin, dir, dns_zone_getmctx(zone), &keyset, NULL, - NULL, false, false, &dnskeys)); + origin, kasp, dir, dns_zone_getmctx(zone), &keyset, + NULL, NULL, false, false, &dnskeys)); } else if (result != ISC_R_NOTFOUND) { CHECK(result); } @@ -15920,6 +15921,9 @@ dns_zone_dnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata, bool *inuse) { isc_result_t result = ISC_R_SUCCESS; isc_stdtime_t now = isc_stdtime_now(); isc_mem_t *mctx; + dns_kasp_t *kasp; + dns_keystorelist_t *keystores; + const char *keydir; REQUIRE(DNS_ZONE_VALID(zone)); REQUIRE(dns_rdatatype_iskeymaterial(rdata->type)); @@ -15930,10 +15934,14 @@ dns_zone_dnskey_inuse(dns_zone_t *zone, dns_rdata_t *rdata, bool *inuse) { *inuse = false; + kasp = dns_zone_getkasp(zone); + keydir = dns_zone_getkeydirectory(zone); + keystores = dns_zone_getkeystores(zone); + dns_zone_lock_keyfiles(zone); - result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), - dns_zone_getkeydirectory(zone), - now, mctx, &keylist); + result = dns_dnssec_findmatchingkeys(dns_zone_getorigin(zone), kasp, + keydir, keystores, now, mctx, + &keylist); dns_zone_unlock_keyfiles(zone); if (result == ISC_R_NOTFOUND) { return (ISC_R_SUCCESS); 
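Review bot: `dns_zone_getdnsseckeys` passes `zone->keystores` straight to `dns_dnssec_findmatchingkeys`, and `zone_rekey` in the last hunk of this file does the same, while `dns_zone_dnskey_inuse` below and `find_zone_keys` in lib/dns/update.c go through `dns_zone_getkeystores(zone)`; the getter is what substitutes the secure zone's list for an inline-signing raw zone, so the direct reads see NULL if they are ever reached with such a zone. Unless the zone lock is already held at those two call sites (which would make the getter's `LOCK_ZONE` a deadlock and the direct read deliberate), `zone->keystores` should become `dns_zone_getkeystores(zone)` in both; if it is deliberate, a one-line comment such as `/* zone lock held: read the field directly, see dns_zone_getkeystores() */` would stop the next reader from "fixing" it. Where `kasp` and `dir` are assigned in dns_zone_getdnsseckeys is outside the hunk.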
@@ -19414,6 +19422,32 @@ dns_zone_getkeydirectory(dns_zone_t *zone) { return (zone->keydirectory); } +void +dns_zone_setkeystores(dns_zone_t *zone, dns_keystorelist_t *keystores) { + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK_ZONE(zone); + zone->keystores = keystores; + UNLOCK_ZONE(zone); +} + +dns_keystorelist_t * +dns_zone_getkeystores(dns_zone_t *zone) { + dns_keystorelist_t *ks = NULL; + + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK_ZONE(zone); + if (inline_raw(zone) && zone->secure != NULL) { + ks = zone->secure->keystores; + } else { + ks = zone->keystores; + } + UNLOCK_ZONE(zone); + + return (ks); +} + unsigned int dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) { dns_zone_t *zone; @@ -21634,8 +21668,8 @@ zone_rekey(dns_zone_t *zone) { dns_zone_lock_keyfiles(zone); result = dns_dnssec_keylistfromrdataset( - &zone->origin, dir, mctx, &keyset, &keysigs, &soasigs, - false, false, &dnskeys); + &zone->origin, kasp, dir, mctx, &keyset, &keysigs, + &soasigs, false, false, &dnskeys); dns_zone_unlock_keyfiles(zone); @@ -21696,8 +21730,8 @@ zone_rekey(dns_zone_t *zone) { KASP_LOCK(kasp); dns_zone_lock_keyfiles(zone); - result = dns_dnssec_findmatchingkeys(&zone->origin, dir, now, mctx, - &keys); + result = dns_dnssec_findmatchingkeys(&zone->origin, kasp, dir, + zone->keystores, now, mctx, &keys); dns_zone_unlock_keyfiles(zone); if (result != ISC_R_SUCCESS) {