diff --git a/CHANGES b/CHANGES
index 20af6fe06e..c1cbe3cf20 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5045. [cleanup] Remove support for DNSSEC algorithms 3 (DSA)
+ and 6 (DSA-NSEC3-SHA1). [GL #22]
+
5044. [cleanup] If "dnssec-enable" is no, then "dnssec-validation"
now also defaults to no. [GL #388]
diff --git a/bin/python/dnssec-keymgr.docbook b/bin/python/dnssec-keymgr.docbook
index e7af3562cb..df9bc55f38 100644
--- a/bin/python/dnssec-keymgr.docbook
+++ b/bin/python/dnssec-keymgr.docbook
@@ -299,8 +299,7 @@
Takes two arguments: keytype (eihter "zsk" or "ksk") and size.
A default value for this option can be set in algorithm policies
as well as in policy classes or zone policies. If no policy is
- configured, the default is 1024 bits for DSA keys and 2048 for
- RSA.
+ configured, the default is 2048 bits for RSA keys.
diff --git a/bin/python/isc/dnskey.py.in b/bin/python/isc/dnskey.py.in
index 18a193acd4..8c5a80f7c1 100644
--- a/bin/python/isc/dnskey.py.in
+++ b/bin/python/isc/dnskey.py.in
@@ -32,7 +32,7 @@ class dnskey:
_ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
- 'RSASHA512', None, None, 'ECDSAP256SHA256',
+ 'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
'ECDSAP384SHA384', 'ED25519', 'ED448')
def __init__(self, key, directory=None, keyttl=None):
diff --git a/bin/python/isc/policy.py.in b/bin/python/isc/policy.py.in
index 99fa22ca11..8af8a2517d 100644
--- a/bin/python/isc/policy.py.in
+++ b/bin/python/isc/policy.py.in
@@ -71,7 +71,7 @@ class PolicyLex:
return t
def t_ALGNAME(self, t):
- r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
+ r'(?i)\b(RSAMD5|DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
t.value = t.value.upper()
return t
@@ -132,9 +132,7 @@ class Policy:
keyttl = None
coverage = None
directory = None
- valid_key_sz_per_algo = {'DSA': [512, 1024],
- 'NSEC3DSA': [512, 1024],
- 'RSAMD5': [1024, 4096],
+ valid_key_sz_per_algo = {'RSAMD5': [1024, 4096],
'RSASHA1': [1024, 4096],
'NSEC3RSASHA1': [512, 4096],
'RSASHA256': [1024, 4096],
@@ -264,19 +262,6 @@ class Policy:
return False, 'ZSK key size %d outside valid range %s' \
% (self.zsk_keysize, key_sz_range)
- # Specific check for DSA keys
- if self.algorithm in ['DSA', 'NSEC3DSA'] and \
- self.ksk_keysize % 64 != 0:
- return False, \
- ('KSK key size %d not divisible by 64 ' +
- 'as required for DSA') % self.ksk_keysize
-
- if self.algorithm in ['DSA', 'NSEC3DSA'] and \
- self.zsk_keysize % 64 != 0:
- return False, \
- ('ZSK key size %d not divisible by 64 ' +
- 'as required for DSA') % self.zsk_keysize
-
if self.algorithm in ['ECDSAP256SHA256', \
'ECDSAP384SHA384', \
'ED25519', \
@@ -335,16 +320,6 @@ class dnssec_policy:
p.zsk_keysize = 2048;
# set default algorithm policies
- # these need a lower default key size:
- self.alg_policy['DSA'] = copy(p)
- self.alg_policy['DSA'].algorithm = "DSA"
- self.alg_policy['DSA'].name = "DSA"
- self.alg_policy['DSA'].ksk_keysize = 1024;
-
- self.alg_policy['NSEC3DSA'] = copy(p)
- self.alg_policy['NSEC3DSA'].algorithm = "NSEC3DSA"
- self.alg_policy['NSEC3DSA'].name = "NSEC3DSA"
- self.alg_policy['NSEC3DSA'].ksk_keysize = 1024;
# these can use default settings
self.alg_policy['RSAMD5'] = copy(p)
diff --git a/bin/python/isc/tests/policy_test.py.in b/bin/python/isc/tests/policy_test.py.in
index b09c62f8aa..51d008d057 100644
--- a/bin/python/isc/tests/policy_test.py.in
+++ b/bin/python/isc/tests/policy_test.py.in
@@ -25,15 +25,6 @@ class PolicyTest(unittest.TestCase):
self.assertEqual(p.constructed(), False)
self.assertEqual(p.validate(), (True, ""))
- p = pol.policy('good_dsa.test', novalidate=True)
- self.assertEqual(p.get_name(), "good_dsa.test")
- self.assertEqual(p.constructed(), False)
- self.assertEqual(p.validate(), (True, ""))
-
- p = pol.policy('bad_dsa.test', novalidate=True)
- self.assertEqual(p.validate(),
- (False, 'ZSK key size 769 not divisible by 64 as required for DSA'))
-
def test_prepublish(self):
pol = policy.dnssec_policy()
pol.load('test-policies/02-prepublish.pol')
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index a440a31a76..717bef14b8 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -20,6 +20,11 @@ TOP=${SYSTEMTESTTOP:=.}/../../..
# Make it absolute so that it continues to work after we cd.
TOP=`cd $TOP && pwd`
+# Default algorithm for testing
+DEFAULT_ALGORITHM=ECDSAP256SHA256
+DEFAULT_ALGORITHM_NUMBER=13
+DEFAULT_BITS=256
+
ARPANAME=$TOP/bin/tools/arpaname
CDS=$TOP/bin/dnssec/dnssec-cds
CHECKCONF=$TOP/bin/check/named-checkconf
@@ -378,7 +383,11 @@ copy_setports() {
-e "s/@EXTRAPORT6@/${EXTRAPORT6}/g" \
-e "s/@EXTRAPORT7@/${EXTRAPORT7}/g" \
-e "s/@EXTRAPORT8@/${EXTRAPORT8}/g" \
- -e "s/@CONTROLPORT@/${CONTROLPORT}/g" $1 > $2
+ -e "s/@CONTROLPORT@/${CONTROLPORT}/g" \
+ -e "s/@DEFAULT_ALGORITHM@/${DEFAULT_ALGORITHM}/g" \
+ -e "s/@DEFAULT_ALGORITHM_NUMBER@/${DEFAULT_ALGORITHM_NUMBER}/g" \
+ -e "s/@DEFAULT_BITS@/${DEFAULT_BITS}/g" \
+ $1 > $2
}
#
diff --git a/bin/tests/system/conf.sh.win32 b/bin/tests/system/conf.sh.win32
index da89e167c2..4adaff0bc6 100644
--- a/bin/tests/system/conf.sh.win32
+++ b/bin/tests/system/conf.sh.win32
@@ -26,6 +26,11 @@ TOP=`cd $TOP && pwd`
# Visual Studio build configurations are Release and Debug
VSCONF=Debug
+# Default algorithm for testing
+DEFAULT_ALGORITHM=ECDSAP256SHA256
+DEFAULT_ALGORITHM_NUMBER=13
+DEFAULT_BITS=256
+
ARPANAME=$TOP/Build/$VSCONF/arpaname@EXEEXT@
CHECKCONF=$TOP/Build/$VSCONF/named-checkconf@EXEEXT@
CHECKDS="$PYTHON `cygpath -w $TOP/bin/python/dnssec-checkds.py`"
@@ -361,7 +366,11 @@ copy_setports() {
-e "s/${atsign}EXTRAPORT6${atsign}/${EXTRAPORT6}/g" \
-e "s/${atsign}EXTRAPORT7${atsign}/${EXTRAPORT7}/g" \
-e "s/${atsign}EXTRAPORT8${atsign}/${EXTRAPORT8}/g" \
- -e "s/${atsign}CONTROLPORT${atsign}/${CONTROLPORT}/g" $1 > $2
+ -e "s/${atsign}CONTROLPORT${atsign}/${CONTROLPORT}/g" \
+ -e "s/${atsign}DEFAULT_ALGORITM${atsign}/${DEFAULT_ALGORITHM}/g" \
+ -e "s/${atsign}DEFAULT_ALGORITHM_NUMBER${atsign}/${DEFAULT_ALGORITHM_NUMBER}/g" \
+ -e "s/${atsign}DEFAULT_BITS${atsign}/${DEFAULT_BITS}/g" \
+ $1 > $2
}
#
diff --git a/bin/tests/system/dlv/ns1/sign.sh b/bin/tests/system/dlv/ns1/sign.sh
index d1404b78b8..d1bf35bb77 100755
--- a/bin/tests/system/dlv/ns1/sign.sh
+++ b/bin/tests/system/dlv/ns1/sign.sh
@@ -23,8 +23,8 @@ infile=root.db.in
zonefile=root.db
outfile=root.signed
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns2/sign.sh b/bin/tests/system/dlv/ns2/sign.sh
index d7b82e1377..5c34418895 100755
--- a/bin/tests/system/dlv/ns2/sign.sh
+++ b/bin/tests/system/dlv/ns2/sign.sh
@@ -24,8 +24,8 @@ zonefile=druz.db
outfile=druz.pre
dlvzone=utld.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns3/sign.sh b/bin/tests/system/dlv/ns3/sign.sh
index a85f7860f7..fa51ae1daf 100755
--- a/bin/tests/system/dlv/ns3/sign.sh
+++ b/bin/tests/system/dlv/ns3/sign.sh
@@ -26,8 +26,8 @@ zonefile=child1.utld.db
outfile=child1.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
@@ -42,8 +42,8 @@ zonefile=child3.utld.db
outfile=child3.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
@@ -58,8 +58,8 @@ zonefile=child4.utld.db
outfile=child4.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -73,8 +73,8 @@ zonefile=child5.utld.db
outfile=child5.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
@@ -88,8 +88,8 @@ infile=child.db.in
zonefile=child7.utld.db
outfile=child7.signed
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
@@ -103,8 +103,8 @@ infile=child.db.in
zonefile=child8.utld.db
outfile=child8.signed
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -118,8 +118,8 @@ zonefile=child9.utld.db
outfile=child9.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -132,8 +132,8 @@ zonefile=child10.utld.db
outfile=child10.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -147,8 +147,8 @@ outfile=child1.druz.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
@@ -164,8 +164,8 @@ outfile=child3.druz.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
@@ -181,8 +181,8 @@ outfile=child4.druz.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -197,8 +197,8 @@ outfile=child5.druz.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
@@ -213,8 +213,8 @@ zonefile=child7.druz.db
outfile=child7.druz.signed
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
dsfilename=../ns6/dsset-grand.`echo $zone |sed -e "s/\.$//g"`$TP
cat $infile $keyname1.key $keyname2.key $dsfilename >$zonefile
@@ -228,8 +228,8 @@ infile=child.db.in
zonefile=child8.druz.db
outfile=child8.druz.signed
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -243,8 +243,8 @@ zonefile=child9.druz.db
outfile=child9.druz.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -258,8 +258,8 @@ outfile=child10.druz.signed
dlvsets="$dlvsets dlvset-`echo $zone |sed -e "s/.$//g"`$TP"
dssets="$dssets dsset-`echo $zone |sed -e "s/.$//g"`$TP"
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -272,8 +272,8 @@ infile=dlv.db.in
zonefile=dlv.utld.db
outfile=dlv.signed
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $dlvsets $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dlv/ns6/sign.sh b/bin/tests/system/dlv/ns6/sign.sh
index cc5b2911ca..65f5f5d42b 100755
--- a/bin/tests/system/dlv/ns6/sign.sh
+++ b/bin/tests/system/dlv/ns6/sign.sh
@@ -21,8 +21,8 @@ infile=child.db.in
zonefile=grand.child1.utld.db
outfile=grand.child1.signed
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -36,8 +36,8 @@ zonefile=grand.child3.utld.db
outfile=grand.child3.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -51,8 +51,8 @@ zonefile=grand.child4.utld.db
outfile=grand.child4.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -66,8 +66,8 @@ zonefile=grand.child5.utld.db
outfile=grand.child5.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -81,8 +81,8 @@ zonefile=grand.child7.utld.db
outfile=grand.child7.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -96,8 +96,8 @@ zonefile=grand.child8.utld.db
outfile=grand.child8.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -111,8 +111,8 @@ zonefile=grand.child9.utld.db
outfile=grand.child9.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -125,8 +125,8 @@ zonefile=grand.child10.utld.db
outfile=grand.child10.signed
dlvzone=dlv.utld.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -138,8 +138,8 @@ infile=child.db.in
zonefile=grand.child1.druz.db
outfile=grand.child1.druz.signed
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -153,8 +153,8 @@ zonefile=grand.child3.druz.db
outfile=grand.child3.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -168,8 +168,8 @@ zonefile=grand.child4.druz.db
outfile=grand.child4.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -183,8 +183,8 @@ zonefile=grand.child5.druz.db
outfile=grand.child5.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -198,8 +198,8 @@ zonefile=grand.child7.druz.db
outfile=grand.child7.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -213,8 +213,8 @@ zonefile=grand.child8.druz.db
outfile=grand.child8.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -228,8 +228,8 @@ zonefile=grand.child9.druz.db
outfile=grand.child9.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -242,8 +242,8 @@ zonefile=grand.child10.druz.db
outfile=grand.child10.druz.signed
dlvzone=dlv.druz.
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index b0890df2a6..0a63a6bd4f 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -29,8 +29,8 @@ do
cp ../ns3/dsset-$subdomain.example$TP .
done
-keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
@@ -89,8 +89,8 @@ zone=in-addr.arpa.
infile=in-addr.arpa.db.in
zonefile=in-addr.arpa.db
-keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -g -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
@@ -127,8 +127,8 @@ zone=badparam.
infile=badparam.db.in
zonefile=badparam.db
-keyname1=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone -f KSK $zone`
-keyname2=`$KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone`
+keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone -f KSK $zone`
+keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/dnssec/ns6/named.conf.in b/bin/tests/system/dnssec/ns6/named.conf.in
index c3f2930ee2..d9b7a94306 100644
--- a/bin/tests/system/dnssec/ns6/named.conf.in
+++ b/bin/tests/system/dnssec/ns6/named.conf.in
@@ -21,7 +21,7 @@ options {
listen-on-v6 { none; };
recursion yes;
notify yes;
- disable-algorithms . { DSA; };
+ disable-algorithms . { @DEFAULT_ALGORITHM@; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside . trust-anchor dlv;
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 78c2c5a472..f3490027a3 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -147,10 +147,10 @@ status=`expr $status + $ret`
if [ -x ${DELV} ] ; then
ret=0
- echo_i "checking postive validation NSEC using dns_client ($n)"
+ echo_i "checking positive validation NSEC using dns_client ($n)"
$DELV $DELVOPTS @10.53.0.4 a a.example > delv.out$n || ret=1
grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
- grep "a.example..*.RRSIG.A 3 2 300 .*" delv.out$n > /dev/null || ret=1
+ grep "a.example..*.RRSIG.A $DEFAULT_ALGORITHM_NUMBER 2 300 .*" delv.out$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -222,7 +222,7 @@ if [ -x ${DELV} ] ; then
echo_i "checking positive wildcard validation NSEC using dns_client ($n)"
$DELV $DELVOPTS @10.53.0.4 a a.wild.example > delv.out$n || ret=1
grep "a.wild.example..*10.0.0.27" delv.out$n > /dev/null || ret=1
- grep "a.wild.example..*RRSIG.A 3 2 300.*" delv.out$n > /dev/null || ret=1
+ grep -E "a.wild.example..*RRSIG.A [0-9]+ 2 300.*" delv.out$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -1190,7 +1190,7 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
-echo_i "checking that lookups succeed after disabling a algorithm works ($n)"
+echo_i "checking that lookups succeed after disabling an algorithm ($n)"
ret=0
$DIG $DIGOPTS +noauth example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
@@ -2997,11 +2997,11 @@ echo_i "check dig's +nocrypto flag ($n)"
ret=0
$DIG $DIGOPTS +norec +nocrypto DNSKEY . \
@10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
-grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
-grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+grep -E '256 [0-9]+ 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+grep -E 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +norec +nocrypto DS example \
@10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
-grep 'DS.* 3 [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1
+grep -E 'DS.* [0-9]+ [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@@ -3137,12 +3137,8 @@ do
2) # Diffie Helman
alg=`expr $alg + 1`
continue;;
- 3) # DSA/SHA1
- size="-b 512";;
5) # RSA/SHA-1
size="-b 1024";;
- 6) # DSA-NSEC3-SHA1
- size="-b 512";;
7) # RSASHA1-NSEC3-SHA1
size="-b 1024";;
8) # RSA/SHA-256
diff --git a/bin/tests/system/filter-aaaa/ns1/sign.sh b/bin/tests/system/filter-aaaa/ns1/sign.sh
index 4075b3415e..2b75296ec1 100755
--- a/bin/tests/system/filter-aaaa/ns1/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns1/sign.sh
@@ -21,8 +21,8 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/filter-aaaa/ns4/sign.sh b/bin/tests/system/filter-aaaa/ns4/sign.sh
index 4075b3415e..2b75296ec1 100755
--- a/bin/tests/system/filter-aaaa/ns4/sign.sh
+++ b/bin/tests/system/filter-aaaa/ns4/sign.sh
@@ -21,8 +21,8 @@ infile=signed.db.in
zonefile=signed.db.signed
outfile=signed.db.signed
-keyname1=`$KEYGEN -a DSA -b 768 -n zone $zone 2> /dev/null`
-keyname2=`$KEYGEN -f KSK -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname1=`$KEYGEN -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone 2> /dev/null`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/inline/clean.sh b/bin/tests/system/inline/clean.sh
index b93bae9a47..7de4d15006 100644
--- a/bin/tests/system/inline/clean.sh
+++ b/bin/tests/system/inline/clean.sh
@@ -118,7 +118,7 @@ rm -f ns3/test-?.bk
rm -f ns3/test-?.bk.signed
rm -f ns3/test-?.bk.signed.jnl
rm -f import.key Kimport*
-rm -f checkdsa checkecdsa
+rm -f checkecdsa
rm -f ns3/a-file
rm -f ns*/named.lock
rm -f dig.out.*
diff --git a/bin/tests/system/inline/ns3/sign.sh b/bin/tests/system/inline/ns3/sign.sh
index eeb03032fd..15b5424215 100755
--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -133,7 +133,7 @@ zone=externalkey
rm -f K${zone}.+*+*.key
rm -f K${zone}.+*+*.private
-for alg in ECDSAP256SHA256 NSEC3RSASHA1 DSA
+for alg in ECDSAP256SHA256 NSEC3RSASHA1
do
k1=`$KEYGEN -q -a $alg -b 1024 -n zone -f KSK $zone`
k2=`$KEYGEN -q -a $alg -b 1024 -n zone $zone`
diff --git a/bin/tests/system/inline/tests.sh b/bin/tests/system/inline/tests.sh
index 7ee1b7391e..1c27043608 100755
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -945,13 +945,11 @@ n=`expr $n + 1`
echo_i "testing adding external keys to a inline zone ($n)"
ret=0
$DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n
-for alg in 3 7 13
+for alg in 7 13
do
- [ $alg = 3 -a ! -f checkdsa ] && continue;
[ $alg = 13 -a ! -f checkecdsa ] && continue;
case $alg in
- 3) echo_i "checking DSA";;
7) echo_i "checking NSEC3RSASHA1";;
13) echo_i "checking ECDSAP256SHA256";;
*) echo_i "checking $alg";;
diff --git a/bin/tests/system/keymgr/policy.good b/bin/tests/system/keymgr/policy.good
index 95af940e98..eb23246214 100644
--- a/bin/tests/system/keymgr/policy.good
+++ b/bin/tests/system/keymgr/policy.good
@@ -134,12 +134,12 @@ algorithm policy RSASHA1:
zsk_standby None
keyttl None
-algorithm policy DSA:
+algorithm policy RSASHA256:
inherits None
directory None
- algorithm DSA
+ algorithm RSASHA256
coverage None
- ksk_keysize 1024
+ ksk_keysize 2048
zsk_keysize 2048
ksk_rollperiod None
zsk_rollperiod None
@@ -151,6 +151,23 @@ algorithm policy DSA:
zsk_standby None
keyttl None
+algorithm policy ECDSAP256SHA256:
+ inherits None
+ directory None
+ algorithm ECDSAP256SHA256
+ coverage None
+ ksk_keysize None
+ zsk_keysize None
+ ksk_rollperiod None
+ zsk_rollperiod None
+ ksk_prepublish None
+ ksk_postpublish None
+ zsk_prepublish None
+ zsk_postpublish None
+ ksk_standby None
+ zsk_standby None
+ keyttl None
+
policy extra:
inherits default
directory None
diff --git a/bin/tests/system/keymgr/testpolicy.py b/bin/tests/system/keymgr/testpolicy.py
index e9125cf347..723cf7224b 100644
--- a/bin/tests/system/keymgr/testpolicy.py
+++ b/bin/tests/system/keymgr/testpolicy.py
@@ -31,7 +31,8 @@ if len(sys.argv) > 0:
# print algorithm policies
print(pp.alg_policy['RSASHA1'])
- print(pp.alg_policy['DSA'])
+ print(pp.alg_policy['RSASHA256'])
+ print(pp.alg_policy['ECDSAP256SHA256'])
# print another named policy
print(pp.named_policy['extra'])
diff --git a/bin/tests/system/rootkeysentinel/ns2/sign.sh b/bin/tests/system/rootkeysentinel/ns2/sign.sh
index 9d0e62d6c7..6501ce5dba 100644
--- a/bin/tests/system/rootkeysentinel/ns2/sign.sh
+++ b/bin/tests/system/rootkeysentinel/ns2/sign.sh
@@ -22,8 +22,8 @@ zone=example.
infile=example.db.in
zonefile=example.db
-keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
echo root-key-sentinel-is-ta-$oldid A 10.53.0.1 >> $zonefile
diff --git a/bin/tests/system/sfcache/ns2/sign.sh b/bin/tests/system/sfcache/ns2/sign.sh
index 709c20c8d5..4fe8a6c08e 100644
--- a/bin/tests/system/sfcache/ns2/sign.sh
+++ b/bin/tests/system/sfcache/ns2/sign.sh
@@ -16,8 +16,8 @@ zone=example.
infile=example.db.in
zonefile=example.db
-keyname1=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
-keyname2=`$KEYGEN -q -a DSA -b 768 -n zone $zone`
+keyname1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
+keyname2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
diff --git a/bin/tests/system/testcrypto.sh b/bin/tests/system/testcrypto.sh
index 5ed278512d..b0fd76795c 100644
--- a/bin/tests/system/testcrypto.sh
+++ b/bin/tests/system/testcrypto.sh
@@ -15,7 +15,7 @@ SYSTEMTESTTOP=${SYSTEMTESTTOP:=..}
prog=$0
args=""
-alg="-a RSAMD5 -b 1024"
+alg="-a $DEFAULT_ALGORITHM -b $DEFAULT_BITS"
quiet=0
msg1="cryptography"
diff --git a/bin/tests/system/tsiggss/setup.sh b/bin/tests/system/tsiggss/setup.sh
index 7350f0221d..74d16dd0ad 100644
--- a/bin/tests/system/tsiggss/setup.sh
+++ b/bin/tests/system/tsiggss/setup.sh
@@ -16,5 +16,5 @@ $SHELL clean.sh
copy_setports ns1/named.conf.in ns1/named.conf
-key=`$KEYGEN -Cq -K ns1 -a DSA -b 512 -n HOST -T KEY key.example.nil.`
+key=`$KEYGEN -Cq -K ns1 -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -n HOST -T KEY key.example.nil.`
cat ns1/example.nil.db.in ns1/${key}.key > ns1/example.nil.db
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 15d3a56609..29839b35cf 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -373,6 +373,11 @@
usually long after their end-of-life date and they are
neither developed nor supported by their respective vendors.
+
+ Support for DSA and DSA-NSEC3-SHA1 algorithms has been
+ removed from BIND as the DSA key length is limited to 1024
+ bits and this is not considered secure enough.
+
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index e376afbbf8..3235d4fd2a 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -44,9 +44,9 @@ LIBS = @LIBS@
DSTOBJS = @DST_EXTRA_OBJS@ \
dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ \
- openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
+ openssl_link.@O@ openssldh_link.@O@ \
opensslecdsa_link.@O@ openssleddsa_link.@O@ opensslrsa_link.@O@ \
- pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
+ pkcs11rsa_link.@O@ \
pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ pkcs11.@O@ \
key.@O@
@@ -82,9 +82,9 @@ OBJS= @DNSTAPOBJS@ ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} \
DSTSRCS = @DST_EXTRA_SRCS@ @PKCS11LINKSRCS@ \
dst_api.c dst_lib.c dst_parse.c \
dst_result.c gssapi_link.c gssapictx.c hmac_link.c \
- openssl_link.c openssldh_link.c openssldsa_link.c \
+ openssl_link.c openssldh_link.c \
opensslecdsa_link.c openssleddsa_link.c opensslrsa_link.c \
- pkcs11dsa_link.c pkcs11rsa_link.c \
+ pkcs11rsa_link.c \
pkcs11ecdsa_link.c pkcs11eddsa_link.c pkcs11.c \
key.c
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 7633f1c54f..f4e4045ca7 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -190,8 +190,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
DST_ALG_RSASHA256));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
DST_ALG_RSASHA512));
- RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
- RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#ifdef HAVE_OPENSSL_ED25519
@@ -209,8 +207,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
- RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
- RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#ifdef HAVE_PKCS11_ED25519
@@ -1190,10 +1186,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
case DST_ALG_RSASHA512:
*n = (key->key_size + 7) / 8;
break;
- case DST_ALG_DSA:
- case DST_ALG_NSEC3DSA:
- *n = DNS_SIG_DSASIGSIZE;
- break;
case DST_ALG_ECDSA256:
*n = DNS_SIG_ECDSA256SIZE;
break;
@@ -1522,8 +1514,6 @@ issymmetric(const dst_key_t *key) {
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
- case DST_ALG_DSA:
- case DST_ALG_NSEC3DSA:
case DST_ALG_DH:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index a6e6fe36ee..75635c87f1 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -53,7 +53,6 @@
#include
#include
-#include
#include
#include
#include
@@ -109,7 +108,6 @@ struct dst_key {
union {
void *generic;
gss_ctx_id_t gssctx;
- DSA *dsa;
DH *dh;
#if USE_OPENSSL
EVP_PKEY *pkey;
@@ -229,7 +227,6 @@ isc_result_t dst__openssldh_init(struct dst_func **funcp);
#if USE_OPENSSL
isc_result_t dst__opensslrsa_init(struct dst_func **funcp,
unsigned char algorithm);
-isc_result_t dst__openssldsa_init(struct dst_func **funcp);
isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 105a7df6d0..8778f994f9 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -96,12 +96,6 @@ static struct parse_map map[] = {
{TAG_DH_PRIVATE, "Private_value(x):"},
{TAG_DH_PUBLIC, "Public_value(y):"},
- {TAG_DSA_PRIME, "Prime(p):"},
- {TAG_DSA_SUBPRIME, "Subprime(q):"},
- {TAG_DSA_BASE, "Base(g):"},
- {TAG_DSA_PRIVATE, "Private_value(x):"},
- {TAG_DSA_PUBLIC, "Public_value(y):"},
-
{TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
{TAG_ECDSA_ENGINE, "Engine:" },
{TAG_ECDSA_LABEL, "Label:" },
@@ -232,26 +226,6 @@ check_dh(const dst_private_t *priv) {
return (0);
}
-static int
-check_dsa(const dst_private_t *priv, bool external) {
- int i, j;
-
- if (external)
- return ((priv->nelements == 0)? 0 : -1);
-
- if (priv->nelements != DSA_NTAGS)
- return (-1);
-
- for (i = 0; i < DSA_NTAGS; i++) {
- for (j = 0; j < priv->nelements; j++)
- if (priv->elements[j].tag == TAG(DST_ALG_DSA, i))
- break;
- if (j == priv->nelements)
- return (-1);
- }
- return (0);
-}
-
static int
check_ecdsa(const dst_private_t *priv, bool external) {
int i, j;
@@ -370,9 +344,6 @@ check_data(const dst_private_t *priv, const unsigned int alg,
return (check_rsa(priv, external));
case DST_ALG_DH:
return (check_dh(priv));
- case DST_ALG_DSA:
- case DST_ALG_NSEC3DSA:
- return (check_dsa(priv, external));
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
return (check_ecdsa(priv, external));
@@ -696,18 +667,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
case DST_ALG_DH:
fprintf(fp, "(DH)\n");
break;
- case DST_ALG_DSA:
- fprintf(fp, "(DSA)\n");
- break;
case DST_ALG_RSASHA1:
fprintf(fp, "(RSASHA1)\n");
break;
case DST_ALG_NSEC3RSASHA1:
fprintf(fp, "(NSEC3RSASHA1)\n");
break;
- case DST_ALG_NSEC3DSA:
- fprintf(fp, "(NSEC3DSA)\n");
- break;
case DST_ALG_RSASHA256:
fprintf(fp, "(RSASHA256)\n");
break;
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
deleted file mode 100644
index 8cc0d90b82..0000000000
--- a/lib/dns/openssldsa_link.c
+++ /dev/null
@@ -1,693 +0,0 @@
-/*
- * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- *
- * Portions Copyright (C) Network Associates, Inc.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
- * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
- * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*! \file */
-
-#include
-
-#if !USE_PKCS11
-
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-
-#include
-
-static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
-
-#if !HAVE_DSA_GET0_PQG
-static void
-DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
- const BIGNUM **g)
-{
- if (p != NULL)
- *p = d->p;
- if (q != NULL)
- *q = d->q;
- if (g != NULL)
- *g = d->g;
-}
-
-static int
-DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
- if (p == NULL || q == NULL || g == NULL)
- return 0;
- BN_free(d->p);
- BN_free(d->q);
- BN_free(d->g);
- d->p = p;
- d->q = q;
- d->g = g;
-
- return 1;
-}
-
-static void
-DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) {
- if (pub_key != NULL)
- *pub_key = d->pub_key;
- if (priv_key != NULL)
- *priv_key = d->priv_key;
-}
-
-static int
-DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) {
- /* Note that it is valid for priv_key to be NULL */
- if (pub_key == NULL)
- return 0;
-
- BN_free(d->pub_key);
- BN_free(d->priv_key);
- d->pub_key = pub_key;
- d->priv_key = priv_key;
-
- return 1;
-}
-
-static void
-DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
- *pr = sig->r;
- *ps = sig->s;
-}
-
-static int
-DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
- if (r == NULL || s == NULL)
- return 0;
-
- BN_clear_free(sig->r);
- BN_clear_free(sig->s);
- sig->r = r;
- sig->s = s;
-
- return 1;
-}
-
-
-#define DSA_clear_flags(d, x) (d)->flags &= ~(x)
-
-#endif /* !HAVE_DSA_GET0_PQG */
-
-static isc_result_t
-openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
- EVP_MD_CTX *evp_md_ctx;
-
- UNUSED(key);
-
- evp_md_ctx = EVP_MD_CTX_create();
- if (evp_md_ctx == NULL)
- return (ISC_R_NOMEMORY);
-
- if (!EVP_DigestInit_ex(evp_md_ctx, EVP_dss1(), NULL)) {
- EVP_MD_CTX_destroy(evp_md_ctx);
- return (ISC_R_FAILURE);
- }
-
- dctx->ctxdata.evp_md_ctx = evp_md_ctx;
-
- return (ISC_R_SUCCESS);
-}
-
-static void
-openssldsa_destroyctx(dst_context_t *dctx) {
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
- if (evp_md_ctx != NULL) {
- EVP_MD_CTX_destroy(evp_md_ctx);
- dctx->ctxdata.evp_md_ctx = NULL;
- }
-}
-
-static isc_result_t
-openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
- if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
- return (ISC_R_FAILURE);
- }
- return (ISC_R_SUCCESS);
-}
-
-static int
-BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
- int bytes = size - BN_num_bytes(bn);
- while (bytes-- > 0)
- *buf++ = 0;
- BN_bn2bin(bn, buf);
- return (size);
-}
-
-static isc_result_t
-openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- dst_key_t *key = dctx->key;
- DSA *dsa = key->keydata.dsa;
- isc_region_t region;
- DSA_SIG *dsasig;
- const BIGNUM *r = 0, *s = NULL;
- unsigned int klen;
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
- EVP_PKEY *pkey;
- unsigned char *sigbuf;
- const unsigned char *sb;
- unsigned int siglen;
-
- isc_buffer_availableregion(sig, ®ion);
- if (region.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
- return (ISC_R_NOSPACE);
-
- pkey = EVP_PKEY_new();
- if (pkey == NULL)
- return (ISC_R_NOMEMORY);
- if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
- EVP_PKEY_free(pkey);
- return (ISC_R_FAILURE);
- }
- sigbuf = malloc(EVP_PKEY_size(pkey));
- if (sigbuf == NULL) {
- EVP_PKEY_free(pkey);
- return (ISC_R_NOMEMORY);
- }
- if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) {
- EVP_PKEY_free(pkey);
- free(sigbuf);
- return (dst__openssl_toresult3(dctx->category,
- "EVP_SignFinal",
- ISC_R_FAILURE));
- }
- INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
- EVP_PKEY_free(pkey);
- /* Convert from Dss-Sig-Value (RFC2459). */
- dsasig = DSA_SIG_new();
- if (dsasig == NULL) {
- free(sigbuf);
- return (ISC_R_NOMEMORY);
- }
- sb = sigbuf;
- if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) {
- free(sigbuf);
- return (dst__openssl_toresult3(dctx->category,
- "d2i_DSA_SIG",
- ISC_R_FAILURE));
- }
- free(sigbuf);
-
- klen = (key->key_size - 512)/64;
- if (klen > 255)
- return (ISC_R_FAILURE);
- *region.base = klen;
- isc_region_consume(®ion, 1);
-
- DSA_SIG_get0(dsasig, &r, &s);
- BN_bn2bin_fixed(r, region.base, ISC_SHA1_DIGESTLENGTH);
- isc_region_consume(®ion, ISC_SHA1_DIGESTLENGTH);
- BN_bn2bin_fixed(s, region.base, ISC_SHA1_DIGESTLENGTH);
- isc_region_consume(®ion, ISC_SHA1_DIGESTLENGTH);
- DSA_SIG_free(dsasig);
- isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- dst_key_t *key = dctx->key;
- DSA *dsa = key->keydata.dsa;
- BIGNUM *r = NULL, *s = NULL;
- int status = 0;
- unsigned char *cp = sig->base;
- DSA_SIG *dsasig;
- EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
- unsigned int siglen;
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-
- /* Only use EVP for the digest */
- if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
- return (ISC_R_FAILURE);
- }
-
- if (sig->length != 2 * ISC_SHA1_DIGESTLENGTH + 1) {
- return (DST_R_VERIFYFAILURE);
- }
-
- cp++; /*%< Skip T */
- dsasig = DSA_SIG_new();
- if (dsasig == NULL)
- return (ISC_R_NOMEMORY);
- r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
- cp += ISC_SHA1_DIGESTLENGTH;
- s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
- DSA_SIG_set0(dsasig, r, s);
-
- status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
-
- DSA_SIG_free(dsasig);
- switch (status) {
- case 1:
- return (ISC_R_SUCCESS);
- case 0:
- return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
- default:
- return (dst__openssl_toresult3(dctx->category,
- "DSA_do_verify",
- DST_R_VERIFYFAILURE));
- }
-}
-
-static bool
-openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
- DSA *dsa1, *dsa2;
- const BIGNUM *pub_key1 = NULL, *priv_key1 = NULL;
- const BIGNUM *pub_key2 = NULL, *priv_key2 = NULL;
- const BIGNUM *p1 = NULL, *q1 = NULL, *g1 = NULL;
- const BIGNUM *p2 = NULL, *q2 = NULL, *g2 = NULL;
-
- dsa1 = key1->keydata.dsa;
- dsa2 = key2->keydata.dsa;
-
- if (dsa1 == NULL && dsa2 == NULL)
- return (true);
- else if (dsa1 == NULL || dsa2 == NULL)
- return (false);
-
- DSA_get0_key(dsa1, &pub_key1, &priv_key1);
- DSA_get0_key(dsa2, &pub_key2, &priv_key2);
- DSA_get0_pqg(dsa1, &p1, &q1, &g1);
- DSA_get0_pqg(dsa2, &p2, &q2, &g2);
-
- if (BN_cmp(p1, p2) != 0 || BN_cmp(q1, q2) != 0 ||
- BN_cmp(g1, g2) != 0 || BN_cmp(pub_key1, pub_key2) != 0)
- return (false);
-
- if (priv_key1 != NULL || priv_key2 != NULL) {
- if (priv_key1 == NULL || priv_key2 == NULL)
- return (false);
- if (BN_cmp(priv_key1, priv_key2))
- return (false);
- }
- return (true);
-}
-
-static int
-progress_cb(int p, int n, BN_GENCB *cb) {
- union {
- void *dptr;
- void (*fptr)(int);
- } u;
-
- UNUSED(n);
-
- u.dptr = BN_GENCB_get_arg(cb);
- if (u.fptr != NULL)
- u.fptr(p);
- return (1);
-}
-
-static isc_result_t
-openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
- DSA *dsa;
- unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
- BN_GENCB *cb;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
- BN_GENCB _cb;
-#endif
- union {
- void *dptr;
- void (*fptr)(int);
- } u;
-
- UNUSED(unused);
-
- isc_nonce_buf(rand_array, sizeof(rand_array));
-
- dsa = DSA_new();
- if (dsa == NULL)
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- cb = BN_GENCB_new();
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- if (cb == NULL) {
- DSA_free(dsa);
- return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
- }
-#endif
- if (callback == NULL) {
- BN_GENCB_set_old(cb, NULL, NULL);
- } else {
- u.fptr = callback;
- BN_GENCB_set(cb, &progress_cb, u.dptr);
- }
-
- if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array,
- ISC_SHA1_DIGESTLENGTH, NULL, NULL,
- cb))
- {
- DSA_free(dsa);
- BN_GENCB_free(cb);
- return (dst__openssl_toresult2("DSA_generate_parameters_ex",
- DST_R_OPENSSLFAILURE));
- }
- BN_GENCB_free(cb);
- cb = NULL;
-
- if (DSA_generate_key(dsa) == 0) {
- DSA_free(dsa);
- return (dst__openssl_toresult2("DSA_generate_key",
- DST_R_OPENSSLFAILURE));
- }
-
- DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
-
- key->keydata.dsa = dsa;
-
- return (ISC_R_SUCCESS);
-}
-
-static bool
-openssldsa_isprivate(const dst_key_t *key) {
- DSA *dsa = key->keydata.dsa;
- const BIGNUM *priv_key = NULL;
-
- DSA_get0_key(dsa, NULL, &priv_key);
- return (dsa != NULL && priv_key != NULL);
-}
-
-static void
-openssldsa_destroy(dst_key_t *key) {
- DSA *dsa = key->keydata.dsa;
- DSA_free(dsa);
- key->keydata.dsa = NULL;
-}
-
-
-static isc_result_t
-openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- DSA *dsa;
- const BIGNUM *pub_key, *p = NULL, *q = NULL, *g = NULL;
- isc_region_t r;
- int dnslen;
- unsigned int t, p_bytes;
-
- REQUIRE(key->keydata.dsa != NULL);
-
- dsa = key->keydata.dsa;
-
- isc_buffer_availableregion(data, &r);
-
- DSA_get0_key(dsa, &pub_key, NULL);
- DSA_get0_pqg(dsa, &p, &q, &g);
-
- t = (BN_num_bytes(p) - 64) / 8;
- if (t > 8)
- return (DST_R_INVALIDPUBLICKEY);
- p_bytes = 64 + 8 * t;
-
- dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH;
- if (r.length < (unsigned int) dnslen)
- return (ISC_R_NOSPACE);
-
- *r.base = t;
- isc_region_consume(&r, 1);
-
- BN_bn2bin_fixed(q, r.base, ISC_SHA1_DIGESTLENGTH);
- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- BN_bn2bin_fixed(p, r.base, key->key_size/8);
- isc_region_consume(&r, p_bytes);
- BN_bn2bin_fixed(g, r.base, key->key_size/8);
- isc_region_consume(&r, p_bytes);
- BN_bn2bin_fixed(pub_key, r.base, key->key_size/8);
- isc_region_consume(&r, p_bytes);
-
- isc_buffer_add(data, dnslen);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- DSA *dsa;
- BIGNUM *pub_key, *p, *q, *g;
- isc_region_t r;
- unsigned int t, p_bytes;
- isc_mem_t *mctx = key->mctx;
-
- UNUSED(mctx);
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- dsa = DSA_new();
- if (dsa == NULL)
- return (ISC_R_NOMEMORY);
- DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
-
- t = (unsigned int) *r.base;
- isc_region_consume(&r, 1);
- if (t > 8) {
- DSA_free(dsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
- p_bytes = 64 + 8 * t;
-
- if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
- DSA_free(dsa);
- return (DST_R_INVALIDPUBLICKEY);
- }
-
- q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
-
- p = BN_bin2bn(r.base, p_bytes, NULL);
- isc_region_consume(&r, p_bytes);
-
- g = BN_bin2bn(r.base, p_bytes, NULL);
- isc_region_consume(&r, p_bytes);
-
- pub_key = BN_bin2bn(r.base, p_bytes, NULL);
- isc_region_consume(&r, p_bytes);
-
- if (pub_key == NULL || p == NULL || q == NULL || g == NULL) {
- DSA_free(dsa);
- if (p != NULL) BN_free(p);
- if (q != NULL) BN_free(q);
- if (g != NULL) BN_free(g);
- return (ISC_R_NOMEMORY);
- }
-
- DSA_set0_key(dsa, pub_key, NULL);
- DSA_set0_pqg(dsa, p, q, g);
-
- key->key_size = p_bytes * 8;
-
- isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
-
- key->keydata.dsa = dsa;
-
- return (ISC_R_SUCCESS);
-}
-
-
-static isc_result_t
-openssldsa_tofile(const dst_key_t *key, const char *directory) {
- int cnt = 0;
- DSA *dsa;
- const BIGNUM *pub_key = NULL, *priv_key = NULL;
- const BIGNUM *p = NULL, *q = NULL, *g = NULL;
- dst_private_t priv;
- unsigned char bufs[5][128];
-
- if (key->keydata.dsa == NULL)
- return (DST_R_NULLKEY);
-
- if (key->external) {
- priv.nelements = 0;
- return (dst__privstruct_writefile(key, &priv, directory));
- }
-
- dsa = key->keydata.dsa;
-
- DSA_get0_key(dsa, &pub_key, &priv_key);
- DSA_get0_pqg(dsa, &p, &q, &g);
-
- priv.elements[cnt].tag = TAG_DSA_PRIME;
- priv.elements[cnt].length = BN_num_bytes(p);
- BN_bn2bin(p, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
- priv.elements[cnt].length = BN_num_bytes(q);
- BN_bn2bin(q, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_BASE;
- priv.elements[cnt].length = BN_num_bytes(g);
- BN_bn2bin(g, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_PRIVATE;
- priv.elements[cnt].length = BN_num_bytes(priv_key);
- BN_bn2bin(priv_key, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_PUBLIC;
- priv.elements[cnt].length = BN_num_bytes(pub_key);
- BN_bn2bin(pub_key, bufs[cnt]);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.nelements = cnt;
- return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- dst_private_t priv;
- isc_result_t ret;
- int i;
- DSA *dsa = NULL;
- BIGNUM *pub_key = NULL, *priv_key = NULL;
- BIGNUM *p = NULL, *q = NULL, *g = NULL;
- isc_mem_t *mctx = key->mctx;
-#define DST_RET(a) {ret = a; goto err;}
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- if (key->external) {
- if (priv.nelements != 0)
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- if (pub == NULL)
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- key->keydata.pkey = pub->keydata.pkey;
- pub->keydata.pkey = NULL;
- key->key_size = pub->key_size;
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
- return (ISC_R_SUCCESS);
- }
-
- dsa = DSA_new();
- if (dsa == NULL)
- DST_RET(ISC_R_NOMEMORY);
- DSA_clear_flags(dsa, DSA_FLAG_CACHE_MONT_P);
- key->keydata.dsa = dsa;
-
- for (i = 0; i < priv.nelements; i++) {
- BIGNUM *bn;
- bn = BN_bin2bn(priv.elements[i].data,
- priv.elements[i].length, NULL);
- if (bn == NULL)
- DST_RET(ISC_R_NOMEMORY);
-
- switch (priv.elements[i].tag) {
- case TAG_DSA_PRIME:
- p = bn;
- break;
- case TAG_DSA_SUBPRIME:
- q = bn;
- break;
- case TAG_DSA_BASE:
- g = bn;
- break;
- case TAG_DSA_PRIVATE:
- priv_key = bn;
- break;
- case TAG_DSA_PUBLIC:
- pub_key = bn;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
- DSA_set0_key(dsa, pub_key, priv_key);
- DSA_set0_pqg(dsa, p, q, g);
- key->key_size = BN_num_bits(p);
- return (ISC_R_SUCCESS);
-
- err:
- if (p != NULL)
- BN_free(p);
- if (q != NULL)
- BN_free(q);
- if (g != NULL)
- BN_free(g);
- openssldsa_destroy(key);
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
- return (ret);
-}
-
-static dst_func_t openssldsa_functions = {
- openssldsa_createctx,
- NULL, /*%< createctx2 */
- openssldsa_destroyctx,
- openssldsa_adddata,
- openssldsa_sign,
- openssldsa_verify,
- NULL, /*%< verify2 */
- NULL, /*%< computesecret */
- openssldsa_compare,
- NULL, /*%< paramcompare */
- openssldsa_generate,
- openssldsa_isprivate,
- openssldsa_destroy,
- openssldsa_todns,
- openssldsa_fromdns,
- openssldsa_tofile,
- openssldsa_parse,
- NULL, /*%< cleanup */
- NULL, /*%< fromlabel */
- NULL, /*%< dump */
- NULL, /*%< restore */
-};
-
-isc_result_t
-dst__openssldsa_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &openssldsa_functions;
- return (ISC_R_SUCCESS);
-}
-
-#endif /* !USE_PKCS11 */
diff --git a/lib/dns/pkcs11dsa_link.c b/lib/dns/pkcs11dsa_link.c
deleted file mode 100644
index eaeea8fa55..0000000000
--- a/lib/dns/pkcs11dsa_link.c
+++ /dev/null
@@ -1,1117 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include
-
-#if USE_PKCS11
-
-#include
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-#include
-
-#include "dst_internal.h"
-#include "dst_parse.h"
-#include "dst_pkcs11.h"
-
-#include
-
-/*
- * FIPS 186-2 DSA keys:
- * mechanisms:
- * CKM_DSA_SHA1,
- * CKM_DSA_KEY_PAIR_GEN,
- * CKM_DSA_PARAMETER_GEN
- * domain parameters:
- * object class CKO_DOMAIN_PARAMETERS
- * key type CKK_DSA
- * attribute CKA_PRIME (prime p)
- * attribute CKA_SUBPRIME (subprime q)
- * attribute CKA_BASE (base g)
- * optional attribute CKA_PRIME_BITS (p length in bits)
- * public keys:
- * object class CKO_PUBLIC_KEY
- * key type CKK_DSA
- * attribute CKA_PRIME (prime p)
- * attribute CKA_SUBPRIME (subprime q)
- * attribute CKA_BASE (base g)
- * attribute CKA_VALUE (public value y)
- * private keys:
- * object class CKO_PRIVATE_KEY
- * key type CKK_DSA
- * attribute CKA_PRIME (prime p)
- * attribute CKA_SUBPRIME (subprime q)
- * attribute CKA_BASE (base g)
- * attribute CKA_VALUE (private value x)
- * reuse CKA_PRIVATE_EXPONENT for key pair private value
- */
-
-#define CKA_VALUE2 CKA_PRIVATE_EXPONENT
-
-#define DST_RET(a) {ret = a; goto err;}
-
-static CK_BBOOL truevalue = TRUE;
-static CK_BBOOL falsevalue = FALSE;
-
-static isc_result_t pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data);
-static void pkcs11dsa_destroy(dst_key_t *key);
-
-static isc_result_t
-pkcs11dsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
- CK_KEY_TYPE keyType = CKK_DSA;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_PRIME, NULL, 0 },
- { CKA_SUBPRIME, NULL, 0 },
- { CKA_BASE, NULL, 0 },
- { CKA_VALUE, NULL, 0 }
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *dsa;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
- unsigned int i;
-
- REQUIRE(key != NULL);
- dsa = key->keydata.pkey;
- REQUIRE(dsa != NULL);
-
- pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
- sizeof(*pk11_ctx));
- if (pk11_ctx == NULL)
- return (ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_DSA, true, false,
- dsa->reqlogon, NULL,
- pk11_get_best_token(OP_DSA));
- if (ret != ISC_R_SUCCESS)
- goto err;
-
- if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) {
- pk11_ctx->ontoken = dsa->ontoken;
- pk11_ctx->object = dsa->object;
- goto token_key;
- }
-
- for (attr = pk11_attribute_first(dsa);
- attr != NULL;
- attr = pk11_attribute_next(dsa, attr))
- switch (attr->type) {
- case CKA_PRIME:
- INSIST(keyTemplate[6].type == attr->type);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- if (keyTemplate[6].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- break;
- case CKA_SUBPRIME:
- INSIST(keyTemplate[7].type == attr->type);
- keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- if (keyTemplate[7].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[7].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[7].ulValueLen = attr->ulValueLen;
- break;
- case CKA_BASE:
- INSIST(keyTemplate[8].type == attr->type);
- keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- if (keyTemplate[8].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[8].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[8].ulValueLen = attr->ulValueLen;
- break;
- case CKA_VALUE2:
- INSIST(keyTemplate[9].type == CKA_VALUE);
- keyTemplate[9].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- if (keyTemplate[9].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[9].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[9].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = false;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session,
- keyTemplate, (CK_ULONG) 10,
- &pk11_ctx->object),
- ISC_R_FAILURE);
-
- token_key:
-
- PK11_RET(pkcs_C_SignInit,
- (pk11_ctx->session, &mech, pk11_ctx->object),
- ISC_R_FAILURE);
-
- dctx->ctxdata.pk11_ctx = pk11_ctx;
-
- for (i = 6; i <= 9; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
-
- return (ISC_R_SUCCESS);
-
- err:
- if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
- for (i = 6; i <= 9; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11dsa_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_DSA_SHA1, NULL, 0 };
- CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
- CK_KEY_TYPE keyType = CKK_DSA;
- CK_ATTRIBUTE keyTemplate[] =
- {
- { CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_PRIME, NULL, 0 },
- { CKA_SUBPRIME, NULL, 0 },
- { CKA_BASE, NULL, 0 },
- { CKA_VALUE, NULL, 0 }
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *dsa;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
- unsigned int i;
-
- dsa = key->keydata.pkey;
- REQUIRE(dsa != NULL);
- pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
- sizeof(*pk11_ctx));
- if (pk11_ctx == NULL)
- return (ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_DSA, true, false,
- dsa->reqlogon, NULL,
- pk11_get_best_token(OP_DSA));
- if (ret != ISC_R_SUCCESS)
- goto err;
-
- if (dsa->ontoken && (dsa->object != CK_INVALID_HANDLE)) {
- pk11_ctx->ontoken = dsa->ontoken;
- pk11_ctx->object = dsa->object;
- goto token_key;
- }
-
- for (attr = pk11_attribute_first(dsa);
- attr != NULL;
- attr = pk11_attribute_next(dsa, attr))
- switch (attr->type) {
- case CKA_PRIME:
- INSIST(keyTemplate[5].type == attr->type);
- keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- if (keyTemplate[5].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[5].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[5].ulValueLen = attr->ulValueLen;
- break;
- case CKA_SUBPRIME:
- INSIST(keyTemplate[6].type == attr->type);
- keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- if (keyTemplate[6].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[6].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[6].ulValueLen = attr->ulValueLen;
- break;
- case CKA_BASE:
- INSIST(keyTemplate[7].type == attr->type);
- keyTemplate[7].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- if (keyTemplate[7].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[7].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[7].ulValueLen = attr->ulValueLen;
- break;
- case CKA_VALUE:
- INSIST(keyTemplate[8].type == attr->type);
- keyTemplate[8].pValue = isc_mem_get(dctx->mctx,
- attr->ulValueLen);
- if (keyTemplate[8].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(keyTemplate[8].pValue, attr->pValue,
- attr->ulValueLen);
- keyTemplate[8].ulValueLen = attr->ulValueLen;
- break;
- }
- pk11_ctx->object = CK_INVALID_HANDLE;
- pk11_ctx->ontoken = false;
- PK11_RET(pkcs_C_CreateObject,
- (pk11_ctx->session,
- keyTemplate, (CK_ULONG) 9,
- &pk11_ctx->object),
- ISC_R_FAILURE);
-
- token_key:
-
- PK11_RET(pkcs_C_VerifyInit,
- (pk11_ctx->session, &mech, pk11_ctx->object),
- ISC_R_FAILURE);
-
- dctx->ctxdata.pk11_ctx = pk11_ctx;
-
- for (i = 5; i <= 8; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
-
- return (ISC_R_SUCCESS);
-
- err:
- if (!pk11_ctx->ontoken && (pk11_ctx->object != CK_INVALID_HANDLE))
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
- for (i = 5; i <= 8; i++)
- if (keyTemplate[i].pValue != NULL) {
- isc_safe_memwipe(keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- isc_mem_put(dctx->mctx,
- keyTemplate[i].pValue,
- keyTemplate[i].ulValueLen);
- }
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static isc_result_t
-pkcs11dsa_createctx(dst_key_t *key, dst_context_t *dctx) {
- if (dctx->use == DO_SIGN)
- return (pkcs11dsa_createctx_sign(key, dctx));
- else
- return (pkcs11dsa_createctx_verify(key, dctx));
-}
-
-static void
-pkcs11dsa_destroyctx(dst_context_t *dctx) {
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
-
- if (pk11_ctx != NULL) {
- if (!pk11_ctx->ontoken &&
- (pk11_ctx->object != CK_INVALID_HANDLE))
- (void) pkcs_C_DestroyObject(pk11_ctx->session,
- pk11_ctx->object);
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
- dctx->ctxdata.pk11_ctx = NULL;
- }
-}
-
-static isc_result_t
-pkcs11dsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
- CK_RV rv;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- if (dctx->use == DO_SIGN)
- PK11_CALL(pkcs_C_SignUpdate,
- (pk11_ctx->session,
- (CK_BYTE_PTR) data->base,
- (CK_ULONG) data->length),
- ISC_R_FAILURE);
- else
- PK11_CALL(pkcs_C_VerifyUpdate,
- (pk11_ctx->session,
- (CK_BYTE_PTR) data->base,
- (CK_ULONG) data->length),
- ISC_R_FAILURE);
- return (ret);
-}
-
-static isc_result_t
-pkcs11dsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
- CK_RV rv;
- CK_ULONG siglen = ISC_SHA1_DIGESTLENGTH * 2;
- isc_region_t r;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
- unsigned int klen;
-
- isc_buffer_availableregion(sig, &r);
- if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
- return (ISC_R_NOSPACE);
-
- PK11_RET(pkcs_C_SignFinal,
- (pk11_ctx->session, (CK_BYTE_PTR) r.base + 1, &siglen),
- DST_R_SIGNFAILURE);
- if (siglen != ISC_SHA1_DIGESTLENGTH * 2)
- return (DST_R_SIGNFAILURE);
-
- klen = (dctx->key->key_size - 512)/64;
- if (klen > 255)
- return (ISC_R_FAILURE);
- *r.base = klen;
- isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
-
- err:
- return (ret);
-}
-
-static isc_result_t
-pkcs11dsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
- CK_RV rv;
- pk11_context_t *pk11_ctx = dctx->ctxdata.pk11_ctx;
- isc_result_t ret = ISC_R_SUCCESS;
-
- PK11_CALL(pkcs_C_VerifyFinal,
- (pk11_ctx->session,
- (CK_BYTE_PTR) sig->base + 1,
- (CK_ULONG) sig->length - 1),
- DST_R_VERIFYFAILURE);
- return (ret);
-}
-
-static bool
-pkcs11dsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
- pk11_object_t *dsa1, *dsa2;
- CK_ATTRIBUTE *attr1, *attr2;
-
- dsa1 = key1->keydata.pkey;
- dsa2 = key2->keydata.pkey;
-
- if ((dsa1 == NULL) && (dsa2 == NULL))
- return (true);
- else if ((dsa1 == NULL) || (dsa2 == NULL))
- return (false);
-
- attr1 = pk11_attribute_bytype(dsa1, CKA_PRIME);
- attr2 = pk11_attribute_bytype(dsa2, CKA_PRIME);
- if ((attr1 == NULL) && (attr2 == NULL))
- return (true);
- else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- return (false);
-
- attr1 = pk11_attribute_bytype(dsa1, CKA_SUBPRIME);
- attr2 = pk11_attribute_bytype(dsa2, CKA_SUBPRIME);
- if ((attr1 == NULL) && (attr2 == NULL))
- return (true);
- else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- return (false);
-
- attr1 = pk11_attribute_bytype(dsa1, CKA_BASE);
- attr2 = pk11_attribute_bytype(dsa2, CKA_BASE);
- if ((attr1 == NULL) && (attr2 == NULL))
- return (true);
- else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- return (false);
-
- attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE);
- attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE);
- if ((attr1 == NULL) && (attr2 == NULL))
- return (true);
- else if ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen))
- return (false);
-
- attr1 = pk11_attribute_bytype(dsa1, CKA_VALUE2);
- attr2 = pk11_attribute_bytype(dsa2, CKA_VALUE2);
- if (((attr1 != NULL) || (attr2 != NULL)) &&
- ((attr1 == NULL) || (attr2 == NULL) ||
- (attr1->ulValueLen != attr2->ulValueLen) ||
- !isc_safe_memequal(attr1->pValue, attr2->pValue,
- attr1->ulValueLen)))
- return (false);
-
- if (!dsa1->ontoken && !dsa2->ontoken)
- return (true);
- else if (dsa1->ontoken || dsa2->ontoken ||
- (dsa1->object != dsa2->object))
- return (false);
-
- return (true);
-}
-
-static isc_result_t
-pkcs11dsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
- CK_RV rv;
- CK_MECHANISM mech = { CKM_DSA_PARAMETER_GEN, NULL, 0 };
- CK_OBJECT_HANDLE dp = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS dpClass = CKO_DOMAIN_PARAMETERS;
- CK_KEY_TYPE keyType = CKK_DSA;
- CK_ULONG bits = 0;
- CK_ATTRIBUTE dpTemplate[] =
- {
- { CKA_CLASS, &dpClass, (CK_ULONG) sizeof(dpClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIME_BITS, &bits, (CK_ULONG) sizeof(bits) },
- };
- CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
- CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
- CK_ATTRIBUTE pubTemplate[] =
- {
- { CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_PRIME, NULL, 0 },
- { CKA_SUBPRIME, NULL, 0 },
- { CKA_BASE, NULL, 0 }
- };
- CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
- CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
- CK_ATTRIBUTE privTemplate[] =
- {
- { CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
- { CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
- { CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
- { CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
- { CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
- };
- CK_ATTRIBUTE *attr;
- pk11_object_t *dsa;
- pk11_context_t *pk11_ctx;
- isc_result_t ret;
- unsigned int i;
-
- UNUSED(unused);
- UNUSED(callback);
-
- pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
- sizeof(*pk11_ctx));
- if (pk11_ctx == NULL)
- return (ISC_R_NOMEMORY);
- ret = pk11_get_session(pk11_ctx, OP_DSA, true, false,
- false, NULL, pk11_get_best_token(OP_DSA));
- if (ret != ISC_R_SUCCESS)
- goto err;
-
- bits = key->key_size;
- PK11_RET(pkcs_C_GenerateKey,
- (pk11_ctx->session, &mech, dpTemplate, (CK_ULONG) 5, &dp),
- DST_R_CRYPTOFAILURE);
-
- dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
- if (dsa == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(dsa, 0, sizeof(*dsa));
- key->keydata.pkey = dsa;
- dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5);
- if (dsa->repr == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(dsa->repr, 0, sizeof(*attr) * 5);
- dsa->attrcnt = 5;
-
- attr = dsa->repr;
- attr[0].type = CKA_PRIME;
- attr[1].type = CKA_SUBPRIME;
- attr[2].type = CKA_BASE;
- attr[3].type = CKA_VALUE;
- attr[4].type = CKA_VALUE2;
-
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, dp, attr, 3),
- DST_R_CRYPTOFAILURE);
-
- for (i = 0; i <= 2; i++) {
- attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
- if (attr[i].pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(attr[i].pValue, 0, attr[i].ulValueLen);
- }
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, dp, attr, 3),
- DST_R_CRYPTOFAILURE);
- pubTemplate[5].pValue = attr[0].pValue;
- pubTemplate[5].ulValueLen = attr[0].ulValueLen;
- pubTemplate[6].pValue = attr[1].pValue;
- pubTemplate[6].ulValueLen = attr[1].ulValueLen;
- pubTemplate[7].pValue = attr[2].pValue;
- pubTemplate[7].ulValueLen = attr[2].ulValueLen;
-
- mech.mechanism = CKM_DSA_KEY_PAIR_GEN;
- PK11_RET(pkcs_C_GenerateKeyPair,
- (pk11_ctx->session, &mech,
- pubTemplate, (CK_ULONG) 8,
- privTemplate, (CK_ULONG) 7,
- &pub, &priv),
- DST_R_CRYPTOFAILURE);
-
- attr = dsa->repr;
- attr += 3;
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, pub, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
- if (attr->pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(attr->pValue, 0, attr->ulValueLen);
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, pub, attr, 1),
- DST_R_CRYPTOFAILURE);
-
- attr++;
- attr->type = CKA_VALUE;
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, priv, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
- if (attr->pValue == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(attr->pValue, 0, attr->ulValueLen);
- PK11_RET(pkcs_C_GetAttributeValue,
- (pk11_ctx->session, priv, attr, 1),
- DST_R_CRYPTOFAILURE);
- attr->type = CKA_VALUE2;
-
- (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
- (void) pkcs_C_DestroyObject(pk11_ctx->session, dp);
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ISC_R_SUCCESS);
-
- err:
- pkcs11dsa_destroy(key);
- if (priv != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
- if (pub != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
- if (dp != CK_INVALID_HANDLE)
- (void) pkcs_C_DestroyObject(pk11_ctx->session, dp);
- pk11_return_session(pk11_ctx);
- isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
- isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
-
- return (ret);
-}
-
-static bool
-pkcs11dsa_isprivate(const dst_key_t *key) {
- pk11_object_t *dsa = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (dsa == NULL)
- return (false);
- attr = pk11_attribute_bytype(dsa, CKA_VALUE2);
- return (attr != NULL || dsa->ontoken);
-}
-
-static void
-pkcs11dsa_destroy(dst_key_t *key) {
- pk11_object_t *dsa = key->keydata.pkey;
- CK_ATTRIBUTE *attr;
-
- if (dsa == NULL)
- return;
-
- INSIST((dsa->object == CK_INVALID_HANDLE) || dsa->ontoken);
-
- for (attr = pk11_attribute_first(dsa);
- attr != NULL;
- attr = pk11_attribute_next(dsa, attr))
- switch (attr->type) {
- case CKA_PRIME:
- case CKA_SUBPRIME:
- case CKA_BASE:
- case CKA_VALUE:
- case CKA_VALUE2:
- if (attr->pValue != NULL) {
- isc_safe_memwipe(attr->pValue,
- attr->ulValueLen);
- isc_mem_put(key->mctx,
- attr->pValue,
- attr->ulValueLen);
- }
- break;
- }
- if (dsa->repr != NULL) {
- isc_safe_memwipe(dsa->repr, dsa->attrcnt * sizeof(*attr));
- isc_mem_put(key->mctx,
- dsa->repr,
- dsa->attrcnt * sizeof(*attr));
- }
- isc_safe_memwipe(dsa, sizeof(*dsa));
- isc_mem_put(key->mctx, dsa, sizeof(*dsa));
- key->keydata.pkey = NULL;
-}
-
-
-static isc_result_t
-pkcs11dsa_todns(const dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *dsa;
- CK_ATTRIBUTE *attr;
- isc_region_t r;
- int dnslen;
- unsigned int t, p_bytes;
- CK_ATTRIBUTE *prime = NULL, *subprime = NULL;
- CK_ATTRIBUTE *base = NULL, *pub_key = NULL;
- CK_BYTE *cp;
-
- REQUIRE(key->keydata.pkey != NULL);
-
- dsa = key->keydata.pkey;
-
- for (attr = pk11_attribute_first(dsa);
- attr != NULL;
- attr = pk11_attribute_next(dsa, attr))
- switch (attr->type) {
- case CKA_PRIME:
- prime = attr;
- break;
- case CKA_SUBPRIME:
- subprime = attr;
- break;
- case CKA_BASE:
- base = attr;
- break;
- case CKA_VALUE:
- pub_key = attr;
- break;
- }
- REQUIRE((prime != NULL) && (subprime != NULL) &&
- (base != NULL) && (pub_key != NULL));
-
- isc_buffer_availableregion(data, &r);
-
- t = (prime->ulValueLen - 64) / 8;
- if (t > 8)
- return (DST_R_INVALIDPUBLICKEY);
- p_bytes = 64 + 8 * t;
-
- dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH;
- if (r.length < (unsigned int) dnslen)
- return (ISC_R_NOSPACE);
-
- memset(r.base, 0, dnslen);
- *r.base = t;
- isc_region_consume(&r, 1);
-
- cp = (CK_BYTE *) subprime->pValue;
- memmove(r.base + ISC_SHA1_DIGESTLENGTH - subprime->ulValueLen,
- cp, subprime->ulValueLen);
- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
- cp = (CK_BYTE *) prime->pValue;
- memmove(r.base + key->key_size/8 - prime->ulValueLen,
- cp, prime->ulValueLen);
- isc_region_consume(&r, p_bytes);
- cp = (CK_BYTE *) base->pValue;
- memmove(r.base + key->key_size/8 - base->ulValueLen,
- cp, base->ulValueLen);
- isc_region_consume(&r, p_bytes);
- cp = (CK_BYTE *) pub_key->pValue;
- memmove(r.base + key->key_size/8 - pub_key->ulValueLen,
- cp, pub_key->ulValueLen);
- isc_region_consume(&r, p_bytes);
-
- isc_buffer_add(data, dnslen);
-
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-pkcs11dsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
- pk11_object_t *dsa;
- isc_region_t r;
- unsigned int t, p_bytes;
- CK_BYTE *prime, *subprime, *base, *pub_key;
- CK_ATTRIBUTE *attr;
-
- isc_buffer_remainingregion(data, &r);
- if (r.length == 0)
- return (ISC_R_SUCCESS);
-
- dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
- if (dsa == NULL)
- return (ISC_R_NOMEMORY);
- memset(dsa, 0, sizeof(*dsa));
-
- t = (unsigned int) *r.base;
- isc_region_consume(&r, 1);
- if (t > 8) {
- isc_safe_memwipe(dsa, sizeof(*dsa));
- isc_mem_put(key->mctx, dsa, sizeof(*dsa));
- return (DST_R_INVALIDPUBLICKEY);
- }
- p_bytes = 64 + 8 * t;
-
- if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
- isc_safe_memwipe(dsa, sizeof(*dsa));
- isc_mem_put(key->mctx, dsa, sizeof(*dsa));
- return (DST_R_INVALIDPUBLICKEY);
- }
-
- subprime = r.base;
- isc_region_consume(&r, ISC_SHA1_DIGESTLENGTH);
-
- prime = r.base;
- isc_region_consume(&r, p_bytes);
-
- base = r.base;
- isc_region_consume(&r, p_bytes);
-
- pub_key = r.base;
- isc_region_consume(&r, p_bytes);
-
- key->key_size = p_bytes * 8;
-
- isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
-
- dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 4);
- if (dsa->repr == NULL)
- goto nomemory;
- memset(dsa->repr, 0, sizeof(*attr) * 4);
- dsa->attrcnt = 4;
-
- attr = dsa->repr;
- attr[0].type = CKA_PRIME;
- attr[0].pValue = isc_mem_get(key->mctx, p_bytes);
- if (attr[0].pValue == NULL)
- goto nomemory;
- memmove(attr[0].pValue, prime, p_bytes);
- attr[0].ulValueLen = p_bytes;
-
- attr[1].type = CKA_SUBPRIME;
- attr[1].pValue = isc_mem_get(key->mctx, ISC_SHA1_DIGESTLENGTH);
- if (attr[1].pValue == NULL)
- goto nomemory;
- memmove(attr[1].pValue, subprime, ISC_SHA1_DIGESTLENGTH);
- attr[1].ulValueLen = ISC_SHA1_DIGESTLENGTH;
-
- attr[2].type = CKA_BASE;
- attr[2].pValue = isc_mem_get(key->mctx, p_bytes);
- if (attr[2].pValue == NULL)
- goto nomemory;
- memmove(attr[2].pValue, base, p_bytes);
- attr[2].ulValueLen = p_bytes;
-
- attr[3].type = CKA_VALUE;
- attr[3].pValue = isc_mem_get(key->mctx, p_bytes);
- if (attr[3].pValue == NULL)
- goto nomemory;
- memmove(attr[3].pValue, pub_key, p_bytes);
- attr[3].ulValueLen = p_bytes;
-
- key->keydata.pkey = dsa;
-
- return (ISC_R_SUCCESS);
-
- nomemory:
- for (attr = pk11_attribute_first(dsa);
- attr != NULL;
- attr = pk11_attribute_next(dsa, attr))
- switch (attr->type) {
- case CKA_PRIME:
- case CKA_SUBPRIME:
- case CKA_BASE:
- case CKA_VALUE:
- if (attr->pValue != NULL) {
- isc_safe_memwipe(attr->pValue,
- attr->ulValueLen);
- isc_mem_put(key->mctx,
- attr->pValue,
- attr->ulValueLen);
- }
- break;
- }
- if (dsa->repr != NULL) {
- isc_safe_memwipe(dsa->repr, dsa->attrcnt * sizeof(*attr));
- isc_mem_put(key->mctx,
- dsa->repr,
- dsa->attrcnt * sizeof(*attr));
- }
- isc_safe_memwipe(dsa, sizeof(*dsa));
- isc_mem_put(key->mctx, dsa, sizeof(*dsa));
- return (ISC_R_NOMEMORY);
-}
-
-static isc_result_t
-pkcs11dsa_tofile(const dst_key_t *key, const char *directory) {
- int cnt = 0;
- pk11_object_t *dsa;
- CK_ATTRIBUTE *attr;
- CK_ATTRIBUTE *prime = NULL, *subprime = NULL, *base = NULL;
- CK_ATTRIBUTE *pub_key = NULL, *priv_key = NULL;
- dst_private_t priv;
- unsigned char bufs[5][128];
-
- if (key->keydata.pkey == NULL)
- return (DST_R_NULLKEY);
-
- if (key->external) {
- priv.nelements = 0;
- return (dst__privstruct_writefile(key, &priv, directory));
- }
-
- dsa = key->keydata.pkey;
-
- for (attr = pk11_attribute_first(dsa);
- attr != NULL;
- attr = pk11_attribute_next(dsa, attr))
- switch (attr->type) {
- case CKA_PRIME:
- prime = attr;
- break;
- case CKA_SUBPRIME:
- subprime = attr;
- break;
- case CKA_BASE:
- base = attr;
- break;
- case CKA_VALUE:
- pub_key = attr;
- break;
- case CKA_VALUE2:
- priv_key = attr;
- break;
- }
- if ((prime == NULL) || (subprime == NULL) || (base == NULL) ||
- (pub_key == NULL) || (priv_key ==NULL))
- return (DST_R_NULLKEY);
-
- priv.elements[cnt].tag = TAG_DSA_PRIME;
- priv.elements[cnt].length = (unsigned short) prime->ulValueLen;
- memmove(bufs[cnt], prime->pValue, prime->ulValueLen);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
- priv.elements[cnt].length = (unsigned short) subprime->ulValueLen;
- memmove(bufs[cnt], subprime->pValue, subprime->ulValueLen);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_BASE;
- priv.elements[cnt].length = (unsigned short) base->ulValueLen;
- memmove(bufs[cnt], base->pValue, base->ulValueLen);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_PRIVATE;
- priv.elements[cnt].length = (unsigned short) priv_key->ulValueLen;
- memmove(bufs[cnt], priv_key->pValue, priv_key->ulValueLen);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.elements[cnt].tag = TAG_DSA_PUBLIC;
- priv.elements[cnt].length = (unsigned short) pub_key->ulValueLen;
- memmove(bufs[cnt], pub_key->pValue, pub_key->ulValueLen);
- priv.elements[cnt].data = bufs[cnt];
- cnt++;
-
- priv.nelements = cnt;
- return (dst__privstruct_writefile(key, &priv, directory));
-}
-
-static isc_result_t
-pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
- dst_private_t priv;
- isc_result_t ret;
- int i;
- pk11_object_t *dsa = NULL;
- CK_ATTRIBUTE *attr;
- isc_mem_t *mctx = key->mctx;
-
- /* read private key file */
- ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
- if (ret != ISC_R_SUCCESS)
- return (ret);
-
- if (key->external) {
- if (priv.nelements != 0)
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- if (pub == NULL)
- DST_RET(DST_R_INVALIDPRIVATEKEY);
-
- key->keydata.pkey = pub->keydata.pkey;
- pub->keydata.pkey = NULL;
- key->key_size = pub->key_size;
-
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
-
- return (ISC_R_SUCCESS);
- }
-
- dsa = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dsa));
- if (dsa == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(dsa, 0, sizeof(*dsa));
- key->keydata.pkey = dsa;
-
- dsa->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 5);
- if (dsa->repr == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memset(dsa->repr, 0, sizeof(*attr) * 5);
- dsa->attrcnt = 5;
- attr = dsa->repr;
- attr[0].type = CKA_PRIME;
- attr[1].type = CKA_SUBPRIME;
- attr[2].type = CKA_BASE;
- attr[3].type = CKA_VALUE;
- attr[4].type = CKA_VALUE2;
-
- for (i = 0; i < priv.nelements; i++) {
- CK_BYTE *bn;
-
- bn = isc_mem_get(key->mctx, priv.elements[i].length);
- if (bn == NULL)
- DST_RET(ISC_R_NOMEMORY);
- memmove(bn, priv.elements[i].data, priv.elements[i].length);
-
- switch (priv.elements[i].tag) {
- case TAG_DSA_PRIME:
- attr = pk11_attribute_bytype(dsa, CKA_PRIME);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- case TAG_DSA_SUBPRIME:
- attr = pk11_attribute_bytype(dsa,
- CKA_SUBPRIME);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- case TAG_DSA_BASE:
- attr = pk11_attribute_bytype(dsa, CKA_BASE);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- case TAG_DSA_PRIVATE:
- attr = pk11_attribute_bytype(dsa, CKA_VALUE2);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- case TAG_DSA_PUBLIC:
- attr = pk11_attribute_bytype(dsa, CKA_VALUE);
- INSIST(attr != NULL);
- attr->pValue = bn;
- attr->ulValueLen = priv.elements[i].length;
- break;
- }
- }
- dst__privstruct_free(&priv, mctx);
-
- attr = pk11_attribute_bytype(dsa, CKA_PRIME);
- INSIST(attr != NULL);
- key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
-
- return (ISC_R_SUCCESS);
-
- err:
- pkcs11dsa_destroy(key);
- dst__privstruct_free(&priv, mctx);
- isc_safe_memwipe(&priv, sizeof(priv));
- return (ret);
-}
-
-static dst_func_t pkcs11dsa_functions = {
- pkcs11dsa_createctx,
- NULL, /*%< createctx2 */
- pkcs11dsa_destroyctx,
- pkcs11dsa_adddata,
- pkcs11dsa_sign,
- pkcs11dsa_verify,
- NULL, /*%< verify2 */
- NULL, /*%< computesecret */
- pkcs11dsa_compare,
- NULL, /*%< paramcompare */
- pkcs11dsa_generate,
- pkcs11dsa_isprivate,
- pkcs11dsa_destroy,
- pkcs11dsa_todns,
- pkcs11dsa_fromdns,
- pkcs11dsa_tofile,
- pkcs11dsa_parse,
- NULL, /*%< cleanup */
- NULL, /*%< fromlabel */
- NULL, /*%< dump */
- NULL, /*%< restore */
-};
-
-isc_result_t
-dst__pkcs11dsa_init(dst_func_t **funcp) {
- REQUIRE(funcp != NULL);
- if (*funcp == NULL)
- *funcp = &pkcs11dsa_functions;
- return (ISC_R_SUCCESS);
-}
-
-#endif /* USE_PKCS11 */
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index 914ac47864..41fc88e893 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -108,8 +108,6 @@
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
{ DNS_KEYALG_RSAMD5, "RSA", 0 }, \
{ DNS_KEYALG_DH, "DH", 0 }, \
- { DNS_KEYALG_DSA, "DSA", 0 }, \
- { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
{ DNS_KEYALG_ECC, "ECC", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
diff --git a/lib/isc/include/pk11/site.h b/lib/isc/include/pk11/site.h
index de08b04979..442ce71c96 100644
--- a/lib/isc/include/pk11/site.h
+++ b/lib/isc/include/pk11/site.h
@@ -12,8 +12,3 @@
#pragma once
/*! \file pk11/site.h */
-
-#ifdef HAVE_GETPASSPHRASE
-#undef getpass
-#define getpass(x) getpassphrase(x)
-#endif
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 13b4d75eb0..4b7efce0fb 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -81,7 +81,6 @@ struct pk11_token {
static ISC_LIST(pk11_token_t) tokens;
static pk11_token_t *best_rsa_token;
-static pk11_token_t *best_dsa_token;
static pk11_token_t *best_dh_token;
static pk11_token_t *best_ecdsa_token;
static pk11_token_t *best_eddsa_token;
@@ -238,9 +237,6 @@ pk11_finalize(void) {
if (token == best_rsa_token) {
best_rsa_token = NULL;
}
- if (token == best_dsa_token) {
- best_dsa_token = NULL;
- }
if (token == best_dh_token) {
best_dh_token = NULL;
}
@@ -563,35 +559,6 @@ scan_slots(void) {
}
}
- /* Check for DSA support */
- bad = false;
- rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_PARAMETER_GEN,
- &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
- bad = true;
- PK11_TRACEM(CKM_DSA_PARAMETER_GEN);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_KEY_PAIR_GEN,
- &mechInfo);
- if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
- bad = true;
- PK11_TRACEM(CKM_DSA_PARAMETER_GEN);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_DSA_SHA1, &mechInfo);
- if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_SIGN) == 0) ||
- ((mechInfo.flags & CKF_VERIFY) == 0)) {
- bad = true;
- PK11_TRACEM(CKM_DSA_SHA1);
- }
- if (!bad) {
- token->operations |= 1 << OP_DSA;
- if (best_dsa_token == NULL) {
- best_dsa_token = token;
- }
- }
-
/* Check for DH support */
bad = false;
rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
@@ -684,9 +651,6 @@ pk11_get_best_token(pk11_optype_t optype) {
case OP_RSA:
token = best_rsa_token;
break;
- case OP_DSA:
- token = best_dsa_token;
- break;
case OP_DH:
token = best_dh_token;
break;
@@ -1035,8 +999,6 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
if (token == NULL) {
if (optype == OP_RSA) {
token = best_rsa_token;
- } else if (optype == OP_DSA) {
- token = best_dsa_token;
} else if (optype == OP_DH) {
token = best_dh_token;
} else if (optype == OP_ECDSA) {
@@ -1076,7 +1038,6 @@ pk11_dump_tokens(void) {
printf("DEFAULTS\n");
printf("\tbest_rsa_token=%p\n", best_rsa_token);
- printf("\tbest_dsa_token=%p\n", best_dsa_token);
printf("\tbest_dh_token=%p\n", best_dh_token);
printf("\tbest_ecdsa_token=%p\n", best_ecdsa_token);
printf("\tbest_eddsa_token=%p\n", best_eddsa_token);
@@ -1097,12 +1058,6 @@ pk11_dump_tokens(void) {
first = false;
printf("RSA");
}
- if (token->operations & (1 << OP_DSA)) {
- if (!first)
- printf(",");
- first = false;
- printf("DSA");
- }
if (token->operations & (1 << OP_DH)) {
if (!first)
printf(",");
diff --git a/util/copyrights b/util/copyrights
index cef76fcc15..7513c60546 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -2965,14 +2965,12 @@
./lib/dns/nta.c C 2014,2015,2016,2017,2018
./lib/dns/openssl_link.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018
./lib/dns/openssldh_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
-./lib/dns/openssldsa_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/opensslecdsa_link.c C 2012,2013,2014,2015,2016,2017,2018
./lib/dns/openssleddsa_link.c C 2017,2018
./lib/dns/opensslrsa_link.c C 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018
./lib/dns/order.c C 2002,2004,2005,2007,2015,2016,2017,2018
./lib/dns/peer.c C 2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018
./lib/dns/pkcs11.c C 2014,2016,2017,2018
-./lib/dns/pkcs11dsa_link.c C 2014,2015,2016,2017,2018
./lib/dns/pkcs11ecdsa_link.c C 2014,2015,2016,2017,2018
./lib/dns/pkcs11eddsa_link.c C 2017,2018
./lib/dns/pkcs11rsa_link.c C 2014,2015,2016,2017,2018