DNSSEC: fix key checking in server

2026-06-09 08:33:59 -04:00 · 2014-08-28 09:30:19 +02:00 · 2014-08-28 09:30:19 +02:00 · b9c4e0ffe0
commit b9c4e0ffe0
parent bd83a4eda3
2 changed files with 35 additions and 27 deletions
--- a/src/knot/dnssec/zone-keys.c
+++ b/src/knot/dnssec/zone-keys.c
@ -155,7 +155,7 @@ fail:
 /*!
 * \brief Check if there is a functional KSK and ZSK for each used algorithm.
 *
- * \todo To be moved to libdnssec.
+ * \todo [dnssec] move to library
 */
 static int check_keys_validity(const zone_keyset_t *keyset)
 {
@ -217,20 +217,18 @@ static int check_keys_validity(const zone_keyset_t *keyset)
 /*!
 * \brief Log information about zone keys.
 */
-static void log_key_info(const zone_keyset_t *keyset, const char *zone_name)
+static void log_key_info(const zone_key_t *key, const char *zone_name)
 {
-	assert(keyset);
+	assert(key);
 	assert(zone_name);

-	for (size_t i = 0; i < keyset->count; i++) {
-		const zone_key_t *key = &keyset->keys[i];
-
-		log_zone_str_info(zone_name, "DNSSEC, loaded key %5d, %s, %s, %s",
-		                  dnssec_key_get_keytag(key->key),
-		                  key->is_ksk ? "KSK" : "ZSK",
-		                  key->is_public ? "public" : "not-public",
-		                  key->is_active ? "active" : "inactive");
-	}
+	log_zone_str_info(zone_name, "DNSSEC, loaded key, tag %5d, "
+			  "KSK %s, ZSK %s, public %s, active %s",
+			  dnssec_key_get_keytag(key->key),
+			  key->is_ksk ? "yes" : "no",
+			  key->is_zsk ? "yes" : "no",
+			  key->is_public ? "yes" : "no",
+			  key->is_active ? "yes" : "no");
 }

 /*!
@ -260,9 +258,26 @@ int load_zone_keys(const char *keydir_name, const char *zone_name,
 		return KNOT_ERROR;
 	}

-	log_key_info(&keyset, zone_name);
-
 	dnssec_kasp_keyset_t *kasp_keys = dnssec_kasp_zone_get_keys(keyset.kasp_zone);
+	keyset.count = dnssec_kasp_keyset_count(kasp_keys);
+	if (keyset.count == 0) {
+		log_zone_str_error(zone_name, "DNSSEC, no keys are available");
+		free_zone_keys(&keyset);
+		return KNOT_ERROR;
+	}
+
+	keyset.keys = calloc(keyset.count, sizeof(zone_key_t));
+	if (!keyset.keys) {
+		free_zone_keys(&keyset);
+		return KNOT_ENOMEM;
+	}
+
+	for (size_t i = 0; i < keyset.count; i++) {
+		dnssec_kasp_key_t *kasp_key = dnssec_kasp_keyset_at(kasp_keys, i);
+		set_key(kasp_key, &keyset.keys[i]);
+		log_key_info(&keyset.keys[i], zone_name);
+	}
+
 	r = check_keys_validity(&keyset);
 	if (r != KNOT_EOK) {
 		log_zone_str_error(zone_name, "DNSSEC, keys validation failed (%s)",
@ -271,18 +286,6 @@ int load_zone_keys(const char *keydir_name, const char *zone_name,
 		return KNOT_ERROR;
 	}

-	size_t keys_count = dnssec_kasp_keyset_count(kasp_keys);
-	keyset.keys = calloc(keys_count, sizeof(zone_key_t));
-	if (!keyset.keys) {
-		free_zone_keys(&keyset);
-		return KNOT_ENOMEM;
-	}
-
-	keyset.count = keys_count;
-	for (size_t i = 0; i < keys_count; i++) {
-		dnssec_kasp_key_t *kasp_key = dnssec_kasp_keyset_at(kasp_keys, i);
-		set_key(kasp_key, &keyset.keys[i]);
-	}

 	r = load_private_keys(keydir_name, &keyset);
 	if (r != KNOT_EOK) {
--- a/src/knot/dnssec/zone-keys.h
+++ b/src/knot/dnssec/zone-keys.h
@ -36,19 +36,24 @@
 #include "dnssec/kasp.h"
 #include "dnssec/sign.h"

+// [dnssec] will be replaced
 typedef struct zone_key {
 	dnssec_key_t *key;
 	dnssec_sign_ctx_t *ctx;

 	time_t next_event;
+
 	bool is_ksk;
 	bool is_zsk;
 	bool is_public;
 	bool is_active;
 } zone_key_t;

+// [dnssec] will be replaced
 typedef struct {
-	dnssec_kasp_t *kasp; // temporary, should be shared by all zones
+	// [dnssec] temporary, one instance per server
+	dnssec_kasp_t *kasp;
+
 	dnssec_kasp_zone_t *kasp_zone;
 	size_t count;
 	zone_key_t *keys;