diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
index 418984a2c9..b6d1bbf3d3 100644
--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -64,8 +64,8 @@ usage(void) {
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: \n"
- " RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
- " NSEC3DSA | NSEC3RSASHA1 |\n"
+ " RSA | RSAMD5 | DH | RSASHA1 |\n"
+ " NSEC3RSASHA1 |\n"
" RSASHA256 | RSASHA512 |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
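Review bot: The rewritten -a help text still stops at ECDSAP384SHA384, while this tool's own docbook in the same patch (line L38 of the diff) and dnssec-keygen's usage (L62) list ED25519 and ED448 as accepted values, so the usage string is now being edited without fixing that inconsistency. If dnssec-keyfromlabel accepts those algorithms, end the list with `" ECDSAP256SHA256 | ECDSAP384SHA384 |\n"` followed by `" ED25519 | ED448\n"`; if it does not, the docbook should drop them instead. Whether the label-based path supports EdDSA cannot be confirmed from this hunk.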
@@ -402,13 +402,9 @@ main(int argc, char **argv) {
if (use_nsec3) {
switch (alg) {
- case DST_ALG_DSA:
- alg = DST_ALG_NSEC3DSA;
- break;
case DST_ALG_RSASHA1:
alg = DST_ALG_NSEC3RSASHA1;
break;
- case DST_ALG_NSEC3DSA:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
index 61d9fe0bd7..02f8c50569 100644
--- a/bin/dnssec/dnssec-keyfromlabel.docbook
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -106,7 +106,7 @@
Selects the cryptographic algorithm. The value of
must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+ NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
@@ -119,9 +119,9 @@
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the option, then NSEC3RSASHA1
- or NSEC3DSA will be used instead.
+ will be used instead.
As of BIND 9.12.0, this option is mandatory except when using
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 90b2f581bf..63e8b9cb49 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -79,8 +79,8 @@ usage(void) {
fprintf(stderr, "Options:\n");
fprintf(stderr, " -K : write keys into directory\n");
fprintf(stderr, " -a :\n");
- fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
- " | NSEC3DSA |\n");
+ fprintf(stderr, " RSA | RSAMD5 | RSASHA1 | NSEC3RSASHA1"
+ " |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " ED25519 | ED448 | DH\n");
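Review bot: The rebuilt algorithm list still advertises `RSA | RSAMD5` first, even though RSAMD5 is an algorithm that RFC 6944 says implementations MUST NOT use for signing and this commit is removing another deprecated algorithm (DSA) from the same list. If RSAMD5 key generation is intentionally kept for now, it should not be the first option shown to users; if it is also slated for removal, a note in the commit message would help. The remaining `DH` entry at the end of the list is fine since DH is still handled below in the size checks.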
@@ -92,10 +92,6 @@ usage(void) {
fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
- fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
- fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
- "by 64\n");
- fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
fprintf(stderr, " ED25519:\tignored\n");
@@ -161,11 +157,6 @@ usage(void) {
exit (-1);
}
-static bool
-dsa_size_ok(int size) {
- return (size >= 512 && size <= 1024 && size % 64 == 0);
-}
-
static void
progress(int p)
{
@@ -542,17 +533,12 @@ main(int argc, char **argv) {
if (use_nsec3) {
switch (alg) {
- case DST_ALG_DSA:
- alg = DST_ALG_NSEC3DSA;
- break;
case DST_ALG_RSASHA1:
alg = DST_ALG_NSEC3RSASHA1;
break;
- case DST_ALG_NSEC3DSA:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
- case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
@@ -598,7 +584,6 @@ main(int argc, char **argv) {
" to %d\n", size);
}
break;
- case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
@@ -728,14 +713,6 @@ main(int argc, char **argv) {
if (size != 0 && (size < 128 || size > 4096))
fatal("DH key size %d out of range", size);
break;
- case DNS_KEYALG_DSA:
- case DNS_KEYALG_NSEC3DSA:
- if (size != 0 && !dsa_size_ok(size))
- fatal("invalid DSS key size: %d", size);
- break;
- case DST_ALG_ECCGOST:
- size = 256;
- break;
case DST_ALG_ECDSA256:
size = 256;
break;
@@ -815,9 +792,6 @@ main(int argc, char **argv) {
param = generator;
break;
- case DNS_KEYALG_DSA:
- case DNS_KEYALG_NSEC3DSA:
- case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
case DST_ALG_ED25519:
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 66fc1ef828..d2e5a45e20 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -123,7 +123,7 @@
Selects the cryptographic algorithm. For DNSSEC keys, the value
of must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+ NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the
@@ -132,9 +132,9 @@
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the option, then NSEC3RSASHA1
- or NSEC3DSA will be used instead.
+ will be used instead.
This parameter must be specified except
diff --git a/bin/pkcs11/pkcs11-keygen.c b/bin/pkcs11/pkcs11-keygen.c
index e09f778dbf..e11ef6f35f 100644
--- a/bin/pkcs11/pkcs11-keygen.c
+++ b/bin/pkcs11/pkcs11-keygen.c
@@ -43,7 +43,7 @@
* Create a key in the keystore of an HSM
*
* The calculation of key tag is left to the script
- * that converts the key into a DNSKEY RR and inserts
+ * that converts the key into a DNSKEY RR and inserts
* it into a zone file.
*
* usage:
@@ -71,7 +71,6 @@
#include
#include
-#define WANT_DH_PRIMES
#include
#include
@@ -79,12 +78,10 @@
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
-/* Key class: RSA, ECC, ECX, DSA, DH, or unknown */
+/* Key class: RSA, ECC, ECX, or unknown */
typedef enum {
key_unknown,
key_rsa,
- key_dsa,
- key_dh,
key_ecc,
key_ecx
} key_class_t;
@@ -152,78 +149,6 @@ static CK_ATTRIBUTE ecc_template[] = {
{CKA_ID, NULL_PTR, 0}
};
-/*
- * Public key template for DSA keys
- */
-#define DSA_LABEL 0
-#define DSA_VERIFY 1
-#define DSA_TOKEN 2
-#define DSA_PRIVATE 3
-#define DSA_PRIME 4
-#define DSA_SUBPRIME 5
-#define DSA_BASE 6
-#define DSA_ID 7
-#define DSA_ATTRS 8
-static CK_ATTRIBUTE dsa_template[] = {
- {CKA_LABEL, NULL_PTR, 0},
- {CKA_VERIFY, &truevalue, sizeof(truevalue)},
- {CKA_TOKEN, &truevalue, sizeof(truevalue)},
- {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
- {CKA_PRIME, NULL_PTR, 0},
- {CKA_SUBPRIME, NULL_PTR, 0},
- {CKA_BASE, NULL_PTR, 0},
- {CKA_ID, NULL_PTR, 0}
-};
-#define DSA_PARAM_PRIME 0
-#define DSA_PARAM_SUBPRIME 1
-#define DSA_PARAM_BASE 2
-#define DSA_PARAM_ATTRS 3
-static CK_ATTRIBUTE dsa_param_template[] = {
- {CKA_PRIME, NULL_PTR, 0},
- {CKA_SUBPRIME, NULL_PTR, 0},
- {CKA_BASE, NULL_PTR, 0},
-};
-#define DSA_DOMAIN_PRIMEBITS 0
-#define DSA_DOMAIN_PRIVATE 1
-#define DSA_DOMAIN_ATTRS 2
-static CK_ATTRIBUTE dsa_domain_template[] = {
- {CKA_PRIME_BITS, NULL_PTR, 0},
- {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
-};
-
-/*
- * Public key template for DH keys
- */
-#define DH_LABEL 0
-#define DH_VERIFY 1
-#define DH_TOKEN 2
-#define DH_PRIVATE 3
-#define DH_PRIME 4
-#define DH_BASE 5
-#define DH_ID 6
-#define DH_ATTRS 7
-static CK_ATTRIBUTE dh_template[] = {
- {CKA_LABEL, NULL_PTR, 0},
- {CKA_VERIFY, &truevalue, sizeof(truevalue)},
- {CKA_TOKEN, &truevalue, sizeof(truevalue)},
- {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
- {CKA_PRIME, NULL_PTR, 0},
- {CKA_BASE, NULL_PTR, 0},
- {CKA_ID, NULL_PTR, 0}
-};
-#define DH_PARAM_PRIME 0
-#define DH_PARAM_BASE 1
-#define DH_PARAM_ATTRS 2
-static CK_ATTRIBUTE dh_param_template[] = {
- {CKA_PRIME, NULL_PTR, 0},
- {CKA_BASE, NULL_PTR, 0},
-};
-#define DH_DOMAIN_PRIMEBITS 0
-#define DH_DOMAIN_ATTRS 1
-static CK_ATTRIBUTE dh_domain_template[] = {
- {CKA_PRIME_BITS, NULL_PTR, 0},
-};
-
/*
* Convert from text to key class. Accepts the names of DNSSEC
* signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
@@ -237,11 +162,6 @@ keyclass_fromtext(const char *name) {
if (strncasecmp(name, "rsa", 3) == 0 ||
strncasecmp(name, "nsec3rsa", 8) == 0)
return (key_rsa);
- else if (strncasecmp(name, "dsa", 3) == 0 ||
- strncasecmp(name, "nsec3dsa", 8) == 0)
- return (key_dsa);
- else if (strcasecmp(name, "dh") == 0)
- return (key_dh);
else if (strncasecmp(name, "ecc", 3) == 0 ||
strncasecmp(name, "ecdsa", 5) == 0)
return (key_ecc);
@@ -279,7 +199,7 @@ main(int argc, char *argv[]) {
pk11_context_t pctx;
int error = 0;
int c, errflg = 0;
- int hide = 1, special = 0, quiet = 0;
+ int hide = 1, quiet = 0;
int idlen = 0, id_offset = 0;
unsigned int i;
unsigned long id = 0;
@@ -331,9 +251,6 @@ main(int argc, char *argv[]) {
case 'q':
quiet = 1;
break;
- case 'S':
- special = 1;
- break;
case ':':
fprintf(stderr,
"Option -%c requires an operand\n",
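Review bot: The `case 'S':` branch is removed, but the getopt option string that declares `S` as a valid flag is outside this hunk and not shown as changed, and neither is the usage text in the file header comment (around L167) that presumably documents -S. If the option string still contains `S`, `-S` is accepted and silently ignored rather than rejected as an unknown option, which is worse than the previous behaviour for anyone scripting the old DH special-prime mode. Please drop `S` from the option string and the usage/help text in the same commit.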
@@ -360,12 +277,6 @@ main(int argc, char *argv[]) {
exit(2);
}
- if (special != 0 && keyclass != key_dh) {
- fprintf(stderr, "The -S option is only compatible "
- "with Diffie-Hellman key generation\n");
- exit(2);
- }
-
switch (keyclass) {
case key_rsa:
op_type = OP_RSA;
@@ -461,70 +372,10 @@ main(int argc, char *argv[]) {
#endif
break;
- case key_dsa:
- op_type = OP_DSA;
- if (bits == 0)
- usage();
-
- dpmech.mechanism = CKM_DSA_PARAMETER_GEN;
- dpmech.pParameter = NULL;
- dpmech.ulParameterLen = 0;
- mech.mechanism = CKM_DSA_KEY_PAIR_GEN;
- mech.pParameter = NULL;
- mech.ulParameterLen = 0;
-
- public_template = dsa_template;
- public_attrcnt = DSA_ATTRS;
- id_offset = DSA_ID;
-
- domain_template = dsa_domain_template;
- domain_attrcnt = DSA_DOMAIN_ATTRS;
- param_template = dsa_param_template;
- param_attrcnt = DSA_PARAM_ATTRS;
-
- domain_template[DSA_DOMAIN_PRIMEBITS].pValue = &bits;
- domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
- break;
- case key_dh:
- op_type = OP_DH;
- if (special && bits == 0)
- bits = 1024;
- else if (special &&
- bits != 768 && bits != 1024 && bits != 1536)
- {
- fprintf(stderr, "When using the special prime (-S) "
- "option, only key sizes of\n"
- "768, 1024 or 1536 are supported.\n");
- exit(2);
- } else if (bits == 0)
- usage();
-
- dpmech.mechanism = CKM_DH_PKCS_PARAMETER_GEN;
- dpmech.pParameter = NULL;
- dpmech.ulParameterLen = 0;
- mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN;
- mech.pParameter = NULL;
- mech.ulParameterLen = 0;
-
- /* Override CKA_SIGN attribute */
- private_template[PRIVATE_DERIVE].type = CKA_DERIVE;
-
- public_template = dh_template;
- public_attrcnt = DH_ATTRS;
- id_offset = DH_ID;
-
- domain_template = dh_domain_template;
- domain_attrcnt = DH_DOMAIN_ATTRS;
- param_template = dh_param_template;
- param_attrcnt = DH_PARAM_ATTRS;
-
- domain_template[DH_DOMAIN_PRIMEBITS].pValue = &bits;
- domain_template[DH_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
- break;
case key_unknown:
usage();
}
-
+
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen((char *)label);
public_template[0].pValue = label;
@@ -582,7 +433,7 @@ main(int argc, char *argv[]) {
hSession = pctx.session;
/* check if a key with the same id already exists */
- rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
+ rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
error = 1;
@@ -609,29 +460,6 @@ main(int argc, char *argv[]) {
if (keyclass == key_rsa || keyclass == key_ecc || keyclass == key_ecx)
goto generate_keys;
- /*
- * Special setup for Diffie-Hellman keys
- */
- if (special != 0) {
- public_template[DH_BASE].pValue = pk11_dh_bn2;
- public_template[DH_BASE].ulValueLen = sizeof(pk11_dh_bn2);
- if (bits == 768) {
- public_template[DH_PRIME].pValue = pk11_dh_bn768;
- public_template[DH_PRIME].ulValueLen =
- sizeof(pk11_dh_bn768);
- } else if (bits == 1024) {
- public_template[DH_PRIME].pValue = pk11_dh_bn1024;
- public_template[DH_PRIME].ulValueLen =
- sizeof(pk11_dh_bn1024);
- } else {
- public_template[DH_PRIME].pValue = pk11_dh_bn1536;
- public_template[DH_PRIME].ulValueLen =
- sizeof(pk11_dh_bn1536);
- }
- param_attrcnt = 0;
- goto generate_keys;
- }
-
/* Generate Domain parameters */
rv = pkcs_C_GenerateKey(hSession, &dpmech, domain_template,
domain_attrcnt, &domainparams);
@@ -651,7 +479,7 @@ main(int argc, char *argv[]) {
fprintf(stderr,
"C_GetAttributeValue0: Error = 0x%.8lX\n", rv);
error = 1;
- goto exit_domain;
+ goto exit_search;
}
/* Allocate space for parameter attributes */
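Review bot: Changing `goto exit_domain` to `goto exit_search` drops the `C_DestroyObject` that previously removed the freshly generated domain-parameter object from the token on this error path (the exit_domain label is deleted later in the patch), so on failure a stray parameter object would be left behind in the HSM. As far as this patch shows the code is no longer reachable for any surviving key class, so the clean fix is to remove the domain-parameter generation block entirely instead of keeping a goto that leaks token objects.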
@@ -664,81 +492,22 @@ main(int argc, char *argv[]) {
if (param_template[i].pValue == NULL) {
fprintf(stderr, "malloc failed\n");
error = 1;
- goto exit_params;
+ goto exit_search;
}
}
- rv = pkcs_C_GetAttributeValue(hSession, domainparams,
- dsa_param_template, DSA_PARAM_ATTRS);
-
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_GetAttributeValue1: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_params;
- }
-
- switch (keyclass) {
- case key_dsa:
- public_template[DSA_PRIME].pValue =
- param_template[DSA_PARAM_PRIME].pValue;
- public_template[DSA_PRIME].ulValueLen =
- param_template[DSA_PARAM_PRIME].ulValueLen;
- public_template[DSA_SUBPRIME].pValue =
- param_template[DSA_PARAM_SUBPRIME].pValue;
- public_template[DSA_SUBPRIME].ulValueLen =
- param_template[DSA_PARAM_SUBPRIME].ulValueLen;
- public_template[DSA_BASE].pValue =
- param_template[DSA_PARAM_BASE].pValue;
- public_template[DSA_BASE].ulValueLen =
- param_template[DSA_PARAM_BASE].ulValueLen;
- break;
- case key_dh:
- public_template[DH_PRIME].pValue =
- param_template[DH_PARAM_PRIME].pValue;
- public_template[DH_PRIME].ulValueLen =
- param_template[DH_PARAM_PRIME].ulValueLen;
- public_template[DH_BASE].pValue =
- param_template[DH_PARAM_BASE].pValue;
- public_template[DH_BASE].ulValueLen =
- param_template[DH_PARAM_BASE].ulValueLen;
- default:
- break;
- }
-
generate_keys:
/* Generate Key pair for signing/verifying */
rv = pkcs_C_GenerateKeyPair(hSession, &mech,
public_template, public_attrcnt,
private_template, private_attrcnt,
&publickey, &privatekey);
-
+
if (rv != CKR_OK) {
fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
error = 1;
} else if (!quiet)
printf("Key pair generation complete.\n");
-
- exit_params:
- /* Free parameter attributes */
- if (keyclass == key_dsa || keyclass == key_dh) {
- for (i = 0; i < param_attrcnt; i++) {
- if (param_template[i].pValue != NULL) {
- free(param_template[i].pValue);
- }
- }
- }
-
- exit_domain:
- /* Destroy domain parameters */
- if (keyclass == key_dsa || (keyclass == key_dh && !special)) {
- rv = pkcs_C_DestroyObject(hSession, domainparams);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_DestroyObject: Error = 0x%.8lX\n", rv);
- error = 1;
- }
- }
exit_search:
rv = pkcs_C_FindObjectsFinal(hSession);
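Review bot: Deleting the `exit_params` loop removes the only `free()` of the `param_template[i].pValue` buffers that the allocation loop at the top of this hunk still mallocs, and the `goto exit_search` on malloc failure now also skips freeing the buffers allocated in earlier iterations. The removed `exit_domain` block was likewise the only place the `domainparams` token object was destroyed. As far as this patch shows, the allocation loop cannot be reached any more (every remaining key class jumps to `generate_keys`), so the right fix is to delete the allocation loop and the `pkcs_C_GetAttributeValue`/`pkcs_C_GenerateKey` calls that feed it rather than leave allocating code with no matching release.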
diff --git a/bin/python/isc/dnskey.py.in b/bin/python/isc/dnskey.py.in
index 8c5a80f7c1..eaedb80d99 100644
--- a/bin/python/isc/dnskey.py.in
+++ b/bin/python/isc/dnskey.py.in
@@ -30,7 +30,7 @@ class dnskey:
'Revoke', 'DSPublish', 'SyncPublish', 'SyncDelete')
_OPTS = (None, '-P', '-A', '-I', '-D', '-R', None, '-Psync', '-Dsync')
- _ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
+ _ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', None, 'RSASHA1',
'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
'ECDSAP384SHA384', 'ED25519', 'ED448')
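Review bot: `_ALGNAMES` is indexed by DNSKEY algorithm number and this hunk blanks entry 4 ('ECC') but keeps 'DSA' (3), 'NSEC3DSA' (6) and 'ECCGOST' (12) even though the C tools in the same patch drop key generation for all of them. That is presumably deliberate so existing key files and zones still parse (lib/dns/rcode.c keeps the DSA mnemonics too), but nothing says so, and the next cleanup pass is likely to delete them. A comment such as `# Names for algorithms BIND can no longer generate (DSA, NSEC3DSA, ECCGOST) are kept so existing keys still parse` above the tuple would record the intent.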
diff --git a/bin/tests/optional/Kchild.example.+003+04017.key b/bin/tests/optional/Kchild.example.+003+04017.key
deleted file mode 100644
index 9f5cbac0a3..0000000000
--- a/bin/tests/optional/Kchild.example.+003+04017.key
+++ /dev/null
@@ -1 +0,0 @@
-child.example. IN KEY 256 3 3 ALeiYGFXbil6PgHnkm5ZE67ygEVDvGT/gqZmLH7tGboofcPSfyhh1hpw dxZgJ26d/gynWMGVSYzaXfzsxpPoNeYn+qeevQoJOaxXXlfcy8Ik52Rm eW0J9mWlf9hsD7ShIhh1+0kRYGCOCaU25wIe3SLVkN3HgqiCBDYnBY0u nMkqRadiUnoEa3Tcvc9kJx9r9gDstR2A9A5sBhFLI/XQ0gViHHLVpQ4x hz+rTLb/xrBoAb5sQJT3xUjhhdNo9HuL6kwdLdSu//PCl1QnY9NpYPVV SKUo
diff --git a/bin/tests/optional/Kchild.example.+003+04017.private b/bin/tests/optional/Kchild.example.+003+04017.private
deleted file mode 100644
index 176ff98421..0000000000
--- a/bin/tests/optional/Kchild.example.+003+04017.private
+++ /dev/null
@@ -1,7 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 3 (DSA)
-Prime(p): vGT/gqZmLH7tGboofcPSfyhh1hpwdxZgJ26d/gynWMGVSYzaXfzsxpPoNeYn+qeevQoJOaxXXlfcy8Ik52RmeQ==
-Subprime(q): t6JgYVduKXo+AeeSblkTrvKARUM=
-Base(g): bQn2ZaV/2GwPtKEiGHX7SRFgYI4JpTbnAh7dItWQ3ceCqIIENicFjS6cySpFp2JSegRrdNy9z2QnH2v2AOy1HQ==
-Private_value(x): J1Ctez8+w1PTR56Hze3pGoe0Wag=
-Public_value(y): gPQObAYRSyP10NIFYhxy1aUOMYc/q0y2/8awaAG+bECU98VI4YXTaPR7i+pMHS3Urv/zwpdUJ2PTaWD1VUilKA==
diff --git a/bin/tests/optional/Kchild.example.+005+33180.key b/bin/tests/optional/Kchild.example.+005+33180.key
new file mode 100644
index 0000000000..ab92a6af4d
--- /dev/null
+++ b/bin/tests/optional/Kchild.example.+005+33180.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 33180, for child.example.
+; Created: 20181025104746 (Thu Oct 25 12:47:46 2018)
+; Publish: 20181025104746 (Thu Oct 25 12:47:46 2018)
+; Activate: 20181025104746 (Thu Oct 25 12:47:46 2018)
+child.example. IN DNSKEY 256 3 5 AwEAAb9eatC8ASzDnRApcZuxyBrvJRANRQjCXQ1FWK+8vEyXV5NIE9Km hKIV2wbq2tLBPfjNQz4BTJ9RmDINf1RayDlt6L+IQV1JCaDaMjd1zU3n SQK18Y7fMu0ww4AMKOnoVRbkIxa3zlA0chImXcfPE0q2AvKBYLzPfkPO cfplAuRkLcGUxdADCipNzCOakpcd5gfm9Sa2HlaXcw3gyI1WcE8=
diff --git a/bin/tests/optional/Kchild.example.+005+33180.private b/bin/tests/optional/Kchild.example.+005+33180.private
new file mode 100644
index 0000000000..83a50dfe42
--- /dev/null
+++ b/bin/tests/optional/Kchild.example.+005+33180.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: v15q0LwBLMOdEClxm7HIGu8lEA1FCMJdDUVYr7y8TJdXk0gT0qaEohXbBura0sE9+M1DPgFMn1GYMg1/VFrIOW3ov4hBXUkJoNoyN3XNTedJArXxjt8y7TDDgAwo6ehVFuQjFrfOUDRyEiZdx88TSrYC8oFgvM9+Q85x+mUC5GQtwZTF0AMKKk3MI5qSlx3mB+b1JrYeVpdzDeDIjVZwTw==
+PublicExponent: AQAB
+PrivateExponent: WDsn9GU6BXGLENCK2MX3BLQN2oDDu24hiOTYJu5VwtpkPjuVKCIuNKzu9xmBGnqOIBBDWGsw8KOmEC247yOL/S53iRdBS8lI7yiqznc52RhlmrdPKXbNpVnPwil8wocw+oQYa7uvdPYxI2Yy3B/tRgUxlxSlc/LW/dr0BX2L7qr/aeOBeGSRUlCpc7tYU9a2RUaLpVxF6SlqicCpC91MAQ==
+Prime1: 466f+JL66Bl4qYnkj0s9+1N3pYmdcM9Ja1AN66X4VLslA9Cm1JEaC5V9HOptfcXUk0XYEVnKeKM2lIQnvcLG0yuQHIa+pGi7P8vgQfdaRUE=
+Prime2: 1yuUkTVRSbUWeUreEcHgeeBBJ61UshX7t07gnGgIr3artGdo2CVEb5//+2Mvj5bgjCQBvjBbmHNZrR0jKDRBTIGtqbBerOuhEN4AXdAEgY8=
+Exponent1: KzUXbJ/P973ltR7S/hKEV66WVRbRhvf/cdsGWULs5n+BXcD59/r1W19qF9OxJZ4mYjBt+ZT1pIEsuXB+7jcJbkelGJTFlwO9DTVOgJZFTkE=
+Exponent2: FTPsLertGbBIiKdB/sn2Dsx0Xy6LXAkihsu1AnSV9oRhIyPVhwcVGVLQ7Lq3YxThB648pbsqK3miapamcj3D+YAF1uTUT4Hgm0LlEll/OC0=
+Coefficient: Vulw9kmmjKc+wmOukLdzheoA2hNPDVtgiynfzHybyXdqvapCoK+ZVmNFzjO0M41ATcpvya3iX0bekMQqYnBhLURNZUIyqz2nGskOjV8I5Jg=
+Created: 20181025104746
+Publish: 20181025104746
+Activate: 20181025104746
diff --git a/bin/tests/optional/dst_test.c b/bin/tests/optional/dst_test.c
index 951bf3a4d5..ed6aa532cd 100644
--- a/bin/tests/optional/dst_test.c
+++ b/bin/tests/optional/dst_test.c
@@ -254,11 +254,9 @@ main(void) {
result = dns_name_fromtext(name, &b, NULL, 0, NULL);
if (result != ISC_R_SUCCESS)
return (1);
- io(name, 23616, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
io(name, 54622, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
mctx);
- io(name, 49667, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
io(name, 2, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
isc_buffer_constinit(&b, "dh.", 3);
@@ -270,7 +268,6 @@ main(void) {
generate(DST_ALG_RSAMD5, mctx);
generate(DST_ALG_DH, mctx);
- generate(DST_ALG_DSA, mctx);
generate(DST_ALG_HMACMD5, mctx);
dst_lib_destroy();
diff --git a/bin/tests/optional/sig0_test.c b/bin/tests/optional/sig0_test.c
index f400254f32..cf00896409 100644
--- a/bin/tests/optional/sig0_test.c
+++ b/bin/tests/optional/sig0_test.c
@@ -255,7 +255,7 @@ main(int argc, char *argv[]) {
CHECK("dns_name_fromtext", result);
key = NULL;
- result = dst_key_fromfile(name, 4017, DNS_KEYALG_DSA,
+ result = dst_key_fromfile(name, 33180, DNS_KEYALG_RSASHA1,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
NULL, mctx, &key);
CHECK("dst_key_fromfile", result);
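Review bot: The deleted DSA SIG(0) fixture is replaced with an RSASHA1 key (`DNS_KEYALG_RSASHA1`, tag 33180), whereas the lib/dns unit tests in this same patch moved to ECDSAP256SHA256 and RSASHA256 (L783-L791). RSASHA1 is itself on the deprecation path (RFC 8624 lists it as NOT RECOMMENDED for signing), so this fixture will have to be regenerated again when SHA-1 signing goes the way DSA does here. Generating the child.example key with `-a ECDSAP256SHA256` and loading it with `DST_ALG_ECDSA256` would avoid a second round of this churn.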
diff --git a/config.h.in b/config.h.in
index 0c4f456cad..08e2f9c483 100644
--- a/config.h.in
+++ b/config.h.in
@@ -99,9 +99,6 @@
/* Define to 1 to enable dnstap support */
#undef HAVE_DNSTAP
-/* Define to 1 if you have the `DSA_get0_pqg' function. */
-#undef HAVE_DSA_GET0_PQG
-
/* Define to 1 if you have the `ECDSA_sign' function. */
#undef HAVE_ECDSA_SIGN
diff --git a/config.h.win32 b/config.h.win32
index 00aa5267a3..ec25b14eba 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -111,15 +111,6 @@
/* Define if you have h_errno */
#define HAVE_H_ERRNO
-/* Define if you have RSA_generate_key(). */
-#define HAVE_RSA_GENERATE_KEY
-
-/* Define if you have DSA_generate_parameters(). */
-#define HAVE_DSA_GENERATE_PARAMETERS
-
-/* Define if you have DH_generate_parameters(). */
-#define HAVE_DH_GENERATE_PARAMETERS
-
/* Define if you have getpassphrase in the C library. */
#define HAVE_GETPASSPHRASE
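Review bot: This hunk removes `HAVE_RSA_GENERATE_KEY` and `HAVE_DH_GENERATE_PARAMETERS` from the Windows config alongside the DSA macro, which goes beyond the DSA removal the rest of the patch performs; DH is still advertised as supported by dnssec-keygen (L62). If any win32-built source still tests those two macros, DH parameter generation or RSA key generation on Windows changes behaviour without any mention in the commit. Either confirm in the commit message that no code references them any more, or limit this hunk to `HAVE_DSA_GENERATE_PARAMETERS`.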
@@ -289,9 +280,6 @@ typedef __int64 off_t;
/* Define if your OpenSSL version supports DH functions. */
@HAVE_DH_GET0_KEY@
-/* Define if your OpenSSL version supports DSA functions. */
-@HAVE_DSA_GET0_PQG@
-
/* Define if your OpenSSL version supports ECDSA functions. */
@HAVE_ECDSA_SIG_GET0@
diff --git a/configure b/configure
index 1448dd39b2..4608e44aa6 100755
--- a/configure
+++ b/configure
@@ -15787,7 +15787,7 @@ done
#
# Check for OpenSSL 1.1.x/LibreSSL functions
#
-for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg
+for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
diff --git a/configure.ac b/configure.ac
index 3d280e8321..71fca091a1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -857,7 +857,7 @@ AC_CHECK_FUNCS([EVP_aes_128_ecb EVP_aes_192_ecb EVP_aes_256_ecb], [:],
#
# Check for OpenSSL 1.1.x/LibreSSL functions
#
-AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
+AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key])
#
# Check whether FIPS mode is available and whether we should enable it
diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h
index 5ec58463a4..f8964b9da8 100644
--- a/lib/dns/dst_parse.h
+++ b/lib/dns/dst_parse.h
@@ -63,13 +63,6 @@
#define TAG_DH_PRIVATE ((DST_ALG_DH << TAG_SHIFT) + 2)
#define TAG_DH_PUBLIC ((DST_ALG_DH << TAG_SHIFT) + 3)
-#define DSA_NTAGS 5
-#define TAG_DSA_PRIME ((DST_ALG_DSA << TAG_SHIFT) + 0)
-#define TAG_DSA_SUBPRIME ((DST_ALG_DSA << TAG_SHIFT) + 1)
-#define TAG_DSA_BASE ((DST_ALG_DSA << TAG_SHIFT) + 2)
-#define TAG_DSA_PRIVATE ((DST_ALG_DSA << TAG_SHIFT) + 3)
-#define TAG_DSA_PUBLIC ((DST_ALG_DSA << TAG_SHIFT) + 4)
-
#define ECDSA_NTAGS 4
#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
#define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index 003d63f114..bf895696a4 100644
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -90,12 +90,6 @@
#define DNS_SIG_RSAMINSIZE ((DNS_SIG_RSAMINBITS+7)/8)
#define DNS_SIG_RSAMAXSIZE ((DNS_SIG_RSAMAXBITS+7)/8)
-#define DNS_SIG_DSASIGSIZE 41
-#define DNS_SIG_DSAMINBITS 512
-#define DNS_SIG_DSAMAXBITS 1024
-#define DNS_SIG_DSAMINBYTES 213
-#define DNS_SIG_DSAMAXBYTES 405
-
#define DNS_SIG_ECDSA256SIZE 64
#define DNS_SIG_ECDSA384SIZE 96
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index 5c6ff442ab..3fa975d830 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -274,9 +274,7 @@ dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (dnskey.algorithm == DST_ALG_RSAMD5 ||
- dnskey.algorithm == DST_ALG_RSASHA1 ||
- dnskey.algorithm == DST_ALG_DSA ||
- dnskey.algorithm == DST_ALG_ECC)
+ dnskey.algorithm == DST_ALG_RSASHA1)
break;
}
dns_rdataset_disassociate(&rdataset);
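Review bot: Dropping `DST_ALG_DSA` from the NSEC-only test in dns_nsec_nseconly is a behaviour change, not just dead-code removal: the NSEC-only property is a property of the algorithm number in the zone's DNSKEY RRset (RFC 5155 lists algorithm 3 alongside 1 and 5), not of whether BIND can still sign with it. A DNSKEY with algorithm 3 can still appear in a zone BIND loads or serves (lib/dns/rcode.c in this patch keeps the "DSA" and "NSEC3DSA" mnemonics precisely so such records parse), and after this change it would no longer stop an NSEC3 chain from being created for that zone. Keep the comparison using the key-algorithm constant that survives the patch, i.e. `dnskey.algorithm == DST_ALG_RSASHA1 ||` followed by `dnskey.algorithm == DNS_KEYALG_DSA)`; removing the never-defined ECC (4) entry is fine. The enclosing function starts and ends outside this hunk.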
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index 41fc88e893..546c82904c 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -108,8 +108,9 @@
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
{ DNS_KEYALG_RSAMD5, "RSA", 0 }, \
{ DNS_KEYALG_DH, "DH", 0 }, \
- { DNS_KEYALG_ECC, "ECC", 0 }, \
+ { DNS_KEYALG_DSA, "DSA", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
+ { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
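Review bot: This hunk re-adds the "DSA" and "NSEC3DSA" mnemonics to the algorithm table while every other part of the patch removes DSA, so a reader (or the next cleanup) will reasonably assume it is a mistake. The intent is presumably that DNSKEY, DS and RRSIG records carrying algorithm 3 or 6 must still parse and print even though signing and generation are gone, but nothing records that. A comment above the table such as `/* DSA (3) and NSEC3DSA (6) are kept so existing RRs still parse; signing and key generation no longer support them. */` would pin the intent, and the same note should cover the Python `_ALGNAMES` table that keeps them too.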
diff --git a/lib/dns/tests/dst_test.c b/lib/dns/tests/dst_test.c
index 54a91a4009..7ad69e72aa 100644
--- a/lib/dns/tests/dst_test.c
+++ b/lib/dns/tests/dst_test.c
@@ -19,6 +19,7 @@
#include
#include
+#include
#include
#include
#include
@@ -185,10 +186,39 @@ check_sig(const char *datapath, const char *sigpath, const char *keyname,
ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
result = dst_context_verify(ctx, &sigreg);
+ if (expect && result != ISC_R_SUCCESS) {
+ isc_result_t result2;
+ result2 = dst_context_create(key, mctx, DNS_LOGCATEGORY_GENERAL,
+ false, 0, &ctx);
+ ATF_REQUIRE_EQ(result2, ISC_R_SUCCESS);
+
+ result2 = dst_context_adddata(ctx, &datareg);
+ ATF_REQUIRE_EQ(result2, ISC_R_SUCCESS);
+
+ char sigbuf2[4096];
+ isc_buffer_t sigb;
+ isc_buffer_init(&sigb, sigbuf2, sizeof(sigbuf2));
+
+ result2 = dst_context_sign(ctx, &sigb);
+ ATF_REQUIRE_EQ(result2, ISC_R_SUCCESS);
+
+ isc_region_t r;
+ isc_buffer_usedregion(&sigb, &r);
+
+ char hexbuf[4096] = { 0 };
+ isc_buffer_t hb;
+ isc_buffer_init(&hb, hexbuf, sizeof(hexbuf));
+
+ isc_hex_totext(&r, 0, "", &hb);
+
+ fprintf(stderr, "%s\n", hexbuf);
+
+ dst_context_destroy(&ctx);
+ }
+
ATF_REQUIRE((expect && (result == ISC_R_SUCCESS)) ||
(!expect && (result != ISC_R_SUCCESS)));
-
isc_mem_put(mctx, data, size + 1);
dst_context_destroy(&ctx);
dst_key_free(&key);
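Review bot: In the new diagnostic branch `dst_context_create(..., &ctx)` is called while `ctx` still holds the context used for the verify above, so the original context is overwritten without being destroyed; if dst_context_create requires `*dstctxp == NULL`, as BIND's dst API generally does, this trips an assertion before the signature is ever printed, and otherwise it leaks the first context. Use a separate handle, `dst_context_t *ctx2 = NULL;`, for the re-sign, or call `dst_context_destroy(&ctx);` before creating the new one. The `isc_hex_totext(&r, 0, "", &hb)` return value is also unchecked; a 4096-byte signature needs more than the 4096-byte `hexbuf`, so on a short buffer the printed hex would be silently truncated. This looks like debugging scaffolding; if it is meant to stay, a comment explaining that it re-signs the data and dumps the fresh signature to help regenerate fixtures would justify its presence in a unit test. check_sig begins outside this hunk.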
@@ -211,27 +241,28 @@ ATF_TC_BODY(sig, tc) {
dns_secalg_t alg;
bool expect;
} testcases[] = {
+ /* XXXOND: Why the heck isn't this failing? */
{
"testdata/dst/test1.data",
- "testdata/dst/test1.dsasig",
- "test.", 23616, DST_ALG_DSA, true
+ "testdata/dst/test1.ecdsa256sig",
+ "test.", 49130, DST_ALG_ECDSA256, true
},
{
"testdata/dst/test1.data",
- "testdata/dst/test1.rsasig",
- "test.", 54622, DST_ALG_RSAMD5, true
+ "testdata/dst/test1.rsasha256sig",
+ "test.", 11349, DST_ALG_RSASHA256, true
},
{
/* wrong sig */
"testdata/dst/test1.data",
- "testdata/dst/test1.dsasig",
- "test.", 54622, DST_ALG_RSAMD5, false
+ "testdata/dst/test1.ecdsa256sig",
+ "test.", 11349, DST_ALG_RSASHA256, false
},
{
/* wrong data */
"testdata/dst/test2.data",
- "testdata/dst/test1.dsasig",
- "test.", 23616, DST_ALG_DSA, false
+ "testdata/dst/test1.ecdsa256sig",
+ "test.", 49130, DST_ALG_ECDSA256, false
},
};
unsigned int i;
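Review bot: The new `/* XXXOND: Why the heck isn't this failing? */` comment on the first test case indicates the author could not explain the expected result, which is not a state a committed test should be in. The case verifies a stored ECDSAP256SHA256 signature with key 49130 and is expected to succeed; ECDSA signing is randomized, so a freshly produced signature will never match the stored bytes, but verification does not compare bytes, which presumably is why it passes despite the diagnostic code in check_sig printing a different signature. Either replace the comment with `/* stored ECDSA signature; verification is deterministic even though signing is not */` or, if the doubt is genuine, resolve it before merging.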
diff --git a/lib/dns/tests/testdata/dst/Ktest.+001+00002.key b/lib/dns/tests/testdata/dst/Ktest.+001+00002.key
deleted file mode 100644
index a8b4b4d6a4..0000000000
--- a/lib/dns/tests/testdata/dst/Ktest.+001+00002.key
+++ /dev/null
@@ -1 +0,0 @@
-test. IN DNSKEY 49152 2 1
diff --git a/lib/dns/tests/testdata/dst/Ktest.+001+54622.key b/lib/dns/tests/testdata/dst/Ktest.+001+54622.key
deleted file mode 100644
index b0277e3381..0000000000
--- a/lib/dns/tests/testdata/dst/Ktest.+001+54622.key
+++ /dev/null
@@ -1 +0,0 @@
-test. IN DNSKEY 257 3 1 AQPQjwSpaVzxIgRCpiUoozUQKGh2oX8NIFKDOvtxK+tn536OZg2cROKTlgGEHXJK9YHfW/6nzQULTVpb63P+SQMmjCCidb8IYyhItixRztVeJQ==
diff --git a/lib/dns/tests/testdata/dst/Ktest.+001+54622.private b/lib/dns/tests/testdata/dst/Ktest.+001+54622.private
deleted file mode 100644
index c97ac30b2b..0000000000
--- a/lib/dns/tests/testdata/dst/Ktest.+001+54622.private
+++ /dev/null
@@ -1,10 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 1 (RSA)
-Modulus: 0I8EqWlc8SIEQqYlKKM1EChodqF/DSBSgzr7cSvrZ+d+jmYNnETik5YBhB1ySvWB31v+p80FC01aW+tz/kkDJowgonW/CGMoSLYsUc7VXiU=
-PublicExponent: Aw==
-PrivateExponent: iwoDG5uTS2wC1xluGxd4tXBFpGuqCMA3AidSS3Kc7++ptEQJEtiXC9kfCJMvZhGfQLaujft2OgrmkcuDVtPIbQWEENhyJhb4Lk82kFXbfus=
-Prime1: /rSKuzcZY7R5cY2YWD4CiBNyj9WJMq1wWmBnb9+5M08nTl5E9NW5qQ==
-Prime2: 0Z5shXQYd16E2Gs6e5WxtO0Oqlly2KkSqXohwTQWDWTb8Pw0WTZmHQ==
-Exponent1: qc2x0iS7l82mS7O65X6sWrehtTkGIcj1kZWaSpUmIjTE3umDTePRGw==
-Exponent2: i77zA6K6+j8DOvIm/Q52eJ4JxuZMkHC3G6bBK3gOs5iSoKgi5iREEw==
-Coefficient: 3+wYZB0SJad7z2EsjzgbSlg6CawoaOvrROGSbwSiW5DCsMFROudOTw==
diff --git a/lib/dns/tests/testdata/dst/Ktest.+003+23616.key b/lib/dns/tests/testdata/dst/Ktest.+003+23616.key
deleted file mode 100644
index 958d5857fe..0000000000
--- a/lib/dns/tests/testdata/dst/Ktest.+003+23616.key
+++ /dev/null
@@ -1 +0,0 @@
-test. IN DNSKEY 16641 3 3 ANp1//lqDlEfTavcFI+cyudNfgEz73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mbEGl6zwve9wq5z7IoTY5/J4l7XLCKftg/wGvrzXQhggIkRvEh3myhxd+ouILcpfvTIthWlTKiH59tSJpmgmiSMTE7nDYaf10iVRWN6DMSprgejiH05/fpmyZAt44tyAh4m1wXS5u4tam1PXDJYJozn7EfQ8e2weIv1yC+t6PHSx
diff --git a/lib/dns/tests/testdata/dst/Ktest.+003+23616.private b/lib/dns/tests/testdata/dst/Ktest.+003+23616.private
deleted file mode 100644
index 5781c9db19..0000000000
--- a/lib/dns/tests/testdata/dst/Ktest.+003+23616.private
+++ /dev/null
@@ -1,7 +0,0 @@
-Private-key-format: v1.2
-Algorithm: 3 (DSA)
-Prime(p): 73V/K7fSDvkA0eDYcGg/kSvEjAEO/oLWCERltkuC55ZcM/mSv17WF1d/wR6kww/pLI9eXwkjftAYqs5sNxk+mQ==
-Subprime(q): 2nX/+WoOUR9Nq9wUj5zK501+ATM=
-Base(g): sQaXrPC973CrnPsihNjn8niXtcsIp+2D/Aa+vNdCGCAiRG8SHebKHF36i4gtyl+9Mi2FaVMqIfn21ImmaCaJIw==
-Private_value(x): Nky4tvIwg6xlcyeHXr4k2DEZg0E=
-Public_value(y): ExO5w2Gn9dIlUVjegzEqa4Ho4h9Of36ZsmQLeOLcgIeJtcF0ubuLWptT1wyWCaM5+xH0PHtsHiL9cgvrejx0sQ==
diff --git a/lib/dns/tests/testdata/dst/Ktest.+003+49667.key b/lib/dns/tests/testdata/dst/Ktest.+003+49667.key
deleted file mode 100644
index fb73f570d5..0000000000
--- a/lib/dns/tests/testdata/dst/Ktest.+003+49667.key
+++ /dev/null
@@ -1 +0,0 @@
-test. IN DNSKEY 49152 2 3
diff --git a/lib/dns/tests/testdata/dst/Ktest.+008+11349.key b/lib/dns/tests/testdata/dst/Ktest.+008+11349.key
new file mode 100644
index 0000000000..a1bd768ba8
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+008+11349.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 11349, for test.
+; Created: 20181025090713 (Thu Oct 25 11:07:13 2018)
+; Publish: 20181025090713 (Thu Oct 25 11:07:13 2018)
+; Activate: 20181025090713 (Thu Oct 25 11:07:13 2018)
+test. IN DNSKEY 256 3 8 AwEAAdqPwPScyURzeCUzEadKNYgQW50LPDV/ir9nWIbiSn2yMkymxiby BQH+Hk1neE9qa9X4XaEnKf5YZx7o14rRikmOb2lomtOkI9ovh1K/SvLO Zd1E3e61F29g1eCq52mMY3xAdEcBNqEq+6mgEwGmwl83+mAh5anxXNHa 2rcfdG+L
diff --git a/lib/dns/tests/testdata/dst/Ktest.+008+11349.private b/lib/dns/tests/testdata/dst/Ktest.+008+11349.private
new file mode 100644
index 0000000000..5dfef79e09
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+008+11349.private
@@ -0,0 +1,13 @@
+Private-key-format: v1.3
+Algorithm: 8 (RSASHA256)
+Modulus: 2o/A9JzJRHN4JTMRp0o1iBBbnQs8NX+Kv2dYhuJKfbIyTKbGJvIFAf4eTWd4T2pr1fhdoScp/lhnHujXitGKSY5vaWia06Qj2i+HUr9K8s5l3UTd7rUXb2DV4KrnaYxjfEB0RwE2oSr7qaATAabCXzf6YCHlqfFc0dratx90b4s=
+PublicExponent: AQAB
+PrivateExponent: a4qmX/YxlmvWpz8spYr/MhcSbQCVPKGoLKv2RFBeZODknRDGmW0mh6d5U47hBPqRWvRdZak2oX7wJqZdQGIAT25bC09rLNMctfxXKtzwSaXFjXZGHGv+bDHcqIltvIYmRbb0pK/LinFaLZqfpVe0WOfKuT9BT03BlwSZV8GKgZE=
+Prime1: 8oZLQoVpIqsiQw7bX5pTm/O0gEUnEzNOVEoLGsfIl68Lz/1CBm9ypTp8QOB0B9IpnH8vOS+NJM1az1d0RhqKow==
+Prime2: 5rSbE6duWIb90uICkAUJn4OztHX0fkd9GKNYdsHVReFBH2poXGojVGkW6i/IaYl4NEXXr5Z89dWtR+RNH2Z9+Q==
+Exponent1: 2IcuCmYyR9Gi9Vv+YIzYuRQMw7j5+hqEhJzW7UIRxdtzIG9s03INWZet9/5tmc35eM/Uyam6ynDN8vCRz0VDIQ==
+Exponent2: vKcdVKIKWrvwXXzRaaGk79rLnZsDFiwxQG96TIpOczkyfpUNx9xHDaRtx4zRTnPKZrxiFkRx5LkZXHt1EWNHSQ==
+Coefficient: pb9dFRZA2IRXDCGCM1ikp+QCs72wNn3hgURZLRLmtcBbQcYhP/dcp80SpInviwJPNRcKrfxninqygEARzfHtqQ==
+Created: 20181025090713
+Publish: 20181025090713
+Activate: 20181025090713
diff --git a/lib/dns/tests/testdata/dst/Ktest.+013+49130.key b/lib/dns/tests/testdata/dst/Ktest.+013+49130.key
new file mode 100644
index 0000000000..e3ff931a16
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+013+49130.key
@@ -0,0 +1,5 @@
+; This is a zone-signing key, keyid 49130, for test.
+; Created: 20181025090718 (Thu Oct 25 11:07:18 2018)
+; Publish: 20181025090718 (Thu Oct 25 11:07:18 2018)
+; Activate: 20181025090718 (Thu Oct 25 11:07:18 2018)
+test. IN DNSKEY 256 3 13 uP04fwB/DuBBqdjPLseIoFT7vgtP8Lr/be1NhRBvibwQ+Hr+3GQhIKIK XbamgOUxXJ9JDjWFAT2KXw0V3sAN9w==
diff --git a/lib/dns/tests/testdata/dst/Ktest.+013+49130.private b/lib/dns/tests/testdata/dst/Ktest.+013+49130.private
new file mode 100644
index 0000000000..754d9f9282
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/Ktest.+013+49130.private
@@ -0,0 +1,6 @@
+Private-key-format: v1.3
+Algorithm: 13 (ECDSAP256SHA256)
+PrivateKey: feGDRABRCbcsCqssKK5B5518y95smrv/cJnz2pa/UVA=
+Created: 20181025090718
+Publish: 20181025090718
+Activate: 20181025090718
diff --git a/lib/dns/tests/testdata/dst/test1.dsasig b/lib/dns/tests/testdata/dst/test1.dsasig
deleted file mode 100644
index 5dd12e13d5..0000000000
--- a/lib/dns/tests/testdata/dst/test1.dsasig
+++ /dev/null
@@ -1,3 +0,0 @@
-0009B55FDB62034326278C9371F32D92
-3D0E1161A32D491BEC38546FC452D903
-A91D806345B2F7F22E
diff --git a/lib/dns/tests/testdata/dst/test1.ecdsa256sig b/lib/dns/tests/testdata/dst/test1.ecdsa256sig
new file mode 100644
index 0000000000..42f10de171
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/test1.ecdsa256sig
@@ -0,0 +1 @@
+8A7D4670BCC3DC8299E62AAE0A2DCB84E5B972BC8CB97422DD61E58B74440645626CC11D421570745B2D84EE38DA64BBF27DEF66F951B88A3647BFE3730EADE5
diff --git a/lib/dns/tests/testdata/dst/test1.rsasha256sig b/lib/dns/tests/testdata/dst/test1.rsasha256sig
new file mode 100644
index 0000000000..a344586061
--- /dev/null
+++ b/lib/dns/tests/testdata/dst/test1.rsasha256sig
@@ -0,0 +1 @@
+65DE879EDCD21C9B22BDF383424C3F513C15A4F217FF2BEE555D1AE31E24C9FF5BBA1CB32A331C2236FC4FAFBD80F597E7CF6B19DB867FB75DC4AD41F8FA66D13D8B44F6B2A44624A88EAE168A8E3DB5E32946868BFD2BB3D562E85C492A89B1A93279B8B73D4785C09DFCE54485914B2BCDA5C537A842AAA2D3B2E5228E8A11
diff --git a/lib/dns/tests/testdata/dst/test1.rsasig b/lib/dns/tests/testdata/dst/test1.rsasig
deleted file mode 100644
index 5ba62b4a14..0000000000
--- a/lib/dns/tests/testdata/dst/test1.rsasig
+++ /dev/null
@@ -1,5 +0,0 @@
-A8A20D2F26F792B3CE76DD0E12A85DFE
-FF66AB866EF0BDB0F515001E234E699B
-F5CD6FB41FB15D4213705ABE9B563896
-2196228648E0F8AA7F2F4EED3C19165C
-1B4C70C9D69B93A1F2BE5B2F948CE023
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index e4f1d3f4e3..edb64235ce 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -17861,8 +17861,7 @@ dnskey_sane(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
continue;
alg = tuple->rdata.data[3];
- if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
- alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
+ if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
nseconly = true;
break;
}
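Review bot: The new condition `alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1` encodes a policy decision with no comment, and since the hunk silently drops two entries, a later reader cannot tell whether DSA and ECC were removed because they are not NSEC-only or because they are no longer implemented. A one-line comment above the `if` would settle it: `/* NSEC-only algorithms (RFC 5155): RSAMD5 (1) and RSASHA1 (5). DSA (3) and ECC (4) are no longer supported, so keys using them are presumably rejected at load time rather than here. */`. Keeping RSAMD5 in the list is right only as long as its backend stays compiled in; if it is retired later this check should shrink with it. dnskey_sane's loop begins and the function continues outside this hunk.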
diff --git a/lib/isc/include/pk11/pk11.h b/lib/isc/include/pk11/pk11.h
index 4e41a2c64f..5354d1c34d 100644
--- a/lib/isc/include/pk11/pk11.h
+++ b/lib/isc/include/pk11/pk11.h
@@ -58,7 +58,6 @@ typedef struct pk11_object pk11_object_t;
typedef enum {
OP_ANY = 0,
OP_RSA = 1,
- OP_DSA = 2,
OP_DH = 3,
OP_ECDSA = 4,
OP_EDDSA = 5,
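Review bot: Deleting `OP_DSA = 2` leaves an unexplained hole in an explicitly numbered enum whose values double as bit positions in `token->operations` (`1 << OP_DH`, `1 << OP_ECDSA` in pk11.c in this same diff), and nothing records that 2 is retired, so a future op type may be given 2 or the block may be renumbered. A short comment at the gap, `/* 2 was OP_DSA; retired, do not reuse */`, documents the layout and keeps it stable.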
diff --git a/lib/isc/pk11.c b/lib/isc/pk11.c
index 4b7efce0fb..6b77ed9fea 100644
--- a/lib/isc/pk11.c
+++ b/lib/isc/pk11.c
@@ -559,35 +559,6 @@ scan_slots(void) {
}
}
- /* Check for DH support */
- bad = false;
- rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
- &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
- PK11_TRACEM(CKM_DH_PKCS_PARAMETER_GEN);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_KEY_PAIR_GEN,
- &mechInfo);
- if ((rv != CKR_OK) ||
- ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
-#ifndef PK11_DH_PKCS_PARAMETER_GEN_SKIP
- bad = true;
-#endif
- PK11_TRACEM(CKM_DH_PKCS_KEY_PAIR_GEN);
- }
- rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_DERIVE,
- &mechInfo);
- if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0)) {
- bad = true;
- PK11_TRACEM(CKM_DH_PKCS_DERIVE);
- }
- if (!bad) {
- token->operations |= 1 << OP_DH;
- if (best_dh_token == NULL) {
- best_dh_token = token;
- }
- }
-
/* Check for ECDSA support */
bad = false;
rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
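Review bot: `OP_DH = 3` still exists in pk11.h in this same diff and HAVE_DH_GET0_KEY still survives in win32utils/Configure, yet after this hunk no token will ever set the OP_DH bit, so any remaining caller asking for an OP_DH token through pk11_get_best_token() or pk11_parse_uri() now falls through to whatever default those functions have outside the visible hunks — possibly a NULL token, possibly the RSA one — instead of a clear unsupported-operation result. If the PKCS#11 DH backend is being removed in this commit, OP_DH should be deleted from the enum as well so the compiler flags stragglers; if DH over PKCS#11 is meant to stay, this probe should stay with it. Either way `best_dh_token`, declared outside this hunk, is no longer assigned and may trigger an unused-variable warning if it is not removed too. scan_slots continues past the end of the hunk.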
@@ -651,9 +622,6 @@ pk11_get_best_token(pk11_optype_t optype) {
case OP_RSA:
token = best_rsa_token;
break;
- case OP_DH:
- token = best_dh_token;
- break;
case OP_ECDSA:
token = best_ecdsa_token;
break;
@@ -999,8 +967,6 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
if (token == NULL) {
if (optype == OP_RSA) {
token = best_rsa_token;
- } else if (optype == OP_DH) {
- token = best_dh_token;
} else if (optype == OP_ECDSA) {
token = best_ecdsa_token;
} else if (optype == OP_EDDSA) {
@@ -1058,12 +1024,6 @@ pk11_dump_tokens(void) {
first = false;
printf("RSA");
}
- if (token->operations & (1 << OP_DH)) {
- if (!first)
- printf(",");
- first = false;
- printf("DH");
- }
if (token->operations & (1 << OP_ECDSA)) {
if (!first)
printf(",");
diff --git a/lib/ns/update.c b/lib/ns/update.c
index c1d3e70b7b..bfe2290246 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -1960,8 +1960,7 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
if (tuple->rdata.type == dns_rdatatype_dnskey) {
uint8_t alg;
alg = tuple->rdata.data[3];
- if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
- alg == DST_ALG_DSA || alg == DST_ALG_ECC) {
+ if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
nseconly = true;
break;
}
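Review bot: The rewritten condition on the new line is byte-identical to the one in dnskey_sane() in lib/dns/zone.c in this same diff, and both had to be edited in lockstep to drop DSA and ECC — which is exactly how two copies drift apart the next time an algorithm is retired. Moving the test into one shared predicate in the dst layer, e.g. a new `dst_algorithm_nsec_only(alg)` so this becomes `if (dst_algorithm_nsec_only(alg)) { nseconly = true; break; }`, would keep the RSAMD5/RSASHA1 list in a single place and turn this hunk and the zone.c one into one change. check_dnssec's loop starts and continues outside the hunk, so the rest of the DNSKEY handling is not visible here.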
diff --git a/util/copyrights b/util/copyrights
index 40708bb8ff..6f4b833408 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -302,8 +302,8 @@
./bin/tests/headerdep_test.sh.in SH 2000,2001,2004,2007,2012,2016,2018
./bin/tests/makejournal.c C 2013,2015,2016,2017,2018
./bin/tests/named.conf CONF-C 1999,2000,2001,2004,2007,2011,2015,2016,2018
-./bin/tests/optional/Kchild.example.+003+04017.key X 2000,2001,2018
-./bin/tests/optional/Kchild.example.+003+04017.private X 2000,2001,2018
+./bin/tests/optional/Kchild.example.+005+33180.key X 2018
+./bin/tests/optional/Kchild.example.+005+33180.private X 2018
./bin/tests/optional/adb_test.c C 1999,2000,2001,2004,2005,2007,2009,2011,2012,2013,2015,2016,2018
./bin/tests/optional/backtrace_test.c C 2009,2013,2015,2016,2018
./bin/tests/optional/byaddr_test.c C 2000,2001,2002,2004,2005,2007,2012,2015,2016,2018
@@ -3221,15 +3221,13 @@
./lib/dns/tests/testdata/dnstap/query.recursive X 2015,2018
./lib/dns/tests/testdata/dnstap/response.auth X 2015,2018
./lib/dns/tests/testdata/dnstap/response.recursive X 2015,2018
-./lib/dns/tests/testdata/dst/Ktest.+001+00002.key X 2018
-./lib/dns/tests/testdata/dst/Ktest.+001+54622.key X 2018
-./lib/dns/tests/testdata/dst/Ktest.+001+54622.private X 2018
-./lib/dns/tests/testdata/dst/Ktest.+003+23616.key X 2018
-./lib/dns/tests/testdata/dst/Ktest.+003+23616.private X 2018
-./lib/dns/tests/testdata/dst/Ktest.+003+49667.key X 2018
+./lib/dns/tests/testdata/dst/Ktest.+008+11349.key X 2018
+./lib/dns/tests/testdata/dst/Ktest.+008+11349.private X 2018
+./lib/dns/tests/testdata/dst/Ktest.+013+49130.key X 2018
+./lib/dns/tests/testdata/dst/Ktest.+013+49130.private X 2018
./lib/dns/tests/testdata/dst/test1.data X 2018
-./lib/dns/tests/testdata/dst/test1.dsasig X 2018
-./lib/dns/tests/testdata/dst/test1.rsasig X 2018
+./lib/dns/tests/testdata/dst/test1.ecdsa256sig X 2018
+./lib/dns/tests/testdata/dst/test1.rsasha256sig X 2018
./lib/dns/tests/testdata/dst/test2.data X 2018
./lib/dns/tests/testdata/dstrandom/random.data X 2017,2018
./lib/dns/tests/testdata/master/master1.data X 2011,2018
diff --git a/win32utils/Configure b/win32utils/Configure
index 0e52a17baa..dfa5edaee3 100644
--- a/win32utils/Configure
+++ b/win32utils/Configure
@@ -203,7 +203,6 @@ my @substdefh = ("AES_CC",
"HAVE_OPENSSL_ED25519",
"HAVE_OPENSSL_ED448",
"HAVE_DH_GET0_KEY",
- "HAVE_DSA_GET0_PQG",
"HAVE_ECDSA_SIG_GET0",
"HAVE_RSA_SET0_KEY",
"USE_BACKTRACE",
@@ -1483,7 +1482,7 @@ int main() {
}
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
- printf("This version has no built-in support for DH/DSA/ECDSA/RSA functions.\n\n");
+ printf("This version has no built-in support for DH/ECDSA/RSA functions.\n\n");
return (1);
}
EOF
@@ -1495,7 +1494,6 @@ EOF
`.\\testosslfunc.exe`;
if ($? == 0) {
$configdefh{"HAVE_DH_GET0_KEY"} = 1;
- $configdefh{"HAVE_DSA_GET0_PQG"} = 1;
$configdefh{"HAVE_ECDSA_SIG_GET0"} = 1;
$configdefh{"HAVE_RSA_SET0_KEY"} = 1;
}