2709. [func] Added some data fields, currently unused, to the

private key file format, to allow implementation of explicit key rollover in a future release without impairing backward or forward compatibility. [RT #20310]
2025-09-01 06:55:30 +00:00 · 2009-10-09 06:09:21 +00:00
parent b05106c7e6
commit 315a1514a5
9 changed files with 156 additions and 38 deletions
--- a/6
+++ b/6
@@ -1,3 +1,9 @@
+2709.	[func]		Added some data fields, currently unused, to the
+			private key file format, to allow implementation
+			of explicit key rollover in a future release
+			without impairing backward or forward compatibility.
+			[RT #20310]
+
 2708.	[func]		Insecure to secure and NSEC3 parameter changes via
 			update are now fully supported and no longer require
 			defines to enable.  We now no longer overload the
--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-revoke.c,v 1.14 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dnssec-revoke.c,v 1.15 2009/10/09 06:09:21 each Exp $ */

 /*! \file */

@@ -105,7 +105,7 @@ main(int argc, char **argv) {

 	isc_commandline_errprint = ISC_FALSE;

-	while ((ch = isc_commandline_parse(argc, argv, "EfK:rhv:")) != -1) {
+	while ((ch = isc_commandline_parse(argc, argv, "E:fK:rhv:")) != -1) {
 		switch (ch) {
 		    case 'E':
 			engine = isc_commandline_argument;
--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-settime.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dnssec-settime.c,v 1.16 2009/10/09 06:09:21 each Exp $ */

 /*! \file */

@@ -161,7 +161,7 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);

 	while ((ch = isc_commandline_parse(argc, argv,
-					   "EfK:uhp:v:P:A:R:I:D:")) != -1) {
+					   "E:fK:uhp:v:P:A:R:I:D:")) != -1) {
 		switch (ch) {
 		case 'E':
 			engine = isc_commandline_argument;
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -29,7 +29,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-signzone.c,v 1.241 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dnssec-signzone.c,v 1.242 2009/10/09 06:09:21 each Exp $ */

 /*! \file */

@@ -3424,7 +3424,7 @@ main(int argc, char *argv[]) {
 	isc_boolean_t set_iter = ISC_FALSE;

 #define CMDLINE_FLAGS \
-	"3:AaCc:Dd:Ee:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
+	"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"

 	/*
 	 * Process memory debugging argument first.
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -31,7 +31,7 @@

 /*
 * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.34 2009/10/05 17:30:49 fdupont Exp $
+ * $Id: dst_api.c,v 1.35 2009/10/09 06:09:21 each Exp $
 */

 /*! \file */
@@ -109,7 +109,7 @@ static isc_result_t	frombuffer(dns_name_t *name,

 static isc_result_t	algorithm_status(unsigned int alg);

-static isc_result_t	addsuffix(char *filename, unsigned int len,
+static isc_result_t	addsuffix(char *filename, int len,
 				  const char *dirname, const char *ofilename,
 				  const char *suffix);

@@ -792,6 +792,35 @@ dst_key_generate(dns_name_t *name, unsigned int alg,
 	return (ISC_R_SUCCESS);
 }

+isc_result_t
+dst_key_getnum(const dst_key_t *key, int type, isc_uint32_t *valuep)
+{
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(valuep != NULL);
+	REQUIRE(type <= DST_MAX_NUMERIC);
+	if (!key->numset[type])
+		return (ISC_R_NOTFOUND);
+	*valuep = key->nums[type];
+	return (ISC_R_SUCCESS);
+}
+
+void
+dst_key_setnum(dst_key_t *key, int type, isc_uint32_t value)
+{
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_NUMERIC);
+	key->nums[type] = value;
+	key->numset[type] = ISC_TRUE;
+}
+
+void
+dst_key_unsetnum(dst_key_t *key, int type)
+{
+	REQUIRE(VALID_KEY(key));
+	REQUIRE(type <= DST_MAX_NUMERIC);
+	key->numset[type] = ISC_FALSE;
+}
+
 isc_result_t
 dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep) {
 	REQUIRE(VALID_KEY(key));
@@ -1499,7 +1528,7 @@ algorithm_status(unsigned int alg) {
 }

 static isc_result_t
-addsuffix(char *filename, unsigned int len, const char *odirname,
+addsuffix(char *filename, int len, const char *odirname,
 	  const char *ofilename, const char *suffix)
 {
 	int olen = strlen(ofilename);
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -29,7 +29,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dst_internal.h,v 1.19 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dst_internal.h,v 1.20 2009/10/09 06:09:21 each Exp $ */

 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -116,8 +116,10 @@ struct dst_key {

 	} keydata;			/*%< pointer to key in crypto pkg fmt */

-	isc_stdtime_t	times[DST_MAX_TIMES + 1];    /*%< key timing metadata */
-	isc_boolean_t	timeset[DST_MAX_TIMES + 1];  /*%< metadata set? */
+	isc_stdtime_t	times[DST_MAX_TIMES + 1];    /*%< timing metadata */
+	isc_boolean_t	timeset[DST_MAX_TIMES + 1];  /*%< data set? */
+	isc_stdtime_t	nums[DST_MAX_NUMERIC + 1];   /*%< numeric metadata */
+	isc_boolean_t	numset[DST_MAX_NUMERIC + 1]; /*%< data set? */

 	int		fmt_major;     /*%< private key format, major version */
 	int		fmt_minor;     /*%< private key format, minor version */
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -31,7 +31,7 @@

 /*%
 * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.20 2009/09/02 06:29:01 each Exp $
+ * $Id: dst_parse.c,v 1.21 2009/10/09 06:09:21 each Exp $
 */

 #include <config.h>
@@ -56,14 +56,23 @@
 #define PRIVATE_KEY_STR "Private-key-format:"
 #define ALGORITHM_STR "Algorithm:"

-#define METADATA_NTAGS 6
-static const char *metatags[METADATA_NTAGS] = {
+#define TIMING_NTAGS (DST_MAX_TIMES + 1)
+static const char *timetags[TIMING_NTAGS] = {
 	"Created:",
 	"Publish:",
 	"Activate:",
 	"Revoke:",
 	"Unpublish:",
-	"Delete:"
+	"Delete:",
+	"DSPublish:"
+};
+
+#define NUMERIC_NTAGS (DST_MAX_NUMERIC + 1)
+static const char *numerictags[NUMERIC_NTAGS] = {
+	"Predecessor:",
+	"Successor:",
+	"MaxTTL:",
+	"RollPeriod:"
 };

 struct parse_map {
@@ -128,18 +137,6 @@ find_value(const char *s, const unsigned int alg) {
 	return (-1);
 }

-static int
-find_metadata(const char *s) {
-	int i;
-
-	for (i = 0; i < METADATA_NTAGS; i++) {
-		if (strcasecmp(s, metatags[i]) == 0)
-			return (i);
-	}
-
-	return (-1);
-}
-
 static const char *
 find_tag(const int value) {
 	int i;
@@ -152,6 +149,28 @@ find_tag(const int value) {
 	}
 }

+static int
+find_metadata(const char *s, const char *tags[], int ntags) {
+	int i;
+
+	for (i = 0; i < ntags; i++) {
+		if (strcasecmp(s, tags[i]) == 0)
+			return (i);
+	}
+
+	return (-1);
+}
+
+static int
+find_timedata(const char *s) {
+	return (find_metadata(s, timetags, TIMING_NTAGS));
+}
+
+static int
+find_numericdata(const char *s) {
+	return (find_metadata(s, numerictags, NUMERIC_NTAGS));
+}
+
 static int
 check_rsa(const dst_private_t *priv) {
 	int i, j;
@@ -420,10 +439,25 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
 			goto fail;
 		}

-		/* Key timing metadata */
-		tag = find_metadata(DST_AS_STR(token));
+		/* Numeric metadata */
+		tag = find_numericdata(DST_AS_STR(token));
 		if (tag >= 0) {
-			INSIST(tag < METADATA_NTAGS);
+			INSIST(tag < NUMERIC_NTAGS);
+
+			NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
+			if (token.type != isc_tokentype_number) {
+				ret = DST_R_INVALIDPRIVATEKEY;
+				goto fail;
+			}
+
+			dst_key_setnum(key, tag, token.value.as_ulong);
+			goto next;
+		}
+
+		/* Timing metadata */
+		tag = find_timedata(DST_AS_STR(token));
+		if (tag >= 0) {
+			INSIST(tag < TIMING_NTAGS);

 			NEXTTOKEN(lex, opt, &token);
 			if (token.type != isc_tokentype_string) {
@@ -490,6 +524,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 	char buffer[MAXFIELDSIZE * 2];
 	isc_fsaccess_t access;
 	isc_stdtime_t when;
+	isc_uint32_t value;
 	isc_buffer_t b;
 	isc_region_t r;
 	int major, minor;
@@ -587,9 +622,15 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 		fprintf(fp, "\n");
 	}

-	/* Add the timing metadata tags */
+	/* Add the metadata tags */
 	if (major > 1 || (major == 1 && minor >= 3)) {
-		for (i = 0; i < METADATA_NTAGS; i++) {
+		for (i = 0; i < NUMERIC_NTAGS; i++) {
+			result = dst_key_getnum(key, i, &value);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			fprintf(fp, "%s %u\n", numerictags[i], value);
+		}
+		for (i = 0; i < TIMING_NTAGS; i++) {
 			result = dst_key_gettime(key, i, &when);
 			if (result != ISC_R_SUCCESS)
 				continue;
@@ -601,7 +642,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,

 			isc_buffer_usedregion(&b, &r);

-			fprintf(fp, "%s ", metatags[i]);
+			fprintf(fp, "%s ", timetags[i]);
 			fwrite(r.base, 1, r.length, fp);
 			fprintf(fp, "\n");
 		}
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -31,7 +31,7 @@

 /*
 * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.13 2009/09/03 23:48:12 tbox Exp $
+ * $Id: hmac_link.c,v 1.14 2009/10/09 06:09:21 each Exp $
 */

 #include <config.h>
@@ -277,7 +277,8 @@ hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {

 	UNUSED(pub);
 	/* read private key file */
-	result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
+	result = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx,
+				       &priv);
 	if (result != ISC_R_SUCCESS)
 		return (result);

--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dst.h,v 1.20 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: dst.h,v 1.21 2009/10/09 06:09:21 each Exp $ */

 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -86,7 +86,15 @@ typedef struct dst_context 	dst_context_t;
 #define DST_TIME_REVOKE 	3
 #define DST_TIME_INACTIVE	4
 #define DST_TIME_DELETE 	5
-#define DST_MAX_TIMES		5
+#define DST_TIME_DSPUBLISH 	6
+#define DST_MAX_TIMES		6
+
+/* Numeric metadata definitions */
+#define DST_NUM_PREDECESSOR	0
+#define DST_NUM_SUCCESSOR	1
+#define DST_NUM_MAXTTL		2
+#define DST_NUM_ROLLPERIOD	3
+#define DST_MAX_NUMERIC		3

 /***
 *** Functions
@@ -690,6 +698,37 @@ dst_key_setflags(dst_key_t *key, isc_uint32_t flags);
 *	"key" is a valid key.
 */

+isc_result_t
+dst_key_getnum(const dst_key_t *key, int type, isc_uint32_t *valuep);
+/*%<
+ * Get a member of the numeric metadata array and place it in '*valuep'.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ *	"timep" is not null.
+ */
+
+void
+dst_key_setnum(dst_key_t *key, int type, isc_uint32_t value);
+/*%<
+ * Set a member of the numeric metadata array.
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ */
+
+void
+dst_key_unsetnum(dst_key_t *key, int type);
+/*%<
+ * Flag a member of the numeric metadata array as "not set".
+ *
+ * Requires:
+ *	"key" is a valid key.
+ *	"type" is no larger than DST_MAX_NUMERIC
+ */
+
 isc_result_t
 dst_key_gettime(const dst_key_t *key, int type, isc_stdtime_t *timep);
 /*%<