From 33a741f8973938e4b09f094f7a281d2740e60ae9 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 31 Jan 2023 13:30:12 -0800
Subject: [PATCH] add dns_view_addtrustedkey()
the new dns_view_addtrustedkey() function allows a view's trust anchors to be updated directly. this code was formerly in dns_client_addtrustedkey(), which is now a wrapper around dns_view_addtrustedkey().
---
 lib/dns/client.c | 39 +--------------------------------
 lib/dns/include/dns/client.h | 9 ++++----
 lib/dns/include/dns/view.h | 25 +++++++++++++++++++++
 lib/dns/view.c | 42 ++++++++++++++++++++++++++++++++++++
 4 files changed, 73 insertions(+), 42 deletions(-)
diff --git a/lib/dns/client.c b/lib/dns/client.c
index a32f33645b..579b9c3aab 100644
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@@ -1074,45 +1074,8 @@ isc_result_t dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass, dns_rdatatype_t rdtype, const dns_name_t *keyname, isc_buffer_t *databuf) {
- isc_result_t result;
- dns_keytable_t *secroots = NULL;
- dns_name_t *name = NULL;
- char rdatabuf[DST_KEY_MAXSIZE];
- unsigned char digest[ISC_MAX_MD_SIZE];
- dns_rdata_ds_t ds;
- dns_rdata_t rdata;
- isc_buffer_t b;
-
 REQUIRE(DNS_CLIENT_VALID(client));
 REQUIRE(rdclass == dns_rdataclass_in);
- CHECK(dns_view_getsecroots(client->view, &secroots));
-
- DE_CONST(keyname, name);
-
- if (rdtype != dns_rdatatype_dnskey && rdtype != dns_rdatatype_ds) {
- result = ISC_R_NOTIMPLEMENTED;
- goto cleanup;
- }
-
- isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
- dns_rdata_init(&rdata);
- isc_buffer_setactive(databuf, isc_buffer_usedlength(databuf));
- CHECK(dns_rdata_fromwire(&rdata, rdclass, rdtype, databuf,
- DNS_DECOMPRESS_NEVER, &b));
-
- if (rdtype == dns_rdatatype_ds) {
- CHECK(dns_rdata_tostruct(&rdata, &ds, NULL));
- } else {
- CHECK(dns_ds_fromkeyrdata(name, &rdata, DNS_DSDIGEST_SHA256,
- digest, &ds));
- }
-
- CHECK(dns_keytable_add(secroots, false, false, name, &ds, NULL, NULL));
-
-cleanup:
- if (secroots != NULL) {
- dns_keytable_detach(&secroots);
- }
- return (result);
+ return (dns_view_addtrustedkey(client->view, rdtype, keyname, databuf));
 }
diff --git a/lib/dns/include/dns/client.h b/lib/dns/include/dns/client.h
index 166822433b..543a5ffb5d 100644
--- a/lib/dns/include/dns/client.h
+++ b/lib/dns/include/dns/client.h
@@ -279,10 +279,11 @@ dns_client_addtrustedkey(dns_client_t *client, dns_rdataclass_t rdclass, dns_rdatatype_t rdtype, const dns_name_t *keyname, isc_buffer_t *keydatabuf);
 /*%<
- * Add a DNSSEC trusted key for the 'rdclass' class. A view for the 'rdclass'
- * class must be created beforehand. 'rdtype' is the type of the RR data
- * for the key, either DNSKEY or DS. 'keyname' is the DNS name of the key,
- * and 'keydatabuf' stores the RR data.
+ * Add a DNSSEC trusted key for the 'rdclass' class (only class 'IN' is
+ * currently supported). A view for the 'rdclass' class must be created
+ * beforehand. 'rdtype' is the type of the RR data for the key, either
+ * DNSKEY or DS. 'keyname' is the DNS name of the key, and 'keydatabuf'
+ * stores the RR data.
 *
 * Requires:
 *
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index 0a697fc8c0..71f7541019 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -1262,4 +1262,29 @@ dns_view_getdispatchmgr(dns_view_t *view);
 * by the resolver and request managers to send and receive DNS
 * messages.
 */
+
+isc_result_t
+dns_view_addtrustedkey(dns_view_t *view, dns_rdatatype_t rdtype,
+ const dns_name_t *keyname, isc_buffer_t *databuf);
+/*%<
+ * Add a DNSSEC trusted key to a view of class 'IN'. 'rdtype' is the type
+ * of the RR data for the key, either DNSKEY or DS. 'keyname' is the DNS
+ * name of the key, and 'databuf' stores the RR data.
+
+ * Requires:
+ *
+ *\li 'view' is a valid view.
+
+ *\li 'view' is class 'IN'.
+ *
+ *\li 'keyname' is a valid name.
+ *
+ *\li 'keydatabuf' is a valid buffer.
+ *
+ * Returns:
+ *
+ *\li #ISC_R_SUCCESS On success.
+ *
+ *\li Anything else Failure.
+ */
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 551b1ebd4c..686075b309 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
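Review bot: The new wording "(only class 'IN' is currently supported)" reads as though another class would be rejected with an error, but the wrapper in client.c enforces it with `REQUIRE(rdclass == dns_rdataclass_in);`, which is an assertion rather than a return value, so a caller passing a different class presumably aborts instead of receiving a failure code. The Requires list that follows ` * Requires:` lies outside this hunk; it should state the precondition where API users look for it, e.g. ` *\li 'rdclass' is dns_rdataclass_in.` If graceful rejection is what the comment intends, the REQUIRE in the wrapper would instead have to become `return (ISC_R_NOTIMPLEMENTED);`, matching how an unsupported 'rdtype' is already reported.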
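Review bot: The Requires list for the new dns_view_addtrustedkey() names `'keydatabuf'`, but the parameter declared a few lines above is `databuf`; the line should read ` *\li 'databuf' is a valid buffer.` Two continuation lines inside the same block comment (after "stores the RR data." and after "'view' is a valid view.") are bare `+` lines with no ` *`, which breaks the comment's layout and should be ` *` like their neighbours. The Returns section could also list `#ISC_R_NOTIMPLEMENTED` for an 'rdtype' other than DNSKEY or DS, which the view.c implementation in this patch returns explicitly, and note that 'databuf' is consumed rather than left untouched, since the implementation resets its active region with isc_buffer_setactive() and parses wire-format RR data out of it.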
@@ -2323,3 +2324,44 @@ dns_view_getdispatchmgr(dns_view_t *view) {
 REQUIRE(DNS_VIEW_VALID(view));
 return (view->dispatchmgr);
 }
+
+isc_result_t
+dns_view_addtrustedkey(dns_view_t *view, dns_rdatatype_t rdtype,
+ const dns_name_t *keyname, isc_buffer_t *databuf) {
+ isc_result_t result;
+ dns_name_t *name = NULL;
+ char rdatabuf[DST_KEY_MAXSIZE];
+ unsigned char digest[ISC_MAX_MD_SIZE];
+ dns_rdata_ds_t ds;
+ dns_rdata_t rdata;
+ isc_buffer_t b;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(view->rdclass == dns_rdataclass_in);
+
+ DE_CONST(keyname, name);
+
+ if (rdtype != dns_rdatatype_dnskey && rdtype != dns_rdatatype_ds) {
+ result = ISC_R_NOTIMPLEMENTED;
+ goto cleanup;
+ }
+
+ isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
+ dns_rdata_init(&rdata);
+ isc_buffer_setactive(databuf, isc_buffer_usedlength(databuf));
+ CHECK(dns_rdata_fromwire(&rdata, view->rdclass, rdtype, databuf,
+ DNS_DECOMPRESS_NEVER, &b));
+
+ if (rdtype == dns_rdatatype_ds) {
+ CHECK(dns_rdata_tostruct(&rdata, &ds, NULL));
+ } else {
+ CHECK(dns_ds_fromkeyrdata(name, &rdata, DNS_DSDIGEST_SHA256,
+ digest, &ds));
+ }
+
+ CHECK(dns_keytable_add(view->secroots_priv, false, false, name, &ds,
+ NULL, NULL));
+
+cleanup:
+ return (result);
+}
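Review bot: `CHECK(dns_keytable_add(view->secroots_priv, ...))` hands the view's trust-anchor table over through the raw pointer, whereas the code this replaces went through `dns_view_getsecroots()`, whose result was CHECKed, and held a reference on the table until the removed `dns_keytable_detach(&secroots)` in its cleanup path. If `view->secroots_priv` is still NULL because the view's trust anchors have not been initialised, what previously came back as an error result presumably now becomes an assertion failure inside dns_keytable_add(), and the add also runs with no reference of its own, so a table swapped out concurrently would receive a trust anchor the view never consults, which for a validator is a silent loss of enforcement rather than a reported failure. A guard before any parsing, `if (view->secroots_priv == NULL) { return (ISC_R_NOTFOUND); }`, restores the graceful error; keeping the attach/detach pattern around the dns_keytable_add() call would also restore the pinning. Whichever is chosen, the header's Returns section should mention the resulting error code alongside ISC_R_NOTIMPLEMENTED.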