[master] rationalize external key handling

3723.	[cleanup]	Imported keys are now handled the same way
			regardless of DNSSEC algorithm. [RT #35215]
Evan Hunt
2014-01-30 17:48:10 -08:00
parent e83a742219
commit 3249da26fc
14 changed files with 237 additions and 139 deletions


@@ -519,9 +519,8 @@ static isc_result_t
opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
EVP_PKEY *pkey, *pubpkey;
EC_KEY *eckey = NULL, *pubeckey = NULL;
const EC_POINT *pubkey;
EVP_PKEY *pkey;
EC_KEY *eckey = NULL;
BIGNUM *privkey = NULL;
int group_nid;
isc_mem_t *mctx = key->mctx;
@@ -529,6 +528,23 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
key->key_alg == DST_ALG_ECDSA384);
/* read private key file */
ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
if (ret != ISC_R_SUCCESS)
goto err;
if (key->external) {
if (priv.nelements != 0)
DST_RET(DST_R_INVALIDPRIVATEKEY);
if (pub == NULL)
DST_RET(DST_R_INVALIDPRIVATEKEY);
key->keydata.pkey = pub->keydata.pkey;
pub->keydata.pkey = NULL;
dst__privstruct_free(&priv, mctx);
memset(&priv, 0, sizeof(priv));
return (ISC_R_SUCCESS);
}
if (key->key_alg == DST_ALG_ECDSA256)
group_nid = NID_X9_62_prime256v1;
else
@@ -538,40 +554,14 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
if (eckey == NULL)
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
/* read private key file */
ret = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, mctx, &priv);
if (ret != ISC_R_SUCCESS)
goto err;
if (key->external) {
/*
* Copy the public key to this new key.
*/
if (pub == NULL)
DST_RET(DST_R_INVALIDPRIVATEKEY);
pubpkey = pub->keydata.pkey;
pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
if (pubeckey == NULL)
DST_RET(DST_R_INVALIDPRIVATEKEY);
pubkey = EC_KEY_get0_public_key(pubeckey);
if (pubkey == NULL)
DST_RET(DST_R_INVALIDPRIVATEKEY);
if (EC_KEY_set_public_key(eckey, pubkey) != 1)
DST_RET(DST_R_INVALIDPRIVATEKEY);
if (EC_KEY_check_key(eckey) != 1)
DST_RET(DST_R_INVALIDPRIVATEKEY);
} else {
privkey = BN_bin2bn(priv.elements[0].data,
priv.elements[0].length, NULL);
if (privkey == NULL)
DST_RET(ISC_R_NOMEMORY);
if (!EC_KEY_set_private_key(eckey, privkey))
DST_RET(ISC_R_NOMEMORY);
if (ecdsa_check(eckey, pub) != ISC_R_SUCCESS)
DST_RET(DST_R_INVALIDPRIVATEKEY);
dst__privstruct_free(&priv, mctx);
memset(&priv, 0, sizeof(priv));
}
privkey = BN_bin2bn(priv.elements[0].data,
priv.elements[0].length, NULL);
if (privkey == NULL)
DST_RET(ISC_R_NOMEMORY);
if (!EC_KEY_set_private_key(eckey, privkey))
DST_RET(ISC_R_NOMEMORY);
if (ecdsa_check(eckey, pub) != ISC_R_SUCCESS)
DST_RET(DST_R_INVALIDPRIVATEKEY);
pkey = EVP_PKEY_new();
if (pkey == NULL)
@@ -588,8 +578,6 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
BN_clear_free(privkey);
if (eckey != NULL)
EC_KEY_free(eckey);
if (pubeckey != NULL)
EC_KEY_free(pubeckey);
dst__privstruct_free(&priv, mctx);
memset(&priv, 0, sizeof(priv));
return (ret);
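Review bot: In the new `if (key->external)` branch of the second hunk, the imported public key is adopted by a bare pointer move, `key->keydata.pkey = pub->keydata.pkey;`, without the check the removed code performed by loading the point into an EC_KEY of the expected `group_nid` and calling `EC_KEY_check_key`, so a `pub` built for a different curve than `key->key_alg` would now be accepted silently. Unless `pub` is guaranteed to have been validated against `key->key_alg` before this point (nothing in this hunk shows that), a cheap guard is `if (pub == NULL || pub->key_alg != key->key_alg) DST_RET(DST_R_INVALIDPRIVATEKEY);` in place of the bare NULL check. The move also leaves `pub` with `keydata.pkey == NULL`, which deserves a comment such as `/* take ownership of pub's EVP_PKEY; pub holds no key data after this and is only fit for freeing */`. If `DST_RET` is the usual `ret = x; goto err` macro, the early `return (ISC_R_SUCCESS);` duplicates the `dst__privstruct_free`/`memset` pair that `err:` already runs and could be `DST_RET(ISC_R_SUCCESS)`, since `privkey` and `eckey` are still NULL at that point. opensslecdsa_parse starts before this hunk and continues after it.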