Merge branch '3014-broken-ecdsa-signatures-may-be-generated-with-certain-private-keys' into 'main'
Resolve "Broken ECDSA signatures may be generated with certain private keys" Closes #3014 See merge request isc-projects/bind9!5580
This commit is contained in:
Mark Andrews
4
CHANGES
4
CHANGES
@@ -1,3 +1,7 @@
|
||||
5761. [bug] OpenSSL 3.0.0 support could fail to correctly read
|
||||
ECDSA private keys leading to incorrect signatures
|
||||
being generated. [GL #3014]
|
||||
|
||||
5760. [bug] Prevent a possible use-after-free error in resolver.
|
||||
[GL #3018]
|
||||
|
||||
|
||||
@@ -94,6 +94,7 @@ rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed
|
||||
rm -f ./ns3/ttlpatch.example.db.patched
|
||||
rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db
|
||||
rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
|
||||
rm -f ./ns3/NSEC ./ns3/NSEC3
|
||||
rm -f ./ns4/managed-keys.bind*
|
||||
rm -f ./ns4/named_dump.db*
|
||||
rm -f ./ns6/optout-tld.db
|
||||
|
||||
@@ -36,7 +36,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
# Configure the resolving server with a staitc key.
|
||||
keyfile_to_static_ds "$ksk" > trusted.conf
|
||||
|
||||
@@ -36,7 +36,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo
|
||||
|
||||
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
|
||||
zone=trusted.
|
||||
infile=key.db.in
|
||||
@@ -47,7 +47,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo
|
||||
|
||||
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
|
||||
# The "example." zone.
|
||||
zone=example.
|
||||
@@ -72,7 +72,7 @@ keyname2=$("$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -n zo
|
||||
|
||||
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
|
||||
#
|
||||
# lower/uppercase the signature bits with the exception of the last characters
|
||||
@@ -134,7 +134,7 @@ keyname1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS
|
||||
keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
|
||||
"$SIGNER" -P -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
"$SIGNER" -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
|
||||
# Sign the badparam secure file
|
||||
|
||||
@@ -147,7 +147,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon
|
||||
|
||||
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
"$SIGNER" -3 - -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
|
||||
sed -e 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' "$zonefile.signed" > "$zonefile.bad"
|
||||
|
||||
@@ -162,7 +162,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zon
|
||||
|
||||
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$keyname1" "$zonefile" "$keyname2" > /dev/null 2>&1
|
||||
|
||||
#
|
||||
# algroll has just has the old DNSKEY records removed and is waiting
|
||||
@@ -180,7 +180,7 @@ keynew2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keynew1.key" "$keynew2.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
|
||||
"$SIGNER" -o "$zone" -k "$keyold1" -k "$keynew1" "$zonefile" "$keyold1" "$keyold2" "$keynew1" "$keynew2" > /dev/null 2>&1
|
||||
|
||||
#
|
||||
# Make a zone big enough that it takes several seconds to generate a new
|
||||
@@ -204,7 +204,7 @@ done >> "$zonefile"
|
||||
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$key1.key" "$key2.key" >> "$zonefile"
|
||||
"$SIGNER" -P -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
|
||||
"$SIGNER" -3 - -A -H 1 -g -o "$zone" -k "$key1" "$zonefile" "$key2" > /dev/null 2>&1
|
||||
|
||||
zone=cds.secure
|
||||
infile=cds.secure.db.in
|
||||
@@ -213,7 +213,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
|
||||
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" >$zonefile
|
||||
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
zone=cds-x.secure
|
||||
infile=cds.secure.db.in
|
||||
@@ -223,7 +223,7 @@ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
|
||||
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
"$DSFROMKEY" -C "$key2.key" > "$key2.cds"
|
||||
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key2.cds" > "$zonefile"
|
||||
"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
zone=cds-update.secure
|
||||
infile=cds-update.secure.db.in
|
||||
@@ -231,7 +231,7 @@ zonefile=cds-update.secure.db
|
||||
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
zone=cds-kskonly.secure
|
||||
infile=cds-kskonly.secure.db.in
|
||||
@@ -239,7 +239,7 @@ zonefile=cds-kskonly.secure.db
|
||||
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
keyfile_to_key_id "$key1" > cds-kskonly.secure.id
|
||||
|
||||
zone=cds-auto.secure
|
||||
@@ -257,7 +257,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
|
||||
cat "$infile" "$key1.key" "$key2.key" "$key1.cds" > "$zonefile"
|
||||
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
zone=cdnskey-x.secure
|
||||
infile=cdnskey.secure.db.in
|
||||
@@ -267,7 +267,7 @@ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
|
||||
key3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cds"
|
||||
cat "$infile" "$key1.key" "$key2.key" "$key3.key" "$key1.cds" > "$zonefile"
|
||||
"$SIGNER" -P -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
"$SIGNER" -g -x -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
zone=cdnskey-update.secure
|
||||
infile=cdnskey-update.secure.db.in
|
||||
@@ -275,7 +275,7 @@ zonefile=cdnskey-update.secure.db
|
||||
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
zone=cdnskey-kskonly.secure
|
||||
infile=cdnskey-kskonly.secure.db.in
|
||||
@@ -283,7 +283,7 @@ zonefile=cdnskey-kskonly.secure.db
|
||||
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
|
||||
|
||||
zone=cdnskey-auto.secure
|
||||
|
||||
@@ -49,7 +49,7 @@ do
|
||||
|
||||
keyname4=$("$KEYGEN" -f KSK -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$keyname4.key" > "$zonefile"
|
||||
"$SIGNER" -z -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
|
||||
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
|
||||
|
||||
# Make trusted-keys and managed keys conf sections for ns8.
|
||||
@@ -86,7 +86,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$cnameandkey.key" "$dnameandkey.key" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
zone=bogus.example.
|
||||
infile=bogus.example.db.in
|
||||
@@ -96,7 +96,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
zone=dynamic.example.
|
||||
infile=dynamic.example.db.in
|
||||
@@ -107,7 +107,7 @@ keyname2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KS
|
||||
|
||||
cat "$infile" "$keyname1.key" "$keyname2.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
zone=keyless.example.
|
||||
infile=generic.example.db.in
|
||||
@@ -117,7 +117,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
# Change the signer field of the a.b.keyless.example SIG A
|
||||
# to point to a provably nonexistent KEY record.
|
||||
@@ -138,7 +138,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# NSEC3/NSEC3 test zone
|
||||
@@ -151,7 +151,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# OPTOUT/NSEC3 test zone
|
||||
@@ -164,7 +164,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A nsec3 zone (non-optout).
|
||||
@@ -177,7 +177,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -g -3 - -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -g -3 - -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# OPTOUT/NSEC test zone
|
||||
@@ -190,7 +190,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# OPTOUT/NSEC3 test zone
|
||||
@@ -203,7 +203,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -3 - -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# OPTOUT/OPTOUT test zone
|
||||
@@ -216,7 +216,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A optout nsec3 zone.
|
||||
@@ -229,7 +229,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -g -3 - -A -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -g -3 - -A -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A nsec3 zone (non-optout) with unknown nsec3 hash algorithm (-U).
|
||||
@@ -242,7 +242,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -U -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -3 - -PU -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A optout nsec3 zone with a unknown nsec3 hash algorithm (-U).
|
||||
@@ -255,7 +255,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -U -A -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -3 - -PU -A -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A zone that is signed with an unknown DNSKEY algorithm.
|
||||
@@ -269,7 +269,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
|
||||
|
||||
awk '$4 == "DNSKEY" { $7 = 100 } $4 == "RRSIG" { $6 = 100 } { print }' ${zonefile}.tmp > ${zonefile}.signed
|
||||
|
||||
@@ -288,7 +288,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -3 - -o "$zone" -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
|
||||
|
||||
awk '$4 == "DNSKEY" { $7 = 255 } $4 == "RRSIG" { $6 = 255 } { print }' ${zonefile}.tmp > ${zonefile}.signed
|
||||
|
||||
@@ -308,7 +308,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
|
||||
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null
|
||||
"$SIGNER" -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
|
||||
@@ -322,7 +322,7 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -o "$zone" -U -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -3 - -o "$zone" -PU -O full -f ${zonefile}.tmp "$zonefile" > /dev/null
|
||||
|
||||
awk '$4 == "DNSKEY" { $7 = 100; print } $4 == "RRSIG" { $6 = 100; print } { print }' ${zonefile}.tmp > ${zonefile}.signed
|
||||
|
||||
@@ -340,17 +340,18 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
|
||||
mv "$zonefile".signed "$zonefile"
|
||||
"$SIGNER" -P -u3 - -o "$zone" "$zonefile" > /dev/null
|
||||
mv "$zonefile".signed "$zonefile"
|
||||
"$SIGNER" -P -u3 AAAA -o "$zone" "$zonefile" > /dev/null
|
||||
mv "$zonefile".signed "$zonefile"
|
||||
"$SIGNER" -P -u3 BBBB -o "$zone" "$zonefile" > /dev/null
|
||||
mv "$zonefile".signed "$zonefile"
|
||||
"$SIGNER" -P -u3 CCCC -o "$zone" "$zonefile" > /dev/null
|
||||
mv "$zonefile".signed "$zonefile"
|
||||
"$SIGNER" -P -u3 DDDD -o "$zone" "$zonefile" > /dev/null
|
||||
"$SIGNER" -z -O full -o "$zone" "$zonefile" > /dev/null
|
||||
awk '$4 == "NSEC" || ( $4 == "RRSIG" && $5 == "NSEC" ) { print }' "$zonefile".signed > NSEC
|
||||
"$SIGNER" -z -O full -u3 - -o "$zone" "$zonefile" > /dev/null
|
||||
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed > NSEC3
|
||||
"$SIGNER" -z -O full -u3 AAAA -o "$zone" "$zonefile" > /dev/null
|
||||
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
|
||||
"$SIGNER" -z -O full -u3 BBBB -o "$zone" "$zonefile" > /dev/null
|
||||
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
|
||||
"$SIGNER" -z -O full -u3 CCCC -o "$zone" "$zonefile" > /dev/null
|
||||
awk '$4 == "NSEC3" || ( $4 == "RRSIG" && $5 == "NSEC3" ) { print }' "$zonefile".signed >> NSEC3
|
||||
"$SIGNER" -z -O full -u3 DDDD -o "$zone" "$zonefile" > /dev/null
|
||||
cat NSEC NSEC3 >> "$zonefile".signed
|
||||
|
||||
#
|
||||
# A RSASHA256 zone.
|
||||
|
||||
@@ -24,4 +24,4 @@ keyname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone
|
||||
|
||||
cat "$infile" "$keyname.key" > "$zonefile"
|
||||
|
||||
"$SIGNER" -P -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
"$SIGNER" -z -3 - -A -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
@@ -58,7 +58,7 @@
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
static isc_result_t
|
||||
raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
|
||||
size_t *key_len, EVP_PKEY **pkey) {
|
||||
size_t key_len, EVP_PKEY **pkey) {
|
||||
isc_result_t ret;
|
||||
int status;
|
||||
const char *groupname;
|
||||
@@ -66,24 +66,16 @@ raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
|
||||
OSSL_PARAM *params = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
BIGNUM *priv = NULL;
|
||||
size_t len = 0;
|
||||
unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
|
||||
|
||||
if (key_alg == DST_ALG_ECDSA256) {
|
||||
groupname = "P-256";
|
||||
len = private ? DNS_KEY_ECDSA256SIZE / 2 : DNS_KEY_ECDSA256SIZE;
|
||||
} else if (key_alg == DST_ALG_ECDSA384) {
|
||||
groupname = "P-384";
|
||||
len = private ? DNS_KEY_ECDSA384SIZE / 2 : DNS_KEY_ECDSA384SIZE;
|
||||
} else {
|
||||
DST_RET(ISC_R_NOTIMPLEMENTED);
|
||||
}
|
||||
|
||||
ret = (private ? DST_R_INVALIDPRIVATEKEY : DST_R_INVALIDPUBLICKEY);
|
||||
if (*key_len < len) {
|
||||
DST_RET(ret);
|
||||
}
|
||||
|
||||
bld = OSSL_PARAM_BLD_new();
|
||||
if (bld == NULL) {
|
||||
DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_new",
|
||||
@@ -98,7 +90,7 @@ raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
|
||||
}
|
||||
|
||||
if (private) {
|
||||
priv = BN_bin2bn(key, len, NULL);
|
||||
priv = BN_bin2bn(key, key_len, NULL);
|
||||
if (priv == NULL) {
|
||||
DST_RET(dst__openssl_toresult2("BN_bin2bn",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
@@ -111,11 +103,12 @@ raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
} else {
|
||||
INSIST(key_len < sizeof(buf));
|
||||
buf[0] = POINT_CONVERSION_UNCOMPRESSED;
|
||||
memmove(buf + 1, key, len);
|
||||
memmove(buf + 1, key, key_len);
|
||||
|
||||
status = OSSL_PARAM_BLD_push_octet_string(
|
||||
bld, OSSL_PKEY_PARAM_PUB_KEY, buf, 1 + len);
|
||||
bld, OSSL_PKEY_PARAM_PUB_KEY, buf, 1 + key_len);
|
||||
if (status != 1) {
|
||||
DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_"
|
||||
"octet_string",
|
||||
@@ -146,7 +139,6 @@ raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
|
||||
*key_len = len;
|
||||
ret = ISC_R_SUCCESS;
|
||||
|
||||
err:
|
||||
@@ -760,7 +752,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
if (r.length == 0) {
|
||||
DST_RET(ISC_R_SUCCESS);
|
||||
}
|
||||
if (r.length < len) {
|
||||
if (r.length != len) {
|
||||
DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
|
||||
@@ -796,8 +788,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
|
||||
}
|
||||
#else
|
||||
len = r.length;
|
||||
ret = raw_key_to_ossl(key->key_alg, 0, r.base, &len, &pkey);
|
||||
ret = raw_key_to_ossl(key->key_alg, 0, r.base, len, &pkey);
|
||||
if (ret != ISC_R_SUCCESS) {
|
||||
DST_RET(ret);
|
||||
}
|
||||
@@ -1184,8 +1175,6 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
EC_KEY *eckey = NULL;
|
||||
EC_KEY *pubeckey = NULL;
|
||||
#else
|
||||
size_t len;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
const char *engine = NULL;
|
||||
const char *label = NULL;
|
||||
@@ -1257,14 +1246,9 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
key->keydata.pkey = NULL;
|
||||
}
|
||||
|
||||
if (key->key_alg == DST_ALG_ECDSA256) {
|
||||
len = DNS_KEY_ECDSA256SIZE / 2;
|
||||
} else {
|
||||
len = DNS_KEY_ECDSA384SIZE / 2;
|
||||
}
|
||||
|
||||
ret = raw_key_to_ossl(key->key_alg, 1,
|
||||
priv.elements[privkey_index].data, &len,
|
||||
priv.elements[privkey_index].data,
|
||||
priv.elements[privkey_index].length,
|
||||
&key->keydata.pkey);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
|
||||
Reference in New Issue
Block a user