/*  Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

#include <assert.h>
#include <stdbool.h>
#include <string.h>
#include <time.h>

#include "dnssec/kasp.h"
#include "knot/dnssec/kasp/keystate.h"

/*!
 * \brief Derive the lifecycle state of a key at a given point in time.
 *
 * The state is computed from the key's timing metadata alone; the key is
 * not modified. A zero timing value means "unset", and unset is read
 * differently for introduction and withdrawal: an unset publish/active
 * time counts as already reached, an unset retire/remove time counts as
 * never reached. Consequently a key with no timing metadata at all is
 * reported as active for any positive moment. Combinations that do not
 * map onto a plain lifecycle stage (for example a key whose remove time
 * has passed but whose retire time has not, as happens when signatures
 * are pre-published during an algorithm rollover) are reported as invalid.
 *
 * NOTE(review): the different meaning of "unset" per timestamp is a source
 * of complexity; persistent key states or a policy-dependent reading of
 * unset values would be a simpler model.
 *
 * \param key     Key whose timing metadata is examined; may be NULL.
 * \param moment  Point in time to evaluate against; must be positive.
 *
 * \return Key state, or DNSSEC_KEY_STATE_INVALID for a NULL key, a
 *         non-positive moment, or an unrecognised timing combination.
 */
key_state_t get_key_state(const dnssec_kasp_key_t *key, time_t moment)
{
	if (key == NULL || moment <= 0) {
		return DNSSEC_KEY_STATE_INVALID;
	}

	const dnssec_kasp_key_timing_t *timing = &key->timing;

	/* Withdrawal timestamps: unset means the event has not happened. */
	const bool past_remove = timing->remove != 0 && timing->remove <= moment;
	const bool past_retire = timing->retire != 0 && timing->retire <= moment;

	/*
	 * Withdrawal wins over introduction: once the retire time has passed,
	 * the publish/active timestamps no longer influence the result.
	 */
	if (past_retire) {
		return past_remove ? DNSSEC_KEY_STATE_REMOVED
		                   : DNSSEC_KEY_STATE_RETIRED;
	}

	/* Introduction timestamps: unset means the event has happened. */
	const bool past_publish = timing->publish == 0 || timing->publish <= moment;
	const bool past_active = timing->active == 0 || timing->active <= moment;

	/*
	 * A key that is already removed without ever being retired, or that is
	 * not yet published, has no plain lifecycle stage.
	 */
	if (past_remove || !past_publish) {
		return DNSSEC_KEY_STATE_INVALID;
	}

	return past_active ? DNSSEC_KEY_STATE_ACTIVE : DNSSEC_KEY_STATE_PUBLISHED;
}