Commit b0908725 authored by Daniel Salzman

Merge branch 'master' into new_config

parents 03b64bb3 d735f7c3
......@@ -9,6 +9,7 @@
*.orig
*.lo
*.rej
*.pyc
.libs/
.deps/
.dirstamp
......@@ -83,6 +84,9 @@
/src/knsec3hash
/src/rosedb_tool
# Plugin binaries
/src/rosedb_tool
# Code coverage
*.gcda
*.gcno
......
#!/usr/bin/python -Es
# vim: et:ts=4:sw=4:colorcolumn=100
#
# Configuration for You Complete Me (YCM) code-completion engine for Vim.
#
# This file is released into the public domain.
#
import sys
import os
DIR = os.path.dirname(__file__)
FLAGS = [
'-std=gnu99',
'-Wall', '-Wno-unused', '-Werror=implicit',
'-DCONFIG_DIR=', '-DRUN_DIR=', '-DSTORAGE_DIR=',
]
CONFIG_H = 'src/config.h'
INCLUDES = [
('src/dnssec/shared', ['src/dnssec/lib', 'src/dnssec/lib/dnssec']),
('src/dnssec/lib', ['src/dnssec/shared', 'src/dnssec/lib/dnssec']),
('src/dnssec/utils', ['src/dnssec/shared', 'src/dnssec/lib', 'src']),
('src/dnssec/tests', ['src/dnssec/shared', 'src/dnssec/lib', 'src/dnssec/lib/dnssec', 'libtap']),
('src', ['src/dnssec/lib']),
('tests', ['src', 'src/dnssec/lib', 'libtap']),
]
def relative_path(filename):
return os.path.relpath(filename, DIR)
def absolute_path(filename):
return os.path.normpath(os.path.join(DIR, filename))
def includes_for(filename):
relative = relative_path(filename)
for prefix, includes in INCLUDES:
if relative.startswith(prefix + '/'):
return [prefix] + includes
return []
def include_flag(path):
return "-I%s" % absolute_path(path)
def FlagsForFile(filename):
# input filename is an absolute path
config = ["-include", absolute_path(CONFIG_H)]
includes = [include_flag(f) for f in includes_for(filename)]
return {'flags': FLAGS + config + includes, 'do_cache': True}
if __name__ == '__main__':
print >>sys.stderr, "Not runnable."
sys.exit(1)
libtap
src
src/dnssec/lib
\ No newline at end of file
src/dnssec/lib
src/dnssec/lib/dnssec
src/dnssec/shared
src/dnssec/utils
src/zscanner
ACLOCAL_AMFLAGS = -I m4
SUBDIRS = libtap src tests samples doc man patches
SUBDIRS = libtap src tests tests-fuzz samples doc man
AM_DISTCHECK_CONFIGURE_FLAGS = \
--disable-code-coverage
......
......@@ -397,10 +397,10 @@ AC_CONFIG_FILES([Makefile
doc/Makefile
man/Makefile
samples/Makefile
patches/Makefile
libtap/Makefile
src/Makefile
tests/Makefile
tests-fuzz/Makefile
src/dnstap/Makefile
src/zscanner/Makefile
src/dnssec/Makefile
......
......@@ -178,6 +178,9 @@ Use EDNS version (default is 0).
Disable IDN transformation to ASCII and vice versa.
IDNA2003 support depends on libidn availability during project building!
.TP
.BR +generic
Use the generic representation format when printing resource record types and data.
.TP
.BI +client= SUBN
Set EDNS client subnet SUBN=IP/prefix.
.TP
......
EXTRA_DIST = strptime_susv3.patch
diff --git a/src/libknot/dnssec/key.c b/src/libknot/dnssec/key.c
index 7dc0540..3e351bb 100644
--- a/src/libknot/dnssec/key.c
+++ b/src/libknot/dnssec/key.c
@@ -260,7 +260,15 @@ static int key_param_time(const void *save_to, char *value)
struct tm parsed = { 0 };
- if (!strptime(value, "%Y%m%d%H%M%S", &parsed)) {
+ if (strlen(value) != 14) {
+ return KNOT_EINVAL;
+ }
+
+ char *v = value;
+ char buf[32] = "";
+ int ret = sprintf(buf, "%.4s %.2s %.2s %.2s %.2s %.2s",
+ v, v + 4, v + 6, v + 8, v + 10, v + 12);
+ if (ret != 19 || !strptime(buf, "%Y %m %d %H %M %S", &parsed)) {
return KNOT_EINVAL;
}
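Review bot: The new check on the strptime() result only tests for NULL, so trailing garbage in the seconds field still passes: for a constructed 14-byte value such as `2015010100000x` the rebuilt buffer is `2015 01 01 00 00 0x`, `%S` consumes the single `0`, and strptime() returns a non-NULL pointer to the `x`. Keep the returned pointer and require it to land on the terminator: `char *end = strptime(buf, "%Y %m %d %H %M %S", &parsed);` followed by `if (ret != 19 || end == NULL || *end != '\0') {`. The `sprintf()` into the fixed 32-byte `buf` cannot overflow for a 14-byte input, but `snprintf(buf, sizeof(buf), ...)` would keep that invariant explicit rather than implied by the `strlen(value) != 14` guard. key_param_time() starts in the hunk header and its remaining lines are outside the hunk; `value` is passed to strlen() without a NULL check, so whether the caller guarantees a non-NULL string is worth confirming.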
......@@ -165,7 +165,7 @@ libknot_la_LDFLAGS = $(AM_LDFLAGS) $(RELEASE_INFO) $(VERSION_INFO)
libknot_la_LIBADD = libknot-int.la dnssec/libdnssec.la zscanner/libzscanner.la
# pkg-config
pkgconfig_DATA = libknot.pc libknot-int.pc
pkgconfig_DATA = libknot.pc libknot-int.pc libknot-yparser.pc
if !HAVE_LMDB
libknot_int_la_SOURCES += \
......
......@@ -188,10 +188,6 @@ int dnssec_binary_from_base64(const dnssec_binary_t *base64,
return DNSSEC_EINVAL;
}
if (real_size < raw_size) {
raw = realloc(raw, real_size);
}
binary->data = raw;
binary->size = real_size;
......
......@@ -105,11 +105,13 @@
#include <dnssec/binary.h>
#include <dnssec/crypto.h>
#include <dnssec/error.h>
#include <dnssec/event.h>
#include <dnssec/kasp.h>
#include <dnssec/key.h>
#include <dnssec/keyid.h>
#include <dnssec/keystore.h>
#include <dnssec/keytag.h>
#include <dnssec/list.h>
#include <dnssec/nsec.h>
#include <dnssec/random.h>
#include <dnssec/sign.h>
......
......@@ -24,8 +24,9 @@
enum dnssec_event_type {
DNSSEC_EVENT_NONE = 0,
DNSSEC_EVENT_GENERATE_INITIAL_KEY,
DNSSEC_EVENT_ZSK_ROTATION_INIT,
DNSSEC_EVENT_ZSK_ROTATION_FINISH,
DNSSEC_EVENT_ZSK_ROLL_PUBLISH_NEW_KEY,
DNSSEC_EVENT_ZSK_ROLL_REPLACE_SIGNATURES,
DNSSEC_EVENT_ZSK_ROLL_REMOVE_OLD_KEY,
};
typedef enum dnssec_event_type dnssec_event_type_t;
......@@ -53,6 +54,12 @@ struct dnssec_event_ctx {
typedef struct dnssec_event_ctx dnssec_event_ctx_t;
/*!
* Get next DNSSEC event to be executed.
*/
int dnssec_event_get_next(dnssec_event_ctx_t *ctx, dnssec_event_t *event);
/*!
* Execute given DNSSEC event.
*/
int dnssec_event_execute(dnssec_event_ctx_t *ctx, dnssec_event_t *event);
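Review bot: The new public declarations `dnssec_event_get_next()` and `dnssec_event_execute()` carry a one-line comment only, whereas the library's other public headers (e.g. `dnssec_random_binary()` in random.h on this page) document `\param` and `\return`, and a caller of a public API needs to know the error codes it can expect. For `dnssec_event_execute()` something like `\param ctx Event context (KASP, zone, policy and current time). \param event Event to execute, as obtained from dnssec_event_get_next(). \return Error code, DNSSEC_EOK if successful.` would match the existing style; the same shape applies to `dnssec_event_get_next()`, noting that it writes the planned event into `event`. The private `exec()` in zsk_rollover.c takes `const dnssec_event_t *event`; if the public function does not modify the event either, declaring the parameter `const dnssec_event_t *event` would make that contract visible to callers.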
......@@ -116,8 +116,6 @@ typedef enum dnssec_nsec_algorithm {
/*!
* DNSSEC NSEC3 parameters.
*
* \todo Disclose this and add setters?
*/
typedef struct dnssec_nsec3_params {
dnssec_nsec3_algorithm_t algorithm; /*!< NSEC3 algorithm. */
......
......@@ -53,7 +53,7 @@ int dnssec_random_buffer(uint8_t *data, size_t size);
/*!
* Fill a binary structure with random data.
*
* \param data Preallocated binary structure to be filled..
* \param data Preallocated binary structure to be filled.
*
* \return Error code, DNSEC_EOK if successful.
*/
......
......@@ -24,6 +24,16 @@
#include "key/internal.h"
#include "shared.h"
/*
* Three stage ZSK key pre-publish rollover:
*
* 1. The new key is introduced in the key set.
* 2. All signatures are replaced with new ones.
* 3. The old key is removed from the key set.
*
* RFC 6781 (Section 4.1.1.1)
*/
typedef bool (*key_match_cb)(const dnssec_kasp_key_t *key, void *data);
static bool newer_key(const dnssec_kasp_key_t *prev, const dnssec_kasp_key_t *cur)
......@@ -32,17 +42,25 @@ static bool newer_key(const dnssec_kasp_key_t *prev, const dnssec_kasp_key_t *cu
cur->timing.created >= prev->timing.created;
}
static dnssec_kasp_key_t *last_key(dnssec_kasp_zone_t *zone,
key_match_cb match_cb, void *data)
static bool zsk_match(const dnssec_kasp_key_t *key, time_t now, key_state_t state)
{
return dnssec_key_get_flags(key->key) == DNSKEY_FLAGS_ZSK &&
get_key_state(key, now) == state;
}
static dnssec_kasp_key_t *last_key(dnssec_event_ctx_t *ctx, key_state_t state)
{
assert(zone);
assert(ctx);
assert(ctx->zone);
dnssec_kasp_key_t *match = NULL;
dnssec_list_t *keys = dnssec_kasp_zone_get_keys(zone);
dnssec_list_t *keys = dnssec_kasp_zone_get_keys(ctx->zone);
dnssec_list_foreach(i, keys) {
dnssec_kasp_key_t *key = dnssec_item_get(i);
if ((match == NULL || newer_key(match, key)) && match_cb(key, data)) {
if ((match == NULL || newer_key(match, key)) &&
zsk_match(key, ctx->now, state)
) {
match = key;
}
}
......@@ -50,74 +68,82 @@ static dnssec_kasp_key_t *last_key(dnssec_kasp_zone_t *zone,
return match;
}
static bool is_active_zsk(const dnssec_kasp_key_t *key, void *data)
{
time_t now = (time_t)data;
return dnssec_key_get_flags(key->key) == DNSKEY_FLAGS_ZSK &&
get_key_state(key, now) == DNSSEC_KEY_STATE_ACTIVE;
}
static bool is_rolling_zsk(const dnssec_kasp_key_t *key, void *data)
{
time_t now = (time_t)data;
return dnssec_key_get_flags(key->key) == DNSKEY_FLAGS_ZSK &&
get_key_state(key, now) == DNSSEC_KEY_STATE_PUBLISHED;
}
static bool responds_to(dnssec_event_type_t event)
{
return event == DNSSEC_EVENT_ZSK_ROTATION_INIT ||
event == DNSSEC_EVENT_ZSK_ROTATION_FINISH;
switch (event) {
case DNSSEC_EVENT_ZSK_ROLL_PUBLISH_NEW_KEY:
case DNSSEC_EVENT_ZSK_ROLL_REPLACE_SIGNATURES:
case DNSSEC_EVENT_ZSK_ROLL_REMOVE_OLD_KEY:
return true;
default:
return false;
}
}
#define subzero(a, b) ((a) > (b) ? (a) - (b) : 0)
static int plan(dnssec_event_ctx_t *ctx, dnssec_event_t *event)
{
assert(ctx);
assert(event);
dnssec_kasp_key_t *active = last_key(ctx->zone, is_active_zsk, (void *)ctx->now);
if (!active) {
return DNSSEC_EINVAL;
}
/*
* We should not start another rollover, if there is a rollover
* in progress. Therefore we will check the keys in reverse order
* to make sure all stages are finished.
*/
if (ctx->now < active->timing.publish) {
return DNSSEC_EINVAL;
}
dnssec_kasp_key_t *retired = last_key(ctx, DNSSEC_KEY_STATE_RETIRED);
if (retired) {
if (ctx->now < retired->timing.retire) {
return DNSSEC_EINVAL;
}
uint32_t retired_time = ctx->now - retired->timing.retire;
uint32_t retired_need = ctx->policy->propagation_delay +
ctx->policy->zone_maximal_ttl;
event->type = DNSSEC_EVENT_ZSK_ROLL_REMOVE_OLD_KEY;
event->time = ctx->now + subzero(retired_need, retired_time);
uint32_t active_age = ctx->now - active->timing.publish;
if (active_age < ctx->policy->zsk_lifetime) {
event->type = DNSSEC_EVENT_ZSK_ROTATION_INIT;
event->time = ctx->now + (ctx->policy->zsk_lifetime - active_age);
return DNSSEC_EOK;
}
dnssec_kasp_key_t *rolling = last_key(ctx->zone, is_rolling_zsk, (void *)ctx->now);
if (!rolling) {
event->type = DNSSEC_EVENT_ZSK_ROTATION_INIT;
event->time = ctx->now;
dnssec_kasp_key_t *rolling = last_key(ctx, DNSSEC_KEY_STATE_PUBLISHED);
if (rolling) {
if (ctx->now < rolling->timing.publish) {
return DNSSEC_EINVAL;
}
uint32_t rolling_time = ctx->now - rolling->timing.publish;
uint32_t rolling_need = ctx->policy->propagation_delay +
ctx->policy->dnskey_ttl;
event->type = DNSSEC_EVENT_ZSK_ROLL_REPLACE_SIGNATURES;
event->time = ctx->now + subzero(rolling_need, rolling_time);
return DNSSEC_EOK;
}
if (ctx->now < rolling->timing.publish) {
return DNSSEC_EINVAL;
}
dnssec_kasp_key_t *active = last_key(ctx, DNSSEC_KEY_STATE_ACTIVE);
if (active) {
if (ctx->now < active->timing.publish) {
return DNSSEC_EINVAL;
}
uint32_t active_age = ctx->now - active->timing.publish;
uint32_t active_max = ctx->policy->zsk_lifetime;
event->type = DNSSEC_EVENT_ZSK_ROLL_PUBLISH_NEW_KEY;
event->time = ctx->now + subzero(active_max, active_age);
uint32_t rolling_age = ctx->now - rolling->timing.publish;
uint32_t rolling_known = ctx->policy->dnskey_ttl + ctx->policy->propagation_delay;
if (rolling_age < rolling_known) {
event->type = DNSSEC_EVENT_ZSK_ROTATION_FINISH;
event->time = ctx->now + (rolling_known - rolling_age);
return DNSSEC_EOK;
} else {
event->type = DNSSEC_EVENT_ZSK_ROTATION_FINISH;
event->time = ctx->now;
return DNSSEC_EOK;
}
return DNSSEC_EINVAL;
}
static int exec_init(dnssec_event_ctx_t *ctx)
static int exec_new_key(dnssec_event_ctx_t *ctx)
{
dnssec_kasp_key_t *new_key = NULL;
int r = generate_key(ctx, false, &new_key);
......@@ -125,25 +151,35 @@ static int exec_init(dnssec_event_ctx_t *ctx)
return r;
}
#warning TODO: Cannot set "active" to zero, using upper bound instead.
//! \todo Cannot set "active" to zero, using upper bound instead.
new_key->timing.publish = ctx->now;
new_key->timing.active = UINT32_MAX;
return dnssec_kasp_zone_save(ctx->kasp, ctx->zone);
}
static int exec_finish(dnssec_event_ctx_t *ctx)
static int exec_new_signatures(dnssec_event_ctx_t *ctx)
{
dnssec_kasp_key_t *active = last_key(ctx->zone, is_active_zsk, (void *)ctx->now);
dnssec_kasp_key_t *rolling = last_key(ctx->zone, is_rolling_zsk, (void *)ctx->now);
dnssec_kasp_key_t *active = last_key(ctx, DNSSEC_KEY_STATE_ACTIVE);
dnssec_kasp_key_t *rolling = last_key(ctx, DNSSEC_KEY_STATE_PUBLISHED);
if (!active || !rolling) {
return DNSSEC_EINVAL;
}
active->timing.retire = ctx->now;
rolling->timing.active = ctx->now;
active->timing.retire = ctx->now;
active->timing.remove = ctx->now;
return dnssec_kasp_zone_save(ctx->kasp, ctx->zone);
}
static int exec_remove_old_key(dnssec_event_ctx_t *ctx)
{
dnssec_kasp_key_t *retired = last_key(ctx, DNSSEC_KEY_STATE_RETIRED);
if (!retired) {
return DNSSEC_EINVAL;
}
retired->timing.remove = ctx->now;
return dnssec_kasp_zone_save(ctx->kasp, ctx->zone);
}
......@@ -154,14 +190,19 @@ static int exec(dnssec_event_ctx_t *ctx, const dnssec_event_t *event)
assert(event);
switch (event->type) {
case DNSSEC_EVENT_ZSK_ROTATION_INIT: return exec_init(ctx);
case DNSSEC_EVENT_ZSK_ROTATION_FINISH: return exec_finish(ctx);
case DNSSEC_EVENT_ZSK_ROLL_PUBLISH_NEW_KEY:
return exec_new_key(ctx);
case DNSSEC_EVENT_ZSK_ROLL_REPLACE_SIGNATURES:
return exec_new_signatures(ctx);
case DNSSEC_EVENT_ZSK_ROLL_REMOVE_OLD_KEY:
return exec_remove_old_key(ctx);
default:
assert_unreachable();
return DNSSEC_EINVAL;
};
}
/*! Event API. */
const event_action_functions_t event_action_zsk_rollover = {
.responds_to = responds_to,
.plan = plan,
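Review bot: `#define subzero(a, b)` is a lower-case function-like macro that evaluates both operands twice, and every `event->time` computation in the rewritten plan() goes through it; a `static inline uint32_t subzero(uint32_t a, uint32_t b) { return a > b ? a - b : 0; }` keeps the call sites unchanged, is type-checked, and removes the double-evaluation hazard should an argument ever gain side effects. plan() also reads `ctx->policy->propagation_delay`, `ctx->policy->zsk_lifetime` and friends without an assertion, while the new last_key() asserts `ctx->zone`; adding `assert(ctx->policy);` next to the existing `assert(ctx)` / `assert(event)` at the top of plan() would keep the two consistent. The subtractions such as `uint32_t retired_time = ctx->now - retired->timing.retire;` are only non-negative because of the `ctx->now < ...` guard immediately above each one, and the result is narrowed into 32 bits; a one-line comment stating that dependency would help the next reader. If the `//! \todo Cannot set "active" to zero` line is the new side replacing the former `#warning`, the limitation is no longer surfaced at build time and should be tracked somewhere visible.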
......
......@@ -30,10 +30,12 @@ const char *dnssec_event_name(dnssec_event_type_t event)
return "no event";
case DNSSEC_EVENT_GENERATE_INITIAL_KEY:
return "generate initial keys";
case DNSSEC_EVENT_ZSK_ROTATION_INIT:
return "initialize ZSK rotation";
case DNSSEC_EVENT_ZSK_ROTATION_FINISH:
return "finish ZSK rotation";
case DNSSEC_EVENT_ZSK_ROLL_PUBLISH_NEW_KEY:
return "ZSK rollover, publish new key";
case DNSSEC_EVENT_ZSK_ROLL_REPLACE_SIGNATURES:
return "ZSK rollover, replace signatures";
case DNSSEC_EVENT_ZSK_ROLL_REMOVE_OLD_KEY:
return "ZSK rollover, remove old key";
default:
return "unknown event";
}
......
......@@ -107,13 +107,13 @@ static int read_unsafe(wire_ctx_t *dest, wire_ctx_t *src)
char buffer[3] = { 0 };
wire_read(src, (uint8_t *)buffer, sizeof(buffer));
int value = 0;
unsigned value = 0;
int read = sscanf(buffer, "x%02x", &value);
if (read != 1 || value == 0) {
return DNSSEC_MALFORMED_DATA;
}
assert(0 < value && value <= UINT8_MAX);
assert(value <= UINT8_MAX);
wire_write_u8(dest, value);
return DNSSEC_EOK;
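Review bot: `sscanf()` on the line after the new `unsigned value = 0;` requires a NUL-terminated string, but `buffer` is only three bytes and `wire_read(src, (uint8_t *)buffer, sizeof(buffer))` fills all of them (assuming wire_read copies the requested length), so the `= { 0 }` initializer leaves no terminator and the call reads past the array; glibc's sscanf measures the whole string before matching, so the `%02x` width does not prevent the over-read. Reserve the terminator with `char buffer[4] = { 0 };` and `wire_read(src, (uint8_t *)buffer, sizeof(buffer) - 1);`. The switch to `unsigned` is the correct type for `%x`, and with at most two hex digits the new `assert(value <= UINT8_MAX)` always holds. read_unsafe() starts in the hunk header, and any check that `src` still holds three bytes lies outside this hunk.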
......
......@@ -23,7 +23,7 @@
* \param type Entity type.
* \param name Entity name.
*
* \return File name '<dir>/<type><escaped-name>.json'
* \return File name '<dir>/<type>_<escaped-name>.json'
*/
char *file_from_entity(const char *dir, const char *type, const char *name);
......
......@@ -323,6 +323,9 @@ int encode_time(const void *value, json_t **result)
return DNSSEC_EOK;
}
/*!
* Encode object according to attributes description.
*/
int encode_object(const encode_attr_t attrs[], const void *object, json_t **encoded_ptr)
{
assert(attrs);
......@@ -359,6 +362,9 @@ int encode_object(const encode_attr_t attrs[], const void *object, json_t **enco
return DNSSEC_EOK;
}
/*!
* Decode object according to attributes description.
*/
int decode_object(const encode_attr_t attrs[], const json_t *encoded, void *object)
{
assert(attrs);
......
......@@ -345,14 +345,13 @@ int load_zone_config(dnssec_kasp_zone_t *zone, const char *filename)
assert(zone);
assert(filename);
FILE *file = fopen(filename, "r");
_cleanup_fclose_ FILE *file = fopen(filename, "r");
if (!file) {
return DNSSEC_NOT_FOUND;
}
json_error_t error = { 0 };
_json_cleanup_ json_t *config = json_loadf(file, JSON_LOAD_OPTIONS, &error);
fclose(file);
if (!config) {
return DNSSEC_CONFIG_MALFORMED;
}
......
......@@ -142,7 +142,7 @@ static int dsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
/*!
* Convert ECDSA public key to DNSSEC format.
*/
int ecdsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
static int ecdsa_pubkey_to_rdata(gnutls_pubkey_t key, dnssec_binary_t *rdata)
{
assert(key);
assert(rdata);
......@@ -267,7 +267,7 @@ static uint8_t expected_t_size(size_t size)
/*!
* Convert DSA key in DNSSEC format to crypto key.
*/
int dsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t key)
static int dsa_rdata_to_pubkey(const dnssec_binary_t *rdata, gnutls_pubkey_t key)
{
assert(rdata);
assert(key);
......
......@@ -199,16 +199,21 @@ const uint8_t *dnssec_key_get_dname(const dnssec_key_t *key)
_public_
int dnssec_key_set_dname(dnssec_key_t *key, const uint8_t *dname)
{
if (!key || !dname) {
if (!key) {
return DNSSEC_EINVAL;
}
uint8_t *copy = dname_copy(dname);
if (!copy) {
return DNSSEC_ENOMEM;
uint8_t *copy = NULL;
if (dname) {
copy = dname_copy(dname);
if (!copy) {
return DNSSEC_ENOMEM;
}
dname_normalize(copy);
}
dname_normalize(copy);
free(key->dname);
key->dname = copy;
return DNSSEC_EOK;
......@@ -270,7 +275,7 @@ int dnssec_key_set_protocol(dnssec_key_t *key, uint8_t protocol)
return DNSSEC_EOK;
}
/* -- restriced attributes ------------------------------------------------- */
/* -- restricted attributes ------------------------------------------------ */
/*!
* Check if current public key algorithm matches with the new algorithm.
......@@ -283,15 +288,15 @@ static bool can_change_algorithm(dnssec_key_t *key, uint8_t algorithm)
return true;
}
gnutls_pk_algorithm_t new = algorithm_to_gnutls(algorithm);
if (new == GNUTLS_PK_UNKNOWN) {
gnutls_pk_algorithm_t update = algorithm_to_gnutls(algorithm);
if (update == GNUTLS_PK_UNKNOWN) {
return false;
}
int current = gnutls_pubkey_get_pk_algorithm(key->public_key, NULL);
assert(current >= 0);
return current == new;
return current == update;
}
_public_
......@@ -351,23 +356,21 @@ int dnssec_key_set_pubkey(dnssec_key_t *key, const dnssec_binary_t *pubkey)
return DNSSEC_KEY_ALREADY_PRESENT;
}
dnssec_binary_t new_rdata = key->rdata;
int result = dnskey_rdata_set_pubkey(&new_rdata, pubkey);
if (dnssec_key_get_algorithm(key) == 0) {
return DNSSEC_INVALID_KEY_ALGORITHM;
}
int result = dnskey_rdata_set_pubkey(&key->rdata, pubkey);
if (result != DNSSEC_EOK) {
return result;
}
gnutls_pubkey_t new_pubkey = NULL;
result = dnskey_rdata_to_crypto_key(&new_rdata, &new_pubkey);
result = dnskey_rdata_to_crypto_key(&key->rdata, &key->public_key);
if (result != DNSSEC_EOK) {
key->rdata.size = DNSKEY_RDATA_OFFSET_PUBKEY; // downsize
return result;
}
// commit result
key->rdata = new_rdata;
key->public_key = new_pubkey;
key_update_identifiers(key);
return DNSSEC_EOK;
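Review bot: Dropping the `new_rdata` / `new_pubkey` temporaries in dnssec_key_set_pubkey() removes the all-or-nothing update: `dnskey_rdata_to_crypto_key(&key->rdata, &key->public_key)` now receives the live fields, and the failure path only restores `key->rdata.size` while the just-appended public-key bytes stay in the buffer and `key->public_key` is left as whatever the callee wrote. Since the earlier `DNSSEC_KEY_ALREADY_PRESENT` check presumably keys off `key->public_key`, a partially initialised pointer on error would make the next call fail with the wrong code; confirm that dnskey_rdata_to_crypto_key() leaves its output untouched on error and record it at the call site, e.g. `// dnskey_rdata_to_crypto_key() does not touch key->public_key on failure, so only rdata needs rewinding`. The function starts before this hunk, so the exact form of the ALREADY_PRESENT check is not visible here.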
......
......@@ -20,12 +20,13 @@
#include "binary.h"
#include "error.h"
#include "key/dnskey.h"
#include "shared.h"
/*!
* Compute keytag for RSA/MD5 key.
*
* \see RFC 2537 (section 2) , RFC 4034 (appendix B.1)
* \see RFC 2537 (section 2), RFC 4034 (appendix B.1)
*/
static uint16_t keytag_compat(const dnssec_binary_t *rdata)
{
......@@ -57,8 +58,7 @@ static uint16_t keytag_current(const dnssec_binary_t *rdata)
ac += (i & 1) ? rdata->data[i] : rdata->data[i] << 8;
}
ac += (ac >> 16) & 0xFFFF;
return ac & 0xFFFF;
return (ac >> 16) + ac;
}
/* -- public API ----------------------------------------------------------- */
......@@ -73,11 +73,11 @@ int dnssec_keytag(const dnssec_binary_t *rdata, uint16_t *keytag)
return DNSSEC_EINVAL;
}
if (!rdata->data || rdata->size < 4) {
if (!rdata->data || rdata->size < DNSKEY_RDATA_OFFSET_PUBKEY) {
return DNSSEC_MALFORMED_DATA;
}
uint8_t algorithm = rdata->data[3];
uint8_t algorithm = rdata->data[DNSKEY_RDATA_OFFSET_ALGORITHM];
if (algorithm == 1) {
*keytag = keytag_compat(rdata);
} else {
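Review bot: `return (ac >> 16) + ac;` in keytag_current() relies on the implicit narrowing of the sum to the `uint16_t` return type to perform the final `& 0xFFFF` step of RFC 4034 Appendix B; the value is the same as the removed two-statement form, but the truncation is now invisible and will warn under `-Wconversion`. Make it explicit: `return (uint16_t)((ac >> 16) + ac);` with a short comment such as `// fold the carry and keep the low 16 bits (RFC 4034, Appendix B)`. The declaration of `ac` is outside the hunk, so this assumes an unsigned accumulator as the RFC reference implementation uses. The switch in dnssec_keytag() from the literals `4` and `3` to `DNSKEY_RDATA_OFFSET_PUBKEY` / `DNSKEY_RDATA_OFFSET_ALGORITHM` is a welcome consistency fix.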
......
......@@ -26,19 +26,6 @@
#include "pem.h"
#include "shared.h"
/* -- internal functions --------------------------------------------------- */
/*!
* Check if DNSKEY has and algorithm set.
*/
static bool has_algorithm(dnssec_key_t *key)
{
assert(key);
uint8_t algorithm = dnssec_key_get_algorithm(key);
return algorithm != 0;
}
/* -- public API ----------------------------------------------------------- */
_public_
......@@ -48,7 +35,7 @@ int dnssec_key_load_pkcs8(dnssec_key_t *key, const dnssec_binary_t *pem)
return DNSSEC_EINVAL;
}
if (!key->public_key && !has_algorithm(key)) {
if (dnssec_key_get_algorithm(key) == 0) {
return DNSSEC_INVALID_KEY_ALGORITHM;
}