From dd6cbbf955980c5a818fe67289167f9f5988607d Mon Sep 17 00:00:00 2001 From: Eduardo Date: Sat, 25 Jul 2020 23:47:54 -0400 Subject: [PATCH] adding duration config option for automated renovations --- README.md | 122 ++++++++++++++++++++++------------- cmd/sign.go | 54 +++++++++++++--- dns-tools-config.sample.json | 4 ++ tools/context.go | 53 +++++---------- tools/duration.go | 95 +++++++++++++++++++++++++++ tools/duration_test.go | 86 ++++++++++++++++++++++++ tools/file_session.go | 8 +-- tools/file_signer.go | 8 +-- tools/file_signer_test.go | 28 ++++---- tools/pkcs11_session.go | 30 ++++----- tools/pkcs11_signer.go | 12 ++-- tools/pkcs11_signer_test.go | 47 ++++++++------ tools/rr_set.go | 6 +- tools/sign_algorithm.go | 15 +++-- tools/sign_session.go | 20 +++--- tools/signer_test.go | 4 -- tools/utils.go | 13 ++-- 17 files changed, 421 insertions(+), 184 deletions(-) create mode 100644 tools/duration.go create mode 100644 tools/duration_test.go diff --git a/README.md b/README.md index 0578f16..9b1211a 100644 --- a/README.md +++ b/README.md @@ -1,18 +1,16 @@ # DNS Tools: ZONEMD digest calculator and Signer (using PKCS11 and files) - [![Go Report Card](https://goreportcard.com/badge/github.com/niclabs/dns-tools)](https://goreportcard.com/report/github.com/niclabs/dns-tools) [![Build Status](https://travis-ci.org/niclabs/dns-tools.svg?branch=master)](https://travis-ci.org/niclabs/dns-tools) - ## How to build dns-tools The following libraries should be installed in the systems which are going to use the compiled library: -* git -* gcc -* Go (1.12.3 or higher) +- git +- gcc +- Go (1.12.3 or higher) -On [Debian 10 (Buster)](https://www.debian.org), with a sudo-enabled user, the commands to run to install dependencies and +On [Debian 10 (Buster)](https://www.debian.org), with a sudo-enabled user, the commands to run to install dependencies and build are the following: ```bash @@ -22,7 +20,7 @@ sudo apt install build-essential pkg-config git To compile it, you need to have `Go` installed on your machine. You can find how to install Go on [its official page](https://golang.org/doc/install). -Then, you need to clone, execute and build the repository: +Then, you need to clone, execute and build the repository: ``` git clone https://github.com/niclabs/dns-tools --branch v1.1.0 @@ -35,35 +33,40 @@ The file `dns-tools` will be created on the same directory. ## Command Flags the command has three modes: -* **Verify** `dns-tools verify` allows to verify a previously signed and/or digested zone. It only receives one parameter, `--file (-f)`, that is used as the input file for verification. -* **Reset PKCS#11 Keys** `dns-tools reset-pkcs11-keys` Deletes all the keys from the HSM. Is a very dangerous command. It uses some parameters from `sign`, as `-p`, `-l` and `-k`. -* **Sign** allows to sign a zone. Its common parameters are: - * `--create-keys (-c)` creates the keys if they doesn't exist. - * `--zsk-expiration-date (-Z)` Allows to use a specific expiration date for RRSIG signatures with ZSK key. - * `--ksk-expiration-date (-K)` Allows to use a specific expiration date for RRSIG signatures with KSK key. - * `--file (-f)` allows to select the file that will be signed. - * `--nsec3 (-3)` Uses NSEC3 for zone signing, as specified in [RFC5155](https://tools.ietf.org/html/rfc5155). If not activated, it uses NSEC. - * `--optout (-o)` Uses Opt-out, as specified in [RFC5155](https://tools.ietf.org/html/rfc5155). - * `--p11lib (-p)` selects the library to use as pkcs11 HSM driver. - * `--sign-algorithm (-a)` Sign algorithm used. It can be 'rsa' or 'ecdsa'. - * `--zone (-z)` Zone name - * `--digest (-d)` If true, the signature also creates a [Digest](https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-05.html) over the zone - - `--info (-i)` Add a TXT RR to the zone with signing information (signer software, mode and library used if PKCS#11) -* **ZONEMD calculation** Allows to generate a [ZONEMD](https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-05.html) RR over the zone. It allows the following commands: + +- **Verify** `dns-tools verify` allows to verify a previously signed and/or digested zone. It only receives one parameter, `--file (-f)`, that is used as the input file for verification. +- **Reset PKCS#11 Keys** `dns-tools reset-pkcs11-keys` Deletes all the keys from the HSM. Is a very dangerous command. It uses some parameters from `sign`, as `-p`, `-l` and `-k`. +- **Sign** allows to sign a zone. Its common parameters are: + - `--create-keys (-c)` creates the keys if they doesn't exist. + - `--zsk-expiration-date` Allows to use a specific expiration date for ZSK key if it is created. It can be overrided by --zsk-duration. + - `--ksk-expiration-date` Allows to use a specific expiration date for KSK key if it is created. It can be overrided by --ksk-duration. + - `--rrsig-expiration-date` Allows to use a specific expiration date for RRSIG signatures. It can be overrided by --rrsig-duration. + - `--zsk-duration` Allows to use an expiration date for ZSK key relative to current time if it is created. It overrides --zsk-expiration-date. Default value is empty. + - `--ksk-duration` Allows to use an expiration date for KSK key relative to current time if it is created. It overrides --ksk-expiration-date. Default value is empty. + - `--rrsig-duration` Allows to use a expiration date for RRSIG signatures relative to current time. It overrides --rrsig-expiration-date. Default value is empty. + - `--file (-f)` allows to select the file that will be signed. + - `--nsec3 (-3)` Uses NSEC3 for zone signing, as specified in [RFC5155](https://tools.ietf.org/html/rfc5155). If not activated, it uses NSEC. + - `--optout (-o)` Uses Opt-out, as specified in [RFC5155](https://tools.ietf.org/html/rfc5155). + - `--p11lib (-p)` selects the library to use as pkcs11 HSM driver. + - `--sign-algorithm (-a)` Sign algorithm used. It can be 'rsa' or 'ecdsa'. + - `--zone (-z)` Zone name + - `--digest (-d)` If true, the signature also creates a [Digest](https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-05.html) over the zone + * `--info (-i)` Add a TXT RR to the zone with signing information (signer software, mode and library used if PKCS#11) +- **ZONEMD calculation** Allows to generate a [ZONEMD](https://tools.ietf.org/html/draft-ietf-dnsop-dns-zone-digest-05.html) RR over the zone. It allows the following commands: - `--file (-f)` Input zone file - - `--output (-o)` Output for zone file + - `--output (-o)` Output for zone file - `--info (-i)` Add a TXT RR to the zone with signing information (signer software, mode and library used if PKCS#11) ## Signing modes Sign can be used in two modes: -* **PKCS#11**: `dns-tools sign pkcs11` connects to a PKCS#11 enabled device to sign the zone. It considers the following options: - - `--key-label (-l)` allows to choose a label for the created keys (if not, they will have dns-tools as name). - - `--user-key (-k)` HSM key, if not specified, the default key used is `1234`. -* **File**: `dns-tools sign file` uses two PEM files with PKCS#8 encoded keys. It requires to define two options: - - `--zsk-file (-Z)` ZSK PEM File location. If `--create-keys` is enabled, the file will be created and any previous key will be overriden, so use it with care. - - `--ksk-file (-K)` KSK PEM File location. If `--create-keys` is enabled, the file will be created and any previous key will be overriden, so use it with care. +- **PKCS#11**: `dns-tools sign pkcs11` connects to a PKCS#11 enabled device to sign the zone. It considers the following options: + - `--key-label (-l)` allows to choose a label for the created keys (if not, they will have dns-tools as name). + - `--user-key (-k)` HSM key, if not specified, the default key used is `1234`. +- **File**: `dns-tools sign file` uses two PEM files with PKCS#8 encoded keys. It requires to define two options: + - `--zsk-file (-Z)` ZSK PEM File location. If `--create-keys` is enabled, the file will be created and any previous key will be overriden, so use it with care. + - `--ksk-file (-K)` KSK PEM File location. If `--create-keys` is enabled, the file will be created and any previous key will be overriden, so use it with care. ### Using a PKCS#11 device @@ -101,7 +104,7 @@ The following command creates an output file with a ZONEMD RR: ## How to delete PKCS11 keys -The following command removes the created keys with an specific tag, using the [DTC](https://github.com/niclabs/dtc) library +The following command removes the created keys with an specific tag, using the [DTC](https://github.com/niclabs/dtc) library ``` ./dns-tools reset-pkcs11-keys -p ./dtc.so @@ -112,30 +115,58 @@ The following command removes the created keys with an specific tag, using the You can create a json config file with the structure of `config.sample.json` to set the variables. The config file will be looked for at the following locations: - * `/etc/dns-tools/dns-tools-config.json` - * `./dns-tools-config.json` (Current location) +- `/etc/dns-tools/dns-tools-config.json` +- `./dns-tools-config.json` (Current location) You can also set the config file path using `--config` flag. +### Duration format + +The fields `--{zsk,ksk,rrsig}-duration` are parsed using the following regular expression: + +`( )(,? + )*` + +Where: + +- `` corresponds to a non-negative integer number. +- `` is a value in the following list: + - `s`, `sec`, `secs`, `seconds` for seconds. + - `min`, `minute`, `mins`, `minutes` for minutes + - `h`, `hr`, `hour`, `hrs`, `hours` for hours + - `w`, `week`, `weeks` for weeks + - `m`, `month`, `months` for months + - `y`, `year`, `years` for years + + +In other words, the duration units are separated by one or more spaces, ignoring plurals and commas at the end of each duration definition. + +The relative duration definition is used with the time that the command is executed. + +Examples: + +* 1 year 3 months +* 1 hour 3 seconds +* 3 weeks 2 months 4 seconds 1 year + ## Features - [x] Read zone - [x] Parse zone - [x] Create keys in HSM - [x] Sign using PKCS11 (for HSMs): - - [x] RSA - - [x] ECDSA - - [ ] SHA-1 - - [ ] SHA128 - - [x] SHA256 - - [ ] SHA512 + - [x] RSA + - [x] ECDSA + - [ ] SHA-1 + - [ ] SHA128 + - [x] SHA256 + - [ ] SHA512 - [x] Sign using PKCS#8-encoded PEM keys: - - [x] RSA - - [x] ECDSA - - [ ] SHA-1 - - [ ] SHA128 - - [x] SHA256 - - [ ] SHA512 + - [x] RSA + - [x] ECDSA + - [ ] SHA-1 + - [ ] SHA128 + - [x] SHA256 + - [ ] SHA512 - [x] Calculate ZONEMD RRs - [x] Verify signed/digested zones - [x] Reuse keys @@ -143,4 +174,5 @@ You can also set the config file path using `--config` flag. - [x] Save zone to file ## Bugs -* [Some incompatibilities with some common PKCS11-enabled libraries](https://github.com/niclabs/dns-tools/issues/8) + +- [Some incompatibilities with some common PKCS11-enabled libraries](https://github.com/niclabs/dns-tools/issues/8) diff --git a/cmd/sign.go b/cmd/sign.go index 276b45e..509cf0a 100644 --- a/cmd/sign.go +++ b/cmd/sign.go @@ -2,12 +2,21 @@ package cmd import ( "fmt" - "github.com/niclabs/dns-tools/tools" - "github.com/spf13/cobra" - "github.com/spf13/viper" "os" "path/filepath" "strings" + "time" + + "github.com/niclabs/dns-tools/tools" + "github.com/spf13/cobra" + "github.com/spf13/viper" +) + +// Defaults for ZSK and KSK signature expirations +var ( + DefaultKSKExpiration time.Time = time.Now().AddDate(1, 0, 0) + DefaultZSKExpiration time.Time = time.Now().AddDate(1, 0, 0) + DefaultRRSigExpiration time.Time = time.Now().AddDate(0, 3, 0) ) func init() { @@ -18,11 +27,16 @@ func init() { signCmd.PersistentFlags().StringP("sign-algorithm", "a", "rsa", "Algorithm used in signing.") signCmd.PersistentFlags().BoolP("nsec3", "3", false, "Use NSEC3 instead of NSEC.") signCmd.PersistentFlags().BoolP("opt-out", "x", false, "Use NSEC3 with opt-out.") - signCmd.PersistentFlags().StringP("zsk-expiration-date", "Z", "", "ZSK Signature expiration Date, in YYYYMMDD format. Default is one month from now.") - signCmd.PersistentFlags().StringP("ksk-expiration-date", "K", "", "KSK Signature expiration Date, in YYYYMMDD format. Default is three months from now.") signCmd.PersistentFlags().BoolP("digest", "d", false, "If true, DigestEnabled RR is added to the signed zone") signCmd.PersistentFlags().BoolP("info", "i", false, "If true, an TXT RR is added with information about the signing process (tool and mode)") + signCmd.PersistentFlags().String("zsk-expiration-date", "", "ZSK Key expiration Date, in YYYYMMDD format. It is ignored if --zsk-duration is set. Default is three months from now.") + signCmd.PersistentFlags().String("ksk-expiration-date", "", "KSK Key expiration Date, in YYYYMMDD format. It is ignored if --ksk-duration is set. Default is one year from now.") + signCmd.PersistentFlags().String("rrsig-expiration-date", "", "RRSIG expiration Date, in YYYYMMDD format. It is ignored if --ksk-duration is set. Default is three months from now.") + signCmd.PersistentFlags().String("zsk-duration", "", "Relative ZSK Key expiration Date, in human readable format (combining numbers with labels like year(s), month(s), day(s), hour(s), minute(s), second(s)). Overrides --ksk-date-expiration. Default is empty.") + signCmd.PersistentFlags().String("ksk-duration", "", "Relative KSK Key expiration Date, in human readable format (combining numbers with labels like year(s), month(s), day(s), hour(s), minute(s), second(s)). Overrides --zsk-date-expiration. Default is empty.") + signCmd.PersistentFlags().String("rrsig-duration", "", "Relative RRSIG expiration Date, in human readable format (combining numbers with labels like year(s), month(s), day(s), hour(s), minute(s), second(s)). Overrides --rrsig-date-expiration. Default is empty.") + pkcs11Cmd.PersistentFlags().StringP("user-key", "k", "1234", "HSM User Login PKCS11Key.") pkcs11Cmd.PersistentFlags().StringP("key-label", "l", "HSM-tools", "Label of HSM Signer PKCS11Key.") pkcs11Cmd.PersistentFlags().StringP("p11lib", "p", "", "Full path to PKCS11Type lib file.") @@ -148,8 +162,7 @@ func newSignConfig() (*tools.ContextConfig, error) { path := viper.GetString("file") out := viper.GetString("output") - zskExpDateStr := viper.GetString("zsk-expiration-date") - kskExpDateStr := viper.GetString("zsk-expiration-date") + signAlgorithm := viper.GetString("sign-algorithm") if len(path) == 0 { @@ -168,6 +181,18 @@ func newSignConfig() (*tools.ContextConfig, error) { return nil, err } + kskExpDate, err := getExpDate(viper.GetString("zsk-duration"), viper.GetString("zsk-expiration-date"), DefaultZSKExpiration) + if err != nil { + return nil, err + } + zskExpDate, err := getExpDate(viper.GetString("ksk-duration"), viper.GetString("ksk-expiration-date"), DefaultKSKExpiration) + if err != nil { + return nil, err + } + rrsigExpDate, err := getExpDate(viper.GetString("rrsig-duration"), viper.GetString("rrsig-expiration-date"), DefaultRRSigExpiration) + if err != nil { + return nil, err + } return &tools.ContextConfig{ Zone: zone, CreateKeys: createKeys, @@ -175,10 +200,21 @@ func newSignConfig() (*tools.ContextConfig, error) { DigestEnabled: digest, OptOut: optOut, SignAlgorithm: signAlgorithm, - KSKExpDateStr: kskExpDateStr, - ZSKExpDateStr: zskExpDateStr, + KSKExpDate: kskExpDate, + ZSKExpDate: zskExpDate, + RRSIGExpDate: rrsigExpDate, FilePath: path, OutputPath: out, Info: info, }, nil } + +func getExpDate(durString, expDate string, def time.Time) (time.Time, error) { + if len(durString) > 0 { + return tools.DurationToTime(time.Now(), durString) + } + if len(expDate) > 0 { + return time.Parse("20060102", expDate) + } + return def, nil +} diff --git a/dns-tools-config.sample.json b/dns-tools-config.sample.json index 59e3d58..506281c 100644 --- a/dns-tools-config.sample.json +++ b/dns-tools-config.sample.json @@ -11,6 +11,10 @@ "digest": true, "zsk-expiration-date": "20300101", "ksk-expiration-date": "20300101", + "rrsig-expiration-date": "20300101", + "zsk-duration": "1 year 7 months 2 days 8 hours 3 minutes 12 seconds", + "ksk-duration": "10 years 3 months 2 days 1 hr 4 min 3 secs", + "rrsig-duration": "10 years 3 months 2 days 1 hr 4 min 3 secs", "zone": "example.com.", "zsk-keyfile": "zsk.pem", "ksk-keyfile": "ksk.pem", diff --git a/tools/context.go b/tools/context.go index 3b5495a..87a78d3 100644 --- a/tools/context.go +++ b/tools/context.go @@ -17,8 +17,6 @@ import ( // Context contains the state of a zone signing process. type Context struct { Config *ContextConfig - KSKExpDate time.Time // Expiration date for signatures with KSK Key. - ZSKExpDate time.Time // Expiration date for signatures with ZSK Key. File io.Reader // zone path Output io.WriteCloser // Out path rrs RRArray // rrs @@ -30,17 +28,18 @@ type Context struct { // ContextConfig contains the common args to sign and verify files type ContextConfig struct { - Zone string // Zone name - CreateKeys bool // If True, the sign process creates new keys for the signature. - NSEC3 bool // If true, the zone is signed using NSEC3 - OptOut bool // If true and NSEC3 is true, the zone is signed using OptOut NSEC3 flag. - DigestEnabled bool // If true, the zone is hashed and DigestEnabled is used - SignAlgorithm string // Signature algorithm - FilePath string // Output Path - OutputPath string // Output Path - KSKExpDateStr string // KSK-signed Signature Expiration Date in String - ZSKExpDateStr string // ZSK-signed Signature Expiration Date in String - Info bool // If true, a credits txt will be added to _dnstools subdomain. + Zone string // Zone name + CreateKeys bool // If True, the sign process creates new keys for the signature. + NSEC3 bool // If true, the zone is signed using NSEC3 + OptOut bool // If true and NSEC3 is true, the zone is signed using OptOut NSEC3 flag. + DigestEnabled bool // If true, the zone is hashed and DigestEnabled is used + SignAlgorithm string // Signature algorithm + FilePath string // Output Path + OutputPath string // Output Path + KSKExpDate time.Time // KSK Key Expiration Date + ZSKExpDate time.Time // ZSK Key Expiration Date + RRSIGExpDate time.Time // RRSIG Expiration Date + Info bool // If true, a credits txt will be added to _dnstools subdomain. } // NewContext creates a new context based on a configuration structure. It also receives @@ -50,8 +49,6 @@ func NewContext(config *ContextConfig, log *log.Logger) (ctx *Context, err error ctx = &Context{ Config: config, Log: log, - KSKExpDate: time.Now().AddDate(0, 3, 0), - ZSKExpDate: time.Now().AddDate(0, 1, 0), Output: os.Stdout, SignAlgorithm: algorithm, } @@ -63,22 +60,6 @@ func NewContext(config *ContextConfig, log *log.Logger) (ctx *Context, err error } } - if len(config.KSKExpDateStr) > 0 { - parsedDate, err := time.Parse("20060102", config.KSKExpDateStr) - if err != nil { - return nil, fmt.Errorf("cannot parse expiration date: %s", err) - } - ctx.KSKExpDate = parsedDate - } - - if len(config.ZSKExpDateStr) > 0 { - parsedDate, err := time.Parse("20060102", config.ZSKExpDateStr) - if err != nil { - return nil, fmt.Errorf("cannot parse expiration date: %s", err) - } - ctx.ZSKExpDate = parsedDate - } - if len(config.OutputPath) > 0 { writer, err := os.Create(config.OutputPath) if err != nil { @@ -190,23 +171,23 @@ func (ctx *Context) AddNSEC13() { func (ctx *Context) NewPKCS11Session(key, label, p11lib string) (SignSession, error) { p := pkcs11.New(p11lib) if p == nil { - return nil, fmt.Errorf("Error initializing %s: file not found\n", p11lib) + return nil, fmt.Errorf("Error initializing %s: file not found", p11lib) } err := p.Initialize() if err != nil { - return nil, fmt.Errorf("Error initializing %s: %s. (Has the .db RW permission?)\n", p11lib, err) + return nil, fmt.Errorf("Error initializing %s: %s. (Has the .db RW permission?)", p11lib, err) } slots, err := p.GetSlotList(true) if err != nil { - return nil, fmt.Errorf("Error checking slots: %s\n", err) + return nil, fmt.Errorf("Error checking slots: %s", err) } session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION) if err != nil { - return nil, fmt.Errorf("Error creating session: %s\n", err) + return nil, fmt.Errorf("Error creating session: %s", err) } err = p.Login(session, pkcs11.CKU_USER, key) if err != nil { - return nil, fmt.Errorf("Error login with provided key: %s\n", err) + return nil, fmt.Errorf("Error login with provided key: %s", err) } return &PKCS11Session{ libPath: p11lib, diff --git a/tools/duration.go b/tools/duration.go new file mode 100644 index 0000000..455bd4d --- /dev/null +++ b/tools/duration.go @@ -0,0 +1,95 @@ +package tools + +import ( + "fmt" + "strconv" + "strings" + "time" +) + +type parseableDuration int + +const ( + seconds parseableDuration = iota + minutes + hours + days + weeks + months + years +) + +var strToParseableDuration = map[string]parseableDuration{ + "s": seconds, + "sec": seconds, + "second": seconds, + + "min": minutes, + "minute": minutes, + + "h": hours, + "hour": hours, + "hr": hours, + + "w": weeks, + "week": weeks, + + "d": days, + "day": days, + + "m": months, + "month": months, + + "y": years, + "year": years, +} + +// DurationToTime parses a duration string and returns a time relative to now. +func DurationToTime(now time.Time, dStr string) (d time.Time, err error) { + parts := strings.Fields(dStr) + if len(parts)%2 != 0 { + err = fmt.Errorf("wrong duration string format (it could be like \"10 years 2 months 3 days 4 hours 22 minutes 13 seconds\"") + return + } + parsed := map[parseableDuration]int{ + seconds: 0, + minutes: 0, + hours: 0, + days: 0, + weeks: 0, + months: 0, + years: 0, + } + for i := 0; i < len(parts); i += 2 { + strType := strings.TrimRight(strings.ToLower(parts[i+1]), ",") // trims commas + if strType != "s" { // in we do not check this, we will delete the type completely + strType = strings.TrimRight(strType, "s") // trims plurals + } + durationType, ok := strToParseableDuration[strType] + if !ok { + err = fmt.Errorf("unknown duration keyword: %s", parts[i]) + return + } + var durationValue int + durationValue, err = strconv.Atoi(parts[i]) + if err != nil { + err = fmt.Errorf("cannot parse duration value \"%s\" as int: %s", parts[i+1], err) + return + } + if durationValue < 0 { + err = fmt.Errorf("duration for keyword %s is negative", strType) + } + if parsed[durationType] != 0 { + err = fmt.Errorf("duration keyword %s already defined", strType) + return + } + parsed[durationType] = durationValue + } + + d = now. + AddDate(parsed[years], parsed[months], parsed[days]+7*parsed[weeks]). + Add(time.Duration(parsed[hours])*time.Hour + + time.Duration(parsed[minutes])*time.Minute + + time.Duration(parsed[seconds])*time.Second) + return +} diff --git a/tools/duration_test.go b/tools/duration_test.go new file mode 100644 index 0000000..4831193 --- /dev/null +++ b/tools/duration_test.go @@ -0,0 +1,86 @@ +package tools_test + +import ( + "strings" + "testing" + "time" + + "github.com/niclabs/dns-tools/tools" +) + +type DurationTestCase struct { + str string + years int + months int + weeks int + days int + hours int + mins int + secs int + err string +} + +var testCases []DurationTestCase = []DurationTestCase{ + { + str: "6 months", + months: 6, + }, + { + str: "5 years 3 months 3 weeks 2 days 15 hours 7 mins 4 secs", + years: 5, + months: 3, + weeks: 3, + days: 2, + hours: 15, + mins: 7, + secs: 4, + }, + { + str: "9 y, 7 min, 4 s", + years: 9, + mins: 7, + secs: 4, + }, + { + str: "4 secs 3 hours 1 year 3 secs", + err: "already defined", + }, + { + str: "one second", + err: "cannot parse duration value", + }, + { + str: "5 milleniums", + err: "unknown duration keyword", + }, + { + str: "-2 years", + err: "is negative", + }, +} + +func Test_DurationToTime(t *testing.T) { + now := time.Now() + for _, test := range testCases { + parsedDate, err := tools.DurationToTime(now, test.str) + if err != nil { + t.Logf("\"%s\" is not parseable: %s", test.str, err) + if !strings.Contains(err.Error(), test.err) { + t.Logf("expected error %s but %s was obtained", test.err, err) + t.Fail() + } + continue + } + expectedDate := now. + AddDate(test.years, test.months, test.days+7*test.weeks). + Add(time.Duration(test.hours)*time.Hour + + time.Duration(test.mins)*time.Minute + + time.Duration(test.secs)*time.Second) + if !expectedDate.Equal(parsedDate) { + t.Logf("%s is equal to %s and not to %s", test.str, parsedDate, expectedDate) + t.Fail() + return + } + t.Logf("%s is equal to %s", test.str, expectedDate.String()) + } +} diff --git a/tools/file_session.go b/tools/file_session.go index 73f7093..84924c2 100644 --- a/tools/file_session.go +++ b/tools/file_session.go @@ -58,9 +58,9 @@ func (session *FileSession) GetPublicKeyBytes(keys *SigKeys) (zskBytes, kskBytes var keyFun func(signer crypto.Signer) ([]byte, error) ctx := session.Context() switch ctx.SignAlgorithm { - case RSA_SHA256: + case RsaSha256: keyFun = session.getRSAPubKeyBytes - case ECDSA_P256_SHA256: + case EcdsaP256Sha256: keyFun = session.getECDSAPubKeyBytes default: err = fmt.Errorf("undefined sign algorithm") @@ -89,7 +89,7 @@ func (session *FileSession) generateKeys() (err error) { ctx := session.Context() var zskBytes, kskBytes []byte switch ctx.SignAlgorithm { - case RSA_SHA256: + case RsaSha256: kskBytes, err = session.generateRSAKey(2048) if err != nil { return @@ -102,7 +102,7 @@ func (session *FileSession) generateKeys() (err error) { } session.zskFile.Write(zskBytes) session.zskFile.Seek(0, io.SeekStart) - case ECDSA_P256_SHA256: + case EcdsaP256Sha256: kskBytes, err = session.generateECDSAKey() if err != nil { return diff --git a/tools/file_signer.go b/tools/file_signer.go index 306f28a..19002c9 100644 --- a/tools/file_signer.go +++ b/tools/file_signer.go @@ -16,14 +16,14 @@ type fileRRSigner struct { func (signer *fileRRSigner) Public() crypto.PublicKey { ctx := signer.Session.Context() switch ctx.SignAlgorithm { - case RSA_SHA256: + case RsaSha256: rsaKey, ok := signer.Key.(*rsa.PrivateKey) if !ok { return nil } pubKey := rsaKey.Public() return pubKey - case ECDSA_P256_SHA256: + case EcdsaP256Sha256: ecdsaKey, ok := signer.Key.(*ecdsa.PrivateKey) if !ok { return nil @@ -36,13 +36,13 @@ func (signer *fileRRSigner) Public() crypto.PublicKey { func (signer *fileRRSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { ctx := signer.Session.Context() switch ctx.SignAlgorithm { - case RSA_SHA256: + case RsaSha256: rsaKey, ok := signer.Key.(*rsa.PrivateKey) if !ok { return nil, fmt.Errorf("wrong key type") } return rsaKey.Sign(rand, digest, opts) - case ECDSA_P256_SHA256: + case EcdsaP256Sha256: ecdsaKey, ok := signer.Key.(*ecdsa.PrivateKey) if !ok { return nil, fmt.Errorf("wrong key type") diff --git a/tools/file_signer_test.go b/tools/file_signer_test.go index 81237b3..976f934 100644 --- a/tools/file_signer_test.go +++ b/tools/file_signer_test.go @@ -2,11 +2,12 @@ package tools_test import ( "fmt" - "github.com/niclabs/dns-tools/tools" "io" "strings" "testing" "time" + + "github.com/niclabs/dns-tools/tools" ) type vFile struct { @@ -60,7 +61,7 @@ func TestSession_FileRSASign(t *testing.T) { NSEC3: false, OptOut: false, }, - SignAlgorithm: tools.RSA_SHA256, + SignAlgorithm: tools.RsaSha256, Log: Log, } zsk := &vFile{data: []byte(RSAZSK)} @@ -90,7 +91,7 @@ func TestSession_FileRSASignNSEC3(t *testing.T) { NSEC3: true, OptOut: false, }, - SignAlgorithm: tools.RSA_SHA256, + SignAlgorithm: tools.RsaSha256, Log: Log, } zsk := &vFile{data: []byte(RSAZSK)} @@ -120,7 +121,7 @@ func TestSession_FileRSASignNSEC3OptOut(t *testing.T) { NSEC3: true, OptOut: true, }, - SignAlgorithm: tools.RSA_SHA256, + SignAlgorithm: tools.RsaSha256, Log: Log, } zsk := &vFile{data: []byte(RSAZSK)} @@ -150,7 +151,7 @@ func TestSession_FileECDSASign(t *testing.T) { NSEC3: false, OptOut: false, }, - SignAlgorithm: tools.ECDSA_P256_SHA256, + SignAlgorithm: tools.EcdsaP256Sha256, Log: Log, } zsk := &vFile{data: []byte(ECZSK)} @@ -180,7 +181,7 @@ func TestSession_FileECDSASignNSEC3(t *testing.T) { NSEC3: true, OptOut: false, }, - SignAlgorithm: tools.ECDSA_P256_SHA256, + SignAlgorithm: tools.EcdsaP256Sha256, Log: Log, } zsk := &vFile{data: []byte(ECZSK)} @@ -210,7 +211,7 @@ func TestSession_FileECDSASignNSEC3OptOut(t *testing.T) { NSEC3: true, OptOut: true, }, - SignAlgorithm: tools.ECDSA_P256_SHA256, + SignAlgorithm: tools.EcdsaP256Sha256, Log: Log, } zsk := &vFile{data: []byte(ECZSK)} @@ -235,15 +236,14 @@ func TestSession_FileECDSASignNSEC3OptOut(t *testing.T) { func TestSession_FileExpiredSig(t *testing.T) { ctx := &tools.Context{ Config: &tools.ContextConfig{ - Zone: zone, - CreateKeys: true, - NSEC3: false, - OptOut: false, + Zone: zone, + CreateKeys: true, + NSEC3: false, + OptOut: false, + RRSIGExpDate: time.Now().AddDate(-1, 0, 0), }, Log: Log, - SignAlgorithm: tools.ECDSA_P256_SHA256, - KSKExpDate: time.Now().AddDate(-1, 0, 0), - ZSKExpDate: time.Now().AddDate(-1, 0, 0), + SignAlgorithm: tools.EcdsaP256Sha256, } zsk := &vFile{data: []byte(ECZSK)} ksk := &vFile{data: []byte(ECKSK)} diff --git a/tools/pkcs11_session.go b/tools/pkcs11_session.go index 9f0c657..c4e9473 100644 --- a/tools/pkcs11_session.go +++ b/tools/pkcs11_session.go @@ -5,8 +5,9 @@ import ( "encoding/asn1" "encoding/binary" "fmt" - "github.com/miekg/pkcs11" "time" + + "github.com/miekg/pkcs11" ) // PKCS11Session represents a PKCS#11 session. It includes the context, the session handle and a Label String, @@ -20,7 +21,7 @@ type PKCS11Session struct { Key string // Signature key } -// Returns the session context +// Context Returns the session context func (session *PKCS11Session) Context() *Context { return session.ctx } @@ -48,21 +49,21 @@ func (session *PKCS11Session) GetKeys() (keys *SigKeys, err error) { if err = session.expireKeys(keys); err != nil { return } - if err = session.generateSigners(keys); err != nil { + if err = session.generateSigners(keys, ctx.Config.ZSKExpDate, ctx.Config.KSKExpDate); err != nil { return } } return } -// Returns bytestrings of public zsk and ksk keys. +// GetPublicKeyBytes returns bytestrings of public zsk and ksk keys. func (session *PKCS11Session) GetPublicKeyBytes(keys *SigKeys) (zskBytes, kskBytes []byte, err error) { var keyFun func(signer crypto.Signer) ([]byte, error) ctx := session.Context() switch ctx.SignAlgorithm { - case RSA_SHA256: + case RsaSha256: keyFun = session.getRSAPubKeyBytes - case ECDSA_P256_SHA256: + case EcdsaP256Sha256: keyFun = session.getECDSAPubKeyBytes default: err = fmt.Errorf("undefined sign algorithm") @@ -145,13 +146,12 @@ func (session *PKCS11Session) expireKeys(keys *SigKeys) error { return session.expirePKCS11Key(keys.kskSigner) } -func (session *PKCS11Session) generateSigners(keys *SigKeys) error { - defaultExpDate := time.Now().AddDate(1, 0, 0) // TODO: allow to config this? +func (session *PKCS11Session) generateSigners(keys *SigKeys, zskExpDate, kskExpDate time.Time) error { session.ctx.Log.Printf("generating zsk") public, private, err := session.generateKeyPair( "zsk", true, - defaultExpDate) + zskExpDate) if err != nil { return err } @@ -159,14 +159,14 @@ func (session *PKCS11Session) generateSigners(keys *SigKeys) error { Session: session, PK: public, SK: private, - ExpDate: defaultExpDate, + ExpDate: zskExpDate, } session.ctx.Log.Printf("generating ksk") public, private, err = session.generateKeyPair( "ksk", true, - defaultExpDate) + kskExpDate) if err != nil { return err } @@ -174,7 +174,7 @@ func (session *PKCS11Session) generateSigners(keys *SigKeys) error { Session: session, PK: public, SK: private, - ExpDate: defaultExpDate, + ExpDate: kskExpDate, } session.ctx.Log.Printf("keys generated") return nil @@ -185,7 +185,7 @@ func (session *PKCS11Session) generateSigners(keys *SigKeys) error { func (session *PKCS11Session) generateKeyPair(label string, tokenPersistent bool, expDate time.Time) (pk, sk pkcs11.ObjectHandle, err error) { ctx := session.Context() switch ctx.SignAlgorithm { - case RSA_SHA256: + case RsaSha256: bitSize := 1024 if label == "ksk" { bitSize = 2048 @@ -196,7 +196,7 @@ func (session *PKCS11Session) generateKeyPair(label string, tokenPersistent bool expDate, bitSize, ) - case ECDSA_P256_SHA256: + case EcdsaP256Sha256: return session.genECDSAKeyPair( label, tokenPersistent, @@ -267,7 +267,7 @@ func (session *PKCS11Session) searchValidKeys() (*SigKeys, error) { for _, object := range objects { attr, err := session.P11Context.GetAttributeValue(session.Handle, object, DateTemplate) if err != nil { - return nil, fmt.Errorf("cannot get attributes: %s\n", err) + return nil, fmt.Errorf("cannot get attributes: %s", err) } class := uint(binary.LittleEndian.Uint32(attr[0].Value)) id := string(attr[1].Value) diff --git a/tools/pkcs11_signer.go b/tools/pkcs11_signer.go index 9c37ff9..e638d46 100644 --- a/tools/pkcs11_signer.go +++ b/tools/pkcs11_signer.go @@ -4,10 +4,11 @@ import ( "crypto" "encoding/asn1" "fmt" - "github.com/miekg/pkcs11" "io" "math/big" "time" + + "github.com/miekg/pkcs11" ) // This prefixes are used for PKCS#1 padding of signatures. @@ -19,16 +20,19 @@ var pkcs1Prefix = map[crypto.Hash][]byte{ crypto.SHA512: {0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}, } +// PKCS11RRSigner represents a signer using a PKCS11 device to sign and store the keys type PKCS11RRSigner struct { Session *PKCS11Session // PKCS#11 PKCS11Session SK, PK pkcs11.ObjectHandle // Secret and Public PKCS11Key handles ExpDate time.Time // Expiration Date of the key } +// Public returns the public key related to the signer func (rs *PKCS11RRSigner) Public() crypto.PublicKey { return rs.PK } +// Sign signs a wire-format ww set. func (rs *PKCS11RRSigner) Sign(rand io.Reader, rr []byte, opts crypto.SignerOpts) ([]byte, error) { if rs.Session == nil || rs.Session.P11Context == nil { return nil, fmt.Errorf("session not initialized") @@ -37,7 +41,7 @@ func (rs *PKCS11RRSigner) Sign(rand io.Reader, rr []byte, opts crypto.SignerOpts T := make([]byte, 0) ctx := rs.Session.Context() switch ctx.SignAlgorithm { - case RSA_SHA256: + case RsaSha256: // Inspired in https://github.com/ThalesIgnite/crypto11/blob/38ef75346a1dc2094ffdd919341ef9827fb041c0/rsa.go#L281 oid := pkcs1Prefix[opts.HashFunc()] T = make([]byte, len(oid)+len(rr)) @@ -46,7 +50,7 @@ func (rs *PKCS11RRSigner) Sign(rand io.Reader, rr []byte, opts crypto.SignerOpts mechanisms = []*pkcs11.Mechanism{ pkcs11.NewMechanism(pkcs11.CKM_RSA_PKCS, nil), } - case ECDSA_P256_SHA256: + case EcdsaP256Sha256: T = rr mechanisms = []*pkcs11.Mechanism{ pkcs11.NewMechanism(pkcs11.CKM_ECDSA, nil), @@ -62,7 +66,7 @@ func (rs *PKCS11RRSigner) Sign(rand io.Reader, rr []byte, opts crypto.SignerOpts if err != nil { return nil, err } - if ctx.SignAlgorithm == ECDSA_P256_SHA256 { + if ctx.SignAlgorithm == EcdsaP256Sha256 { r, s := big.NewInt(0).SetBytes(sig[:32]), big.NewInt(0).SetBytes(sig[32:]) sig, err = asn1.Marshal(struct{ R, S *big.Int }{r, s}) if err != nil { diff --git a/tools/pkcs11_signer_test.go b/tools/pkcs11_signer_test.go index 76e21d1..8a0d9f4 100644 --- a/tools/pkcs11_signer_test.go +++ b/tools/pkcs11_signer_test.go @@ -2,12 +2,18 @@ package tools_test import ( "fmt" - "github.com/niclabs/dns-tools/tools" "strings" "testing" "time" + + "github.com/niclabs/dns-tools/tools" ) +// Using default softHSM configuration. Change it if necessary. +const p11Lib = "/usr/lib/softhsm/libsofthsm2.so" // Path used by Ubuntu Bionic Beaver +const p11Key = "1234" +const p11Label = "hsm" + func TestSession_PKCS11RSASign(t *testing.T) { ctx := &tools.Context{ Config: &tools.ContextConfig{ @@ -16,10 +22,10 @@ func TestSession_PKCS11RSASign(t *testing.T) { NSEC3: false, OptOut: false, }, - SignAlgorithm: tools.RSA_SHA256, + SignAlgorithm: tools.RsaSha256, Log: Log, } - session, err := ctx.NewPKCS11Session(key, rsaLabel, p11Lib) + session, err := ctx.NewPKCS11Session(p11Key, p11Label, p11Lib) if err != nil { t.Errorf("%s", err) return @@ -44,10 +50,10 @@ func TestSession_PKCS11RSASignNSEC3(t *testing.T) { NSEC3: true, OptOut: false, }, - SignAlgorithm: tools.RSA_SHA256, + SignAlgorithm: tools.RsaSha256, Log: Log, } - session, err := ctx.NewPKCS11Session(key, rsaLabel, p11Lib) + session, err := ctx.NewPKCS11Session(p11Key, p11Label, p11Lib) if err != nil { t.Errorf("%s", err) return @@ -72,10 +78,10 @@ func TestSession_PKCS11RSASignNSEC3OptOut(t *testing.T) { NSEC3: true, OptOut: true, }, - SignAlgorithm: tools.RSA_SHA256, + SignAlgorithm: tools.RsaSha256, Log: Log, } - session, err := ctx.NewPKCS11Session(key, rsaLabel, p11Lib) + session, err := ctx.NewPKCS11Session(p11Key, p11Label, p11Lib) if err != nil { t.Errorf("%s", err) return @@ -100,10 +106,10 @@ func TestSession_PKCS11ECDSASign(t *testing.T) { NSEC3: false, OptOut: false, }, - SignAlgorithm: tools.ECDSA_P256_SHA256, + SignAlgorithm: tools.EcdsaP256Sha256, Log: Log, } - session, err := ctx.NewPKCS11Session(key, rsaLabel, p11Lib) + session, err := ctx.NewPKCS11Session(p11Key, p11Label, p11Lib) if err != nil { t.Errorf("%s", err) return @@ -128,10 +134,10 @@ func TestSession_PKCS11ECDSASignNSEC3(t *testing.T) { NSEC3: true, OptOut: false, }, - SignAlgorithm: tools.ECDSA_P256_SHA256, + SignAlgorithm: tools.EcdsaP256Sha256, Log: Log, } - session, err := ctx.NewPKCS11Session(key, rsaLabel, p11Lib) + session, err := ctx.NewPKCS11Session(p11Key, p11Label, p11Lib) if err != nil { t.Errorf("%s", err) return @@ -156,10 +162,10 @@ func TestSession_PKCS11ECDSASignNSEC3OptOut(t *testing.T) { NSEC3: true, OptOut: true, }, - SignAlgorithm: tools.ECDSA_P256_SHA256, + SignAlgorithm: tools.EcdsaP256Sha256, Log: Log, } - session, err := ctx.NewPKCS11Session(key, rsaLabel, p11Lib) + session, err := ctx.NewPKCS11Session(p11Key, p11Label, p11Lib) if err != nil { t.Errorf("%s", err) return @@ -179,17 +185,16 @@ func TestSession_PKCS11ECDSASignNSEC3OptOut(t *testing.T) { func TestSession_PKCS11ExpiredSig(t *testing.T) { ctx := &tools.Context{ Config: &tools.ContextConfig{ - Zone: zone, - CreateKeys: true, - NSEC3: false, - OptOut: false, + Zone: zone, + CreateKeys: true, + NSEC3: false, + OptOut: false, + RRSIGExpDate: time.Now().AddDate(-1, 0, 0), }, - SignAlgorithm: tools.ECDSA_P256_SHA256, + SignAlgorithm: tools.EcdsaP256Sha256, Log: Log, - KSKExpDate: time.Now().AddDate(-1, 0, 0), - ZSKExpDate: time.Now().AddDate(-1, 0, 0), } - session, err := ctx.NewPKCS11Session(key, rsaLabel, p11Lib) + session, err := ctx.NewPKCS11Session(p11Key, p11Label, p11Lib) if err != nil { t.Errorf("%s", err) return diff --git a/tools/rr_set.go b/tools/rr_set.go index 1aac14e..a7f963e 100644 --- a/tools/rr_set.go +++ b/tools/rr_set.go @@ -3,9 +3,10 @@ package tools import ( "bytes" "fmt" - "github.com/miekg/dns" "sort" "strings" + + "github.com/miekg/dns" ) // RRArray represents an array of rrs @@ -317,7 +318,6 @@ func sameRRSet(rr1, rr2 dns.RR, byType bool) bool { func (array RRArray) String() string { if len(array) == 0 { return "" - } else { - return fmt.Sprintf("%s#%s#%s", array[0].Header().Name, dns.ClassToString[array[0].Header().Class], dns.TypeToString[array[0].Header().Rrtype]) } + return fmt.Sprintf("%s#%s#%s", array[0].Header().Name, dns.ClassToString[array[0].Header().Class], dns.TypeToString[array[0].Header().Rrtype]) } diff --git a/tools/sign_algorithm.go b/tools/sign_algorithm.go index 975137d..c5a28fe 100644 --- a/tools/sign_algorithm.go +++ b/tools/sign_algorithm.go @@ -4,16 +4,17 @@ package tools // The numbers are the same the RFC defined for the algorithms. type SignAlgorithm uint8 +// Signing algorithms const ( - RSA_SHA256 = 8 // RSA SHA256 - ECDSA_P256_SHA256 = 13 // ECDSA P256 SHA256 + RsaSha256 = 8 // RSA SHA256 + EcdsaP256Sha256 = 13 // ECDSA P256 SHA256 ) // StringToSignAlgorithm takes the name of an algorithm var StringToSignAlgorithm = map[string]SignAlgorithm{ - "rsa": RSA_SHA256, // Default RSA case - "rsa_sha256": RSA_SHA256, // Complete name - "ecdsa": ECDSA_P256_SHA256, // Default ECDSA case - "ecdsa_p256": ECDSA_P256_SHA256, // Alias for ecdsa_p256_sha256 - "ecdsa_p256_sha256": ECDSA_P256_SHA256, // Complete name + "rsa": RsaSha256, // Default RSA case + "rsa_sha256": RsaSha256, // Complete name + "ecdsa": EcdsaP256Sha256, // Default ECDSA case + "ecdsa_p256": EcdsaP256Sha256, // Alias for ecdsa_p256_sha256 + "ecdsa_p256_sha256": EcdsaP256Sha256, // Complete name } diff --git a/tools/sign_session.go b/tools/sign_session.go index 1901124..cc2f6b5 100644 --- a/tools/sign_session.go +++ b/tools/sign_session.go @@ -4,8 +4,9 @@ import ( "crypto" "encoding/base64" "fmt" - "github.com/miekg/dns" "sort" + + "github.com/miekg/dns" ) // ErrNoValidKeys represents an error returned when the session does not have valid keys @@ -80,7 +81,7 @@ func Sign(session SignSession) (ds *dns.DS, err error) { for try := 1; try <= numTries; try++ { rrSig := CreateNewRRSIG(ctx.Config.Zone, zsk, - ctx.ZSKExpDate, + ctx.Config.RRSIGExpDate, v[0].Header().Ttl) ctx.Log.Printf("[Signature %d/%d] Creating RRSig for RRSet %s", i+1, len(rrSet)+1, v.String()) err = rrSig.Sign(keys.zskSigner, v) @@ -88,10 +89,9 @@ func Sign(session SignSession) (ds *dns.DS, err error) { err = fmt.Errorf("cannot sign RRSig: %s", err) if try == numTries { return - } else { - ctx.Log.Printf("%s. Retrying...", err) - continue } + ctx.Log.Printf("%s. Retrying...", err) + continue } ctx.Log.Printf("[Signature %d/%d] Verifying RRSig for RRSet %s\n", i+1, len(rrSet)+1, v.String()) err = rrSig.Verify(zsk, v) @@ -99,10 +99,9 @@ func Sign(session SignSession) (ds *dns.DS, err error) { err = fmt.Errorf("cannot check RRSig: %s", err) if try == numTries { return - } else { - ctx.Log.Printf("%s. Retrying...", err) - continue } + ctx.Log.Printf("%s. Retrying...", err) + continue } ctx.rrs = append(ctx.rrs, rrSig) break @@ -113,7 +112,7 @@ func Sign(session SignSession) (ds *dns.DS, err error) { rrDNSKeySig := CreateNewRRSIG(ctx.Config.Zone, ksk, - ctx.KSKExpDate, + ctx.Config.RRSIGExpDate, ksk.Hdr.Ttl) ctx.Log.Printf("[Signature %d/%d] Creating RRSig for DNSKEY", len(rrSet)+1, len(rrSet)+1) err = rrDNSKeySig.Sign(keys.kskSigner, rrDNSKeys) @@ -140,7 +139,8 @@ func Sign(session SignSession) (ds *dns.DS, err error) { } rrSig := CreateNewRRSIG( ctx.Config.Zone, - zsk, ctx.ZSKExpDate, + zsk, + ctx.Config.RRSIGExpDate, ctx.zonemd.Header().Ttl, ) ctx.Log.Printf("Signing new zone digest...") diff --git a/tools/signer_test.go b/tools/signer_test.go index db1b287..98e381c 100644 --- a/tools/signer_test.go +++ b/tools/signer_test.go @@ -9,10 +9,6 @@ import ( "github.com/niclabs/dns-tools/tools" ) -// Using default softHSM configuration. Change it if necessary. -const p11Lib = "/usr/lib/softhsm/libsofthsm2.so" // Path used by Ubuntu Bionic Beaver -const key = "1234" -const rsaLabel = "hsm" const zone = "example.com." const fileString = ` diff --git a/tools/utils.go b/tools/utils.go index 4f6ede0..7e40c99 100644 --- a/tools/utils.go +++ b/tools/utils.go @@ -6,11 +6,12 @@ import ( "encoding/asn1" "encoding/binary" "fmt" - "github.com/miekg/dns" - "github.com/miekg/pkcs11" "sort" "strings" "time" + + "github.com/miekg/dns" + "github.com/miekg/pkcs11" ) // CreateNewDNSKEY creates a new DNSKEY RR, using the parameters provided. @@ -31,9 +32,6 @@ func CreateNewDNSKEY(zone string, flags uint16, algorithm uint8, ttl uint32, pub // CreateNewRRSIG creates a new RRSIG RR, using the parameters provided. func CreateNewRRSIG(zone string, dnsKeyRR *dns.DNSKEY, expDate time.Time, rrSetTTL uint32) *dns.RRSIG { - if expDate.IsZero() { - expDate = time.Now().AddDate(1, 0, 0) - } return &dns.RRSIG{ Hdr: dns.RR_Header{ // Uses RRset TTL, not key TTL @@ -55,7 +53,7 @@ func generateSalt() (string, error) { if err != nil { return "", err } - return fmt.Sprintf("%x",b), nil + return fmt.Sprintf("%x", b), nil } // removeDuplicates removes the duplicates from an array of object handles. @@ -124,7 +122,6 @@ func ecdsaPublicKeyToBytes(ecPoint []byte) ([]byte, error) { } - func newTypeArray(typeMap map[uint16]bool) []uint16 { typeArray := make([]uint16, 0) for k := range typeMap { @@ -135,4 +132,4 @@ func newTypeArray(typeMap map[uint16]bool) []uint16 { return typeArray[i] < typeArray[j] }) return typeArray -} \ No newline at end of file +}