From 1bad8f831a9fd506516549ac7461f97c689a0c46 Mon Sep 17 00:00:00 2001
From: Daniel Salzman
Date: Mon, 11 Dec 2023 17:08:23 +0100
Subject: [PATCH] Revert "zone-sign: don't share PKCS 11 private keys by multiple signing threads"

This reverts commit 7d63e8e0825e03b8e0608e87b86968c452755c93.
---
 src/knot/dnssec/zone-keys.c | 38 +++----------------------------------
 src/libdnssec/key.h         |  4 ++--
 src/libdnssec/key/key.c     | 24 +----------------------
 tests/libdnssec/test_key.c  |  4 ++--
 4 files changed, 8 insertions(+), 62 deletions(-)

diff --git a/src/knot/dnssec/zone-keys.c b/src/knot/dnssec/zone-keys.c
index cd6bf0bb3..d5cccc759 100644
--- a/src/knot/dnssec/zone-keys.c
+++ b/src/knot/dnssec/zone-keys.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o.
+/* Copyright (C) 2022 CZ.NIC, z.s.p.o.
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -642,21 +642,6 @@ int zone_key_calculate_ds(zone_key_t *for_key, dnssec_key_digest_t digesttype,
 	return ret;
 }
 
-static int dup_zone_key(const zone_key_t *src, zone_key_t *dst)
-{
-	assert(src);
-	assert(dst);
-
-	*dst = *src;
-
-	dst->key = dnssec_key_dup(src->key);
-	if (dst->key == NULL) {
-		return KNOT_ENOMEM;
-	}
-
-	return KNOT_EOK;
-}
-
 zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t *dnssec_ctx)
 {
 	zone_sign_ctx_t *ctx = calloc(1, sizeof(*ctx) + keyset->count * sizeof(*ctx->sign_ctxs));
@@ -665,24 +650,11 @@ zone_sign_ctx_t *zone_sign_ctx(const zone_keyset_t *keyset, const kdnssec_ctx_t
 	}
 	ctx->sign_ctxs = (dnssec_sign_ctx_t **)(ctx + 1);
-
-	ctx->keys = calloc(keyset->count, sizeof(*ctx->keys));
-	if (ctx->keys == NULL) {
-		zone_sign_ctx_free(ctx);
-		return NULL;
-	}
 	ctx->count = keyset->count;
-
+	ctx->keys = keyset->keys;
 	ctx->dnssec_ctx = dnssec_ctx;
 
 	for (size_t i = 0; i < ctx->count; i++) {
-		// Clone the key to avoid thread contention on the key mutex.
-		int ret = dup_zone_key(&keyset->keys[i], &ctx->keys[i]);
-		if (ret != KNOT_EOK) {
-			zone_sign_ctx_free(ctx);
-			return NULL;
-		}
-
-		ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
+		int ret = dnssec_sign_new(&ctx->sign_ctxs[i], ctx->keys[i].key);
 		if (ret != DNSSEC_EOK) {
 			zone_sign_ctx_free(ctx);
 			return NULL;
@@ -719,12 +691,8 @@ void zone_sign_ctx_free(zone_sign_ctx_t *ctx)
 {
 	if (ctx != NULL) {
 		for (size_t i = 0; i < ctx->count; i++) {
-			if (ctx->keys != NULL) {
-				dnssec_key_free(ctx->keys[i].key);
-			}
 			dnssec_sign_free(ctx->sign_ctxs[i]);
 		}
-		free(ctx->keys);
 		free(ctx);
 	}
 }
diff --git a/src/libdnssec/key.h b/src/libdnssec/key.h
index aa8002b4a..2a69d377f 100644
--- a/src/libdnssec/key.h
+++ b/src/libdnssec/key.h
@@ -1,4 +1,4 @@
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o.
+/* Copyright (C) 2022 CZ.NIC, z.s.p.o.
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -134,7 +134,7 @@ void dnssec_key_free(dnssec_key_t *key);
 /*!
  * Create a copy of a DNSSEC key.
  *
- * Public key isn't duplicated.
+ * Only a public part of the key is copied.
  */
 dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key);
 
diff --git a/src/libdnssec/key/key.c b/src/libdnssec/key/key.c
index 4574bbefb..f36316712 100644
--- a/src/libdnssec/key/key.c
+++ b/src/libdnssec/key/key.c
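Review bot: `ctx->keys = keyset->keys;` makes every signing context borrow the keyset's key array, so a zone_sign_ctx_t is now only valid while the keyset it was built from is alive and, as the commit title says, the same dnssec_key_t and its underlying private-key handle are again used by several signing threads at once; neither constraint is stated anywhere in the hunk, and the commit message gives no reason for dropping the per-context copies. A comment on that line would spare the next reader a trip through history: `// Borrowed from the keyset (not owned, not freed here); the keyset must outlive this context and the keys must be safe for concurrent signing.` The zone_sign_ctx_free hunk below is consistent with this borrow (it no longer frees ctx->keys), and the body of zone_sign_ctx continues past the end of the hunk.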
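Review bot: The new doc line `Only a public part of the key is copied.` leaves unsaid what that means for the caller, which the key.c hunk of dnssec_key_dup shows: the duplicate never has a private key initialised, so it cannot be used for signing, and the test_key.c hunk asserts exactly that. Suggest ` * Only the public part of the key is copied; the duplicate carries no private key and cannot sign.` so a caller does not learn this only at sign time. The same remark applies to the key.c hunk, where a one-line comment above `return dup;` would make the omission visibly deliberate rather than looking like a missing branch.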
@@ -1,4 +1,4 @@
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o.
+/* Copyright (C) 2019 CZ.NIC, z.s.p.o.
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -141,28 +141,6 @@ dnssec_key_t *dnssec_key_dup(const dnssec_key_t *key)
 		return NULL;
 	}
 
-	if (key->private_key != NULL) {
-		gnutls_privkey_init(&dup->private_key);
-
-		gnutls_privkey_type_t type = gnutls_privkey_get_type(key->private_key);
-		if (type == GNUTLS_PRIVKEY_PKCS11) {
-#ifdef ENABLE_PKCS11
-			gnutls_pkcs11_privkey_t tmp;
-			gnutls_privkey_export_pkcs11(key->private_key, &tmp);
-			gnutls_privkey_import_pkcs11(dup->private_key, tmp,
-			                             GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
-#else
-			assert(0);
-#endif // ENABLE_PKCS11
-		} else {
-			assert(type == GNUTLS_PRIVKEY_X509);
-			gnutls_x509_privkey_t tmp;
-			gnutls_privkey_export_x509(key->private_key, &tmp);
-			gnutls_privkey_import_x509(dup->private_key, tmp,
-			                           GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
-		}
-	}
-
 	return dup;
 }
 
diff --git a/tests/libdnssec/test_key.c b/tests/libdnssec/test_key.c
index c3643f08c..cd0aaee0e 100644
--- a/tests/libdnssec/test_key.c
+++ b/tests/libdnssec/test_key.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2023 CZ.NIC, z.s.p.o.
+/* Copyright (C) 2021 CZ.NIC, z.s.p.o.
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -148,7 +148,7 @@ static void test_private_key(const key_parameters_t *params)
 
 	check_key_tag(copy, params);
 	check_key_size(copy, params);
-	check_usage(copy, true, true);
+	check_usage(copy, true, false);
 
 	dnssec_key_free(copy);
 	dnssec_key_free(key);
-- 
2.34.1
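Review bot: `check_usage(copy, true, false);` now encodes that a dnssec_key_dup() result has no private part, but inside a function named test_private_key the `false` reads like a stray edit rather than the contract being tested. A comment on that line would pin the intent: `// dnssec_key_dup() copies only the public part, so the copy must not be signing-capable.` test_private_key starts outside the hunk, so I cannot see whether the original key's usage is asserted earlier in the function.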