Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DNSSEC signer #866

Merged
merged 36 commits into from
Dec 13, 2022
Merged

DNSSEC signer #866

merged 36 commits into from
Dec 13, 2022

Conversation

jschlyter
Copy link
Contributor

@jschlyter jschlyter commented Dec 7, 2022
edited
Loading

RRset signer

This PR implements a RRset signer via the following new functions:

  • make_dnskey() - convert a cryptography public key to DNSKEY Rdata (also available as Create DNSKEY from public key #864)
  • sign() - Sign RRset using a cryptography private key

Implementations Notes

The logic for calculating signature data (_make_rrsig_signature_data()) is shared between _validate_rrsig() and _sign().

Signer timestamps can be specified as datetime, string in YYYYmmddHHMMSS format or as an int/float.

The signer implements all RSA, DSA, ECDSA and EDDSA algorithms, but does not implement GOST.

Testing

  • Key test vectors generated using OpenSSL has been added to tests/keys.py. Matching DNSKEY RRs was generated using Knot DNS.
  • Signature testing implemented for all algorithms (generate key, sign, validate)

Closes #864
Discussed in #862

@jschlyter
first cut at key_to_dnskey
2cd9faf
@jschlyter
update docs
45b28ab
@jschlyter
typo
a6381b4
@jschlyter
use real test vectors for DNSKEY
25d7def
@jschlyter
comment
0a18479
@jschlyter
split
bbdc4b8
@jschlyter
add test for large exponent size
e53e8a2
@jschlyter
rename to make_dnskey
b9a59ea
@jschlyter
no default algorithm
02d09e8
@jschlyter
rename and add comment
1360525
@jschlyter
split out function to create rrsig signature data
bf412a1
@jschlyter
docs
5d9d5a1
@jschlyter
add type for public key
55b2293
@jschlyter
more typing
8b5306f
@jschlyter
make RSA exponent key test easier to read
3949ae4
@jschlyter
Merge branch 'make_dnskey' into rrset_signer
fba6599
@jschlyter
work in progress for dns.dnssec.sign
fdb620f
@jschlyter
better docs
1add4ba
@jschlyter
docs
6f5165d
@jschlyter
simplify
b4fde4b
@jschlyter
add test with RSASHA1
274b0eb
@jschlyter
initial support for DSA
041ac03
@jschlyter
update docs
576595b
@jschlyter
clean up DSA, t still not clear
f29ab89
@jschlyter
allow inception/expiration to be specified as datetime, string, float…
8b4e74f 
… or in
@jschlyter
allow rrset to be specified as a tuple
19e1029
@jschlyter
calculate dsa_t
e27468f
@jschlyter
reformat
3b7ede3
@jschlyter
more rrset tuple fixes
7b86191
@jschlyter
support DSA
faf8afd
@rthalley rthalley merged commit 6fa40bd into rthalley:master Dec 13, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jschlyter @rthalley