[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r3784 - trunk/OpenDNSSEC/signer/src/signer

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Aug 25 13:20:13 CEST 2010


Author: matthijs
Date: 2010-08-25 13:20:13 +0200 (Wed, 25 Aug 2010)
New Revision: 3784

Modified:
   trunk/OpenDNSSEC/signer/src/signer/hsm.c
   trunk/OpenDNSSEC/signer/src/signer/hsm.h
   trunk/OpenDNSSEC/signer/src/signer/se_key.c
   trunk/OpenDNSSEC/signer/src/signer/se_key.h
   trunk/OpenDNSSEC/signer/src/signer/zone.c
Log:
This should speed things up; Pivotal story: http://www.pivotaltracker.com/story/show/4693887

Modified: trunk/OpenDNSSEC/signer/src/signer/hsm.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/hsm.c	2010-08-25 09:27:49 UTC (rev 3783)
+++ trunk/OpenDNSSEC/signer/src/signer/hsm.c	2010-08-25 11:20:13 UTC (rev 3784)
@@ -38,39 +38,45 @@
  * Get key from one of the HSMs.
  *
  */
-ldns_rr*
+int
 hsm_get_key(hsm_ctx_t* ctx, ldns_rdf* dname, key_type* key_id)
 {
-    hsm_sign_params_t* params;
-    hsm_key_t* hsmkey;
-    ldns_rr* rrkey = NULL;
-    int error = 0;
-
     se_log_assert(dname);
     se_log_assert(key_id);
 
-    params = hsm_sign_params_new();
-    params->owner = ldns_rdf_clone(dname);
-    params->algorithm = key_id->algorithm;
-    params->flags = key_id->flags;
+    if (!key_id->params) {
+        key_id->params = hsm_sign_params_new();
+        if (key_id->params) {
+            key_id->params->owner = ldns_rdf_clone(dname);
+            key_id->params->algorithm = key_id->algorithm;
+            key_id->params->flags = key_id->flags;
+        } else {
+            /* could not create params */
+            se_log_error("could not create params for key %s",
+                key_id->locator?key_id->locator:"(null)");
+            return 1;
+        }
+    }
 
     /* lookup key */
-    hsmkey = hsm_find_key_by_id(ctx, key_id->locator);
-    if (hsmkey) {
-        rrkey = hsm_get_dnskey(ctx, hsmkey, params);
-        hsm_key_free(hsmkey);
-    } else {
-        /* could not find key */
-        se_log_error("could not find key %s",
-            key_id->locator?key_id->locator:"(null)");
-        error = 1;
+    if (!key_id->hsmkey) {
+        key_id->hsmkey = hsm_find_key_by_id(ctx, key_id->locator);
+
+        if (key_id->hsmkey) {
+            key_id->dnskey = hsm_get_dnskey(ctx, key_id->hsmkey,
+                key_id->params);
+        } else {
+            /* could not find key */
+            se_log_error("could not find key %s",
+                key_id->locator?key_id->locator:"(null)");
+            return 1;
+        }
     }
-    hsm_sign_params_free(params);
 
-    if (error == 0) {
-        return rrkey;
+    if (!key_id->dnskey) {
+        return 1;
     }
-    return NULL;
+    return 0;
 }
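Review bot: When the HSM lookup succeeds but hsm_get_dnskey() returns NULL, key_id->hsmkey stays cached and the function falls through to the final `if (!key_id->dnskey) return 1;` without any log line, and every later call for that key skips the lookup branch and fails silently. I would log there, e.g. `se_log_error("could not create DNSKEY for key %s", key_id->locator?key_id->locator:"(null)");`, and either free and clear key_id->hsmkey on that path so the next call retries, or add a comment stating that the failure is meant to be sticky. The result of `ldns_rdf_clone(dname)` stored in params->owner is still unchecked, as it was in the old code.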
 
 /**
@@ -81,46 +87,18 @@
 hsm_sign_rrset_with_key(hsm_ctx_t* ctx, ldns_rdf* dname, key_type* key_id,
     ldns_rr_list* rrset, time_t inception, time_t expiration)
 {
-    hsm_sign_params_t* params;
-    hsm_key_t* hsmkey;
-    ldns_rr* rrkey = NULL;
-    ldns_rr* rrsig = NULL;
-    int error = 0;
-
     se_log_assert(dname);
     se_log_assert(key_id);
+    se_log_assert(key_id->dnskey);
+    se_log_assert(key_id->hsmkey);
+    se_log_assert(key_id->params);
     se_log_assert(rrset);
     se_log_assert(inception);
     se_log_assert(expiration);
 
-    /* lookup key */
-    hsmkey = hsm_find_key_by_id(ctx, key_id->locator);
-    if (hsmkey) {
-        params = hsm_sign_params_new();
-        params->owner = ldns_rdf_clone(dname);
-        params->algorithm = key_id->algorithm;
-        params->flags = key_id->flags;
+    key_id->params->keytag = ldns_calc_keytag(key_id->dnskey);
+    key_id->params->inception = inception;
+    key_id->params->expiration = expiration;
 
-        rrkey = hsm_get_dnskey(ctx, hsmkey, params);
-
-        params->keytag = ldns_calc_keytag(rrkey);
-        params->inception = inception;
-        params->expiration = expiration;
-
-        rrsig = hsm_sign_rrset(ctx, rrset, hsmkey, params);
-
-        ldns_rr_free(rrkey);
-        hsm_sign_params_free(params);
-        hsm_key_free(hsmkey);
-    } else {
-        /* could not find key */
-        se_log_error("could not find key %s",
-            key_id->locator?key_id->locator:"(null)");
-        error = 1;
-    }
-
-    if (error == 0) {
-        return rrsig;
-    }
-    return NULL;
+    return hsm_sign_rrset(ctx, rrset, key_id->hsmkey, key_id->params);
 }
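Review bot: `key_id->params->keytag = ldns_calc_keytag(key_id->dnskey);` is recomputed for every RRset signed although the DNSKEY is now cached per key; since this commit is about speed, the keytag could be computed once where key_id->dnskey is obtained and this line dropped. The dname parameter is now only asserted: the signature owner is whatever was cloned into key_id->params->owner when the key was fetched, so a caller passing a different dname silently gets the cached owner, and a comment on the function stating that dname must match the name given to hsm_get_key would make that contract visible. The three new se_log_assert() lines are the only guard against a key that was never fetched; if se_log_assert can be compiled out, hsm_sign_rrset() is handed NULL handles, so an explicit `if (!key_id->dnskey || !key_id->hsmkey || !key_id->params) return NULL;` would be the safer check.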

Modified: trunk/OpenDNSSEC/signer/src/signer/hsm.h
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/hsm.h	2010-08-25 09:27:49 UTC (rev 3783)
+++ trunk/OpenDNSSEC/signer/src/signer/hsm.h	2010-08-25 11:20:13 UTC (rev 3784)
@@ -45,14 +45,14 @@
 #include <libhsmdns.h>
 
 /**
- * Get key from one of the HSMs.
+ * Get key from one of the HSMs, store the DNSKEY and HSM key.
  * \param[in] ctx HSM context
  * \param[in] dname the zone owner name
  * \param[in] key_id key credentials
+ * \return int 0 on ok, 1 on error
  *
- * \return DNSKEY RR
  */
-ldns_rr* hsm_get_key(hsm_ctx_t* ctx, ldns_rdf* dname, key_type* key_id);
+int hsm_get_key(hsm_ctx_t* ctx, ldns_rdf* dname, key_type* key_id);
 
 /**
  * Get RRSIG from one of the HSMs, given a RRset and a key.
@@ -62,7 +62,7 @@
  * \param[in] rrset RRset to be signed
  * \param[in] inception signature inception
  * \param[in] expiration signature expiration
- * \return RRSIG rr
+ * \return ldns_rr* RRSIG rr
  *
  */
 ldns_rr* hsm_sign_rrset_with_key(hsm_ctx_t* ctx, ldns_rdf* dname, key_type* key_id,

Modified: trunk/OpenDNSSEC/signer/src/signer/se_key.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/se_key.c	2010-08-25 09:27:49 UTC (rev 3783)
+++ trunk/OpenDNSSEC/signer/src/signer/se_key.c	2010-08-25 11:20:13 UTC (rev 3784)
@@ -53,6 +53,8 @@
 
     key->locator = se_strdup(locator);
     key->dnskey = NULL;
+    key->hsmkey = NULL;
+    key->params = NULL;
     key->algorithm = algorithm;
     key->flags = flags;
     key->publish = publish;
@@ -83,6 +85,14 @@
             ldns_rr_free(key->dnskey);
             key->dnskey = NULL;
         }
+        if (key->hsmkey) {
+            hsm_key_free(key->hsmkey);
+            key->hsmkey = NULL;
+        }
+        if (key->params) {
+            hsm_sign_params_free(key->params);
+            key->params = NULL;
+        }
         se_free((void*)key);
     } else {
         se_log_warning("cleanup empty key");

Modified: trunk/OpenDNSSEC/signer/src/signer/se_key.h
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/se_key.h	2010-08-25 09:27:49 UTC (rev 3783)
+++ trunk/OpenDNSSEC/signer/src/signer/se_key.h	2010-08-25 11:20:13 UTC (rev 3784)
@@ -41,6 +41,8 @@
 # include <unistd.h>
 #endif
 #include <ldns/ldns.h>
+#include <libhsm.h>
+#include <libhsmdns.h>
 
 /**
  * Key.
@@ -50,6 +52,8 @@
 struct key_struct {
     char* locator;
     ldns_rr* dnskey;
+    hsm_key_t* hsmkey;
+    hsm_sign_params_t* params;
     uint32_t algorithm;
     uint32_t flags;
     int publish;
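Review bot: The new hsmkey and params fields carry no comment on ownership or lifetime, and since the cleanup path in se_key.c now frees both while hsm.c rewrites parts of params on every signing call, that is worth stating on the struct. I would annotate them as `hsm_key_t* hsmkey; /* cached HSM key handle, owned by this struct, released on key cleanup */` and `hsm_sign_params_t* params; /* cached signing params: owner/algorithm/flags set once, keytag/inception/expiration rewritten per signing call */`. The second comment also records that params is mutated during signing, which matters if a key is ever used from more than one thread.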

Modified: trunk/OpenDNSSEC/signer/src/signer/zone.c
===================================================================
--- trunk/OpenDNSSEC/signer/src/signer/zone.c	2010-08-25 09:27:49 UTC (rev 3783)
+++ trunk/OpenDNSSEC/signer/src/signer/zone.c	2010-08-25 11:20:13 UTC (rev 3784)
@@ -280,8 +280,8 @@
     for (count=0; count < zone->signconf->keys->count; count++) {
         if (key->publish) {
             if (!key->dnskey) {
-                key->dnskey = hsm_get_key(ctx, zone->dname, key);
-                if (!key->dnskey) {
+                error = hsm_get_key(ctx, zone->dname, key);
+                if (error) {
                     se_log_error("error creating DNSKEY for key %s",
                         key->locator?key->locator:"(null)");
                     error = 1;
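Review bot: `error = hsm_get_key(ctx, zone->dname, key);` reuses the loop's accumulated error flag as the per-call result, so if the loop continues to the next key after the logged failure (its tail is outside the hunk), the next iteration's assignment resets an earlier 1 back to 0 and the loop can end reporting success; the `error = 1;` inside the if is also redundant now that error already holds 1. Keeping the flag separate from the call, `if (hsm_get_key(ctx, zone->dname, key)) {` with the existing `error = 1;` left in place, preserves the old behaviour where a failure sticks for the rest of the loop. The enclosing function starts before this hunk.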



