Commit e69dc0db authored by Ondřej Surý's avatar Ondřej Surý

Remove RSAMD5 support

parent 74f89574
......@@ -573,7 +573,7 @@ match_keyset_dsset(dns_rdataset_t *keyset, dns_rdataset_t *dsset,
ki->algo = dnskey.algorithm;
dns_rdata_toregion(keyrdata, &r);
ki->tag = dst_region_computeid(&r, ki->algo);
ki->tag = dst_region_computeid(&r);
ki->dst = NULL;
if (!match_key_dsset(ki, dsset, strictness)) {
......@@ -64,7 +64,7 @@ usage(void) {
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: \n"
" RSA | RSAMD5 | DH | RSASHA1 |\n"
" DH | RSASHA1 |\n"
" NSEC3RSASHA1 |\n"
" RSASHA256 | RSASHA512 |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384\n");
......@@ -382,22 +382,14 @@ main(int argc, char **argv) {
fatal("no algorithm specified");
}
if (strcasecmp(algname, "RSA") == 0) {
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
if (freeit != NULL)
free(freeit);
return (1);
} else {
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS)
fatal("unknown algorithm %s", algname);
if (alg == DST_ALG_DH)
options |= DST_TYPE_KEY;
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS) {
fatal("unknown algorithm %s", algname);
}
if (alg == DST_ALG_DH) {
options |= DST_TYPE_KEY;
}
if (use_nsec3) {
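Review bot: With the `strcasecmp(algname, "RSA")` branch deleted, `-a RSA` and (after this commit's SECALGNAMES change) `-a RSAMD5` both fall through to `fatal("unknown algorithm %s", algname)`, which reads like a typo rather than a retired algorithm for an operator still holding older keys. A two-line check ahead of `dns_secalg_fromtext`, e.g. `if (strcasecmp(algname, "RSA") == 0 || strcasecmp(algname, "RSAMD5") == 0) { fatal("RSAMD5 is no longer supported"); }`, keeps the message explicit; the dnssec-keygen hunk further down has the same situation. The removed branch also freed `freeit` before returning whereas the `fatal()` path does not — presumably moot if `fatal()` terminates the process, but worth confirming. main() begins and ends outside the hunk.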
......@@ -105,7 +105,7 @@
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
<option>algorithm</option> must be one of RSASHA1,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</para>
......@@ -79,14 +79,12 @@ usage(void) {
fprintf(stderr, "Options:\n");
fprintf(stderr, " -K <directory>: write keys into directory\n");
fprintf(stderr, " -a <algorithm>:\n");
fprintf(stderr, " RSA | RSAMD5 | RSASHA1 | NSEC3RSASHA1"
" |\n");
fprintf(stderr, " RSASHA1 | NSEC3RSASHA1 |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " ED25519 | ED448 | DH\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -b <key size in bits>:\n");
fprintf(stderr, " RSAMD5:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA);
......@@ -508,23 +506,14 @@ main(int argc, char **argv) {
fatal("no algorithm specified");
}
if (strcasecmp(algname, "RSA") == 0) {
fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n");
INSIST(freeit == NULL);
return (1);
} else {
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS) {
fatal("unknown algorithm %s", algname);
}
if (alg == DST_ALG_DH) {
options |= DST_TYPE_KEY;
}
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS) {
fatal("unknown algorithm %s", algname);
}
if (alg == DST_ALG_DH) {
options |= DST_TYPE_KEY;
}
if (!dst_algorithm_supported(alg)) {
......@@ -698,7 +687,6 @@ main(int argc, char **argv) {
}
switch (alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
......@@ -780,7 +768,6 @@ main(int argc, char **argv) {
}
switch(alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
case DNS_KEYALG_RSASHA256:
......@@ -122,7 +122,7 @@
<listitem>
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
of <option>algorithm</option> must be one of RSASHA1,
NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
......@@ -239,7 +239,7 @@ main(int argc, char **argv) {
* Remove old key file, if told to (and if
* it isn't the same as the new file)
*/
if (removefile && dst_key_alg(key) != DST_ALG_RSAMD5) {
if (removefile) {
isc_buffer_init(&buf, oldname, sizeof(oldname));
dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
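Review bot: The comment above `if (removefile)` still says the old file is removed only "if it isn't the same as the new file", but that qualifier was the deleted RSAMD5 test and no comparison of the two names remains. For the algorithms that are left, dst_region_computerid in this same commit ORs DNS_KEYFLAG_REVOKE into the first word before summing, so the tag and therefore the filename change on revocation; the comment should say that instead, e.g. `/* Remove old key file, if told to; the key tag changes once the REVOKE bit is set, so the old and new names differ. */`. main() continues outside the hunk.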
......@@ -777,8 +777,7 @@ dstkey_fromconfig(const cfg_obj_t *vconfig, const cfg_obj_t *key,
keystruct.datalen = r.length;
keystruct.data = r.base;
if ((keystruct.algorithm == DST_ALG_RSASHA1 ||
keystruct.algorithm == DST_ALG_RSAMD5) &&
if ((keystruct.algorithm == DST_ALG_RSASHA1) &&
r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
cfg_obj_log(key, named_g_lctx, ISC_LOG_WARNING,
"%s key '%s' has a weak exponent",
......@@ -14911,7 +14910,7 @@ mkey_dumpzone(dns_view_t *view, isc_buffer_t **text) {
dns_rdata_toregion(&rdata, &r);
isc_region_consume(&r, 12);
keyid = dst_region_computeid(&r, kd.algorithm);
keyid = dst_region_computeid(&r);
snprintf(buf, sizeof(buf), "\n keyid: %u", keyid);
CHECK(putstr(text, buf));
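Review bot: `if ((keystruct.algorithm == DST_ALG_RSASHA1) &&` keeps a pair of parentheses that only made sense around the former two-term disjunction; `if (keystruct.algorithm == DST_ALG_RSASHA1 &&` is the idiomatic form, and the check_trusted_key hunk below has the same leftover. While this condition is being rewritten it is worth deciding whether the weak-exponent warning (exponent 3, detected by `r.base[0] == 1 && r.base[1] == 3`) should remain RSASHA1-only: an exponent of 3 is just as small for NSEC3RSASHA1, RSASHA256 and RSASHA512, though the old condition never covered them either, so this is a pre-existing gap rather than a regression. dstkey_fromconfig begins and ends outside the hunk.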
......@@ -71,7 +71,7 @@ class PolicyLex:
return t
def t_ALGNAME(self, t):
r'(?i)\b(RSAMD5|DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
r'(?i)\b(DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
t.value = t.value.upper()
return t
......@@ -132,8 +132,7 @@ class Policy:
keyttl = None
coverage = None
directory = None
valid_key_sz_per_algo = {'RSAMD5': [1024, 4096],
'RSASHA1': [1024, 4096],
valid_key_sz_per_algo = {'RSASHA1': [1024, 4096],
'NSEC3RSASHA1': [512, 4096],
'RSASHA256': [1024, 4096],
'RSASHA512': [1024, 4096],
......@@ -322,10 +321,6 @@ class dnssec_policy:
# set default algorithm policies
# these can use default settings
self.alg_policy['RSAMD5'] = copy(p)
self.alg_policy['RSAMD5'].algorithm = "RSAMD5"
self.alg_policy['RSAMD5'].name = "RSAMD5"
self.alg_policy['RSASHA1'] = copy(p)
self.alg_policy['RSASHA1'].algorithm = "RSASHA1"
self.alg_policy['RSASHA1'].name = "RSASHA1"
......@@ -3132,7 +3132,7 @@ check_trusted_key(const cfg_obj_t *key, bool managed,
} else {
isc_buffer_usedregion(&b, &r);
if ((alg == DST_ALG_RSASHA1 || alg == DST_ALG_RSAMD5) &&
if ((alg == DST_ALG_RSASHA1) &&
r.length > 1 && r.base[0] == 1 && r.base[1] == 3)
cfg_obj_log(key, logctx, ISC_LOG_WARNING,
"%s key '%s' has a weak exponent",
......@@ -108,7 +108,7 @@ dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
ds.common.rdclass = key->rdclass;
ds.common.rdtype = dns_rdatatype_ds;
ds.algorithm = r.base[3];
ds.key_tag = dst_region_computeid(&r, ds.algorithm);
ds.key_tag = dst_region_computeid(&r);
ds.digest_type = digest_type;
ds.digest = digest;
ds.length = digestlen;
......@@ -143,8 +143,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
RETERR(dst__openssl_init(mctx, engine));
RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
#if USE_OPENSSL
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
DST_ALG_RSAMD5));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
DST_ALG_RSASHA1));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
......@@ -165,7 +163,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
#if USE_PKCS11
RETERR(dst__pkcs11_init(mctx, engine));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
......@@ -643,8 +640,8 @@ dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
proto = isc_buffer_getuint8(source);
alg = isc_buffer_getuint8(source);
id = dst_region_computeid(&r, alg);
rid = dst_region_computerid(&r, alg);
id = dst_region_computeid(&r);
rid = dst_region_computerid(&r);
if ((flags & DNS_KEYFLAG_EXTENDED) != 0) {
if (isc_buffer_remaininglength(source) < 2)
......@@ -986,8 +983,6 @@ comparekeys(const dst_key_t *key1, const dst_key_t *key2,
if (key1->key_id != key2->key_id) {
if (!match_revoked_key)
return (false);
if (key1->key_alg == DST_ALG_RSAMD5)
return (false);
if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
(key2->key_flags & DNS_KEYFLAG_REVOKE))
return (false);
......@@ -1143,7 +1138,6 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
......@@ -1473,7 +1467,6 @@ issymmetric(const dst_key_t *key) {
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
......@@ -1697,8 +1690,8 @@ computeid(dst_key_t *key) {
return (ret);
isc_buffer_usedregion(&dnsbuf, &r);
key->key_id = dst_region_computeid(&r, key->key_alg);
key->key_rid = dst_region_computerid(&r, key->key_alg);
key->key_id = dst_region_computeid(&r);
key->key_rid = dst_region_computerid(&r);
return (ISC_R_SUCCESS);
}
......@@ -186,7 +186,7 @@ check_rsa(const dst_private_t *priv, bool external) {
for (j = 0; j < priv->nelements; j++) {
for (i = 0; i < RSA_NTAGS; i++)
if (priv->elements[j].tag == TAG(DST_ALG_RSAMD5, i))
if (priv->elements[j].tag == TAG(DST_ALG_RSA, i))
break;
if (i == RSA_NTAGS)
return (-1);
......@@ -336,7 +336,7 @@ check_data(const dst_private_t *priv, const unsigned int alg,
{
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSA:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
......@@ -661,9 +661,6 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
/* XXXVIX this switch statement is too sparse to gen a jump table. */
switch (dst_key_alg(key)) {
case DST_ALG_RSAMD5:
fprintf(fp, "(RSA)\n");
break;
case DST_ALG_DH:
fprintf(fp, "(DH)\n");
break;
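Review bot: `case DST_ALG_RSA:` in check_data carries no comment, and after this commit a reader cannot tell whether it is a leftover of the removed RSAMD5 arm or deliberately retained. If `alg` here is the key algorithm, DST_ALG_RSA (value 1) can no longer come from a usable key and the case could be dropped; if it is the tag algorithm of a private-key element, it is required because every RSA element tag in the dst_parse.h hunk is built from DST_ALG_RSA, and a one-line comment such as `case DST_ALG_RSA: /* tag prefix shared by all RSA variants' private-key files */` would settle it. check_data begins and ends outside the hunk.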
......@@ -44,18 +44,18 @@
#define TAG_ALG(tag) ((unsigned int)(tag) >> TAG_SHIFT)
#define TAG(alg, off) (((alg) << TAG_SHIFT) + (off))
/* These are used by both RSA-MD5 and RSA-SHA1 */
/* These are used by RSA-SHA1, RSASHA256 and RSASHA512 */
#define RSA_NTAGS 11
#define TAG_RSA_MODULUS ((DST_ALG_RSAMD5 << TAG_SHIFT) + 0)
#define TAG_RSA_PUBLICEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 1)
#define TAG_RSA_PRIVATEEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 2)
#define TAG_RSA_PRIME1 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 3)
#define TAG_RSA_PRIME2 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 4)
#define TAG_RSA_EXPONENT1 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 5)
#define TAG_RSA_EXPONENT2 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 6)
#define TAG_RSA_COEFFICIENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 7)
#define TAG_RSA_ENGINE ((DST_ALG_RSAMD5 << TAG_SHIFT) + 8)
#define TAG_RSA_LABEL ((DST_ALG_RSAMD5 << TAG_SHIFT) + 9)
#define TAG_RSA_MODULUS ((DST_ALG_RSA << TAG_SHIFT) + 0)
#define TAG_RSA_PUBLICEXPONENT ((DST_ALG_RSA << TAG_SHIFT) + 1)
#define TAG_RSA_PRIVATEEXPONENT ((DST_ALG_RSA << TAG_SHIFT) + 2)
#define TAG_RSA_PRIME1 ((DST_ALG_RSA << TAG_SHIFT) + 3)
#define TAG_RSA_PRIME2 ((DST_ALG_RSA << TAG_SHIFT) + 4)
#define TAG_RSA_EXPONENT1 ((DST_ALG_RSA << TAG_SHIFT) + 5)
#define TAG_RSA_EXPONENT2 ((DST_ALG_RSA << TAG_SHIFT) + 6)
#define TAG_RSA_COEFFICIENT ((DST_ALG_RSA << TAG_SHIFT) + 7)
#define TAG_RSA_ENGINE ((DST_ALG_RSA << TAG_SHIFT) + 8)
#define TAG_RSA_LABEL ((DST_ALG_RSA << TAG_SHIFT) + 9)
#define DH_NTAGS 4
#define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0)
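Review bot: The new comment `/* These are used by RSA-SHA1, RSASHA256 and RSASHA512 */` omits NSEC3RSASHA1, which check_data in the dst_parse.c hunk lists alongside the other RSA variants, and mixes the spellings RSA-SHA1 and RSASHA256. Suggest `/* These are used by RSASHA1, NSEC3RSASHA1, RSASHA256 and RSASHA512 */`. The new `DST_ALG_RSA` comment in the dst.h hunk (`Used for parsing RSASHA1, RSASHA256 and RSASHA512`) has the same omission.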
......@@ -53,7 +53,7 @@
/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
#define DNS_KEYALG_RSAMD5 1 /*%< RSA with MD5 */
#define DNS_KEYALG_RSA DNS_KEYALG_RSAMD5
#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */
#define DNS_KEYALG_DH 2 /*%< Diffie Hellman KEY */
#define DNS_KEYALG_DSA 3 /*%< DSA KEY */
#define DNS_KEYALG_NSEC3DSA 6
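Review bot: `#define DNS_KEYALG_RSA 1 /*%< Used just for tagging */` does not say that 1 is still the on-wire algorithm number of the RSAMD5 code being removed (the deleted line above it documented it as "RSA with MD5"), so a DNSKEY or DS carrying algorithm 1 from a zone file or the network will still compare equal to DNS_KEYALG_RSA. Given the hunk's own header comment that this field is the KEY/SIG algorithm number, a clearer comment would be `/*%< private-key tag prefix for RSA variants; on the wire 1 is RSAMD5, which is no longer supported */`. The `DST_ALG_RSA` definition in the dst.h hunk deserves the same caveat.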
......@@ -46,8 +46,8 @@ typedef struct dst_context dst_context_t;
/* DST algorithm codes */
#define DST_ALG_UNKNOWN 0
#define DST_ALG_RSA 1 /* Used for parsing RSASHA1, RSASHA256 and RSASHA512 */
#define DST_ALG_RSAMD5 1
#define DST_ALG_RSA DST_ALG_RSAMD5 /*%< backwards compatibility */
#define DST_ALG_DH 2
#define DST_ALG_DSA 3
#define DST_ALG_ECC 4
......@@ -751,12 +751,12 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n);
*/
uint16_t
dst_region_computeid(const isc_region_t *source, unsigned int alg);
dst_region_computeid(const isc_region_t *source);
uint16_t
dst_region_computerid(const isc_region_t *source, unsigned int alg);
dst_region_computerid(const isc_region_t *source);
/*%<
* Computes the (revoked) key id of the key stored in the provided
* region with the given algorithm.
* region.
*
* Requires:
*\li "source" contains a valid, non-NULL region.
......@@ -27,7 +27,7 @@
#include "dst_internal.h"
uint16_t
dst_region_computeid(const isc_region_t *source, unsigned int alg) {
dst_region_computeid(const isc_region_t *source) {
uint32_t ac;
const unsigned char *p;
int size;
......@@ -38,9 +38,6 @@ dst_region_computeid(const isc_region_t *source, unsigned int alg) {
p = source->base;
size = source->length;
if (alg == DST_ALG_RSAMD5)
return ((p[size - 3] << 8) + p[size - 2]);
for (ac = 0; size > 1; size -= 2, p += 2)
ac += ((*p) << 8) + *(p + 1);
......@@ -52,7 +49,7 @@ dst_region_computeid(const isc_region_t *source, unsigned int alg) {
}
uint16_t
dst_region_computerid(const isc_region_t *source, unsigned int alg) {
dst_region_computerid(const isc_region_t *source) {
uint32_t ac;
const unsigned char *p;
int size;
......@@ -63,9 +60,6 @@ dst_region_computerid(const isc_region_t *source, unsigned int alg) {
p = source->base;
size = source->length;
if (alg == DST_ALG_RSAMD5)
return ((p[size - 3] << 8) + p[size - 2]);
ac = ((*p) << 8) + *(p + 1);
ac |= DNS_KEYFLAG_REVOKE;
for (size -= 2, p +=2; size > 1; size -= 2, p += 2)
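Review bot: dst_region_computerid still reads `*p` and `*(p + 1)` unconditionally before its loop, and with the RSAMD5 branch that read `p[size - 3]` gone this is the one access not protected by a `size > 1` guard; neither the dst.h hunk's Requires (`"source" contains a valid, non-NULL region`) nor the code demands at least two octets. Either document the precondition in the header (`\li "source" is at least 2 octets long`) or add `if (size < 2) { return (0); }` ahead of that line, so that a short region reaching it through dst_key_fromdns — whether that region originates from the wire is not visible in these hunks — cannot read past the buffer. Both functions' bodies extend beyond the hunks shown.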
......@@ -191,8 +191,7 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
const EVP_MD *type = NULL;
UNUSED(key);
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
......@@ -201,7 +200,6 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
......@@ -230,9 +228,6 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
return (ISC_R_NOMEMORY);
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
type = EVP_md5(); /* MD5 + RSA */
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
type = EVP_sha1(); /* SHA1 + RSA */
......@@ -263,8 +258,7 @@ static void
opensslrsa_destroyctx(dst_context_t *dctx) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
......@@ -279,8 +273,7 @@ static isc_result_t
opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
......@@ -301,8 +294,7 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
EVP_PKEY *pkey = key->keydata.pkey;
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
......@@ -333,8 +325,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
RSA *rsa;
int bits;
REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
dctx->key->key_alg == DST_ALG_RSASHA1 ||
REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 ||
dctx->key->key_alg == DST_ALG_NSEC3RSASHA1 ||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
dctx->key->key_alg == DST_ALG_RSASHA512);
......@@ -462,7 +453,6 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
* Reject incorrect RSA key lengths.
*/
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
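Review bot: The same four-term `REQUIRE(dctx->key->key_alg == DST_ALG_RSASHA1 || ...)` list is now repeated by hand in opensslrsa_createctx, opensslrsa_destroyctx, opensslrsa_adddata, opensslrsa_sign and opensslrsa_verify2, and five more times in the pkcs11rsa.c hunks; this commit had to edit every copy and the next algorithm change will too. A file-local predicate keeps the lists from drifting apart, and each check collapses to `REQUIRE(opensslrsa_alg_supported(dctx->key->key_alg));`. The functions begin and end outside the hunks.
```c
/* True for the RSA variants this backend implements; keeps the REQUIRE lists in sync. */
static inline bool
opensslrsa_alg_supported(unsigned int alg) {
	return (alg == DST_ALG_RSASHA1 || alg == DST_ALG_NSEC3RSASHA1 ||
		alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512);
}
/* … unchanged: opensslrsa_createctx up to its REQUIRE … */
	REQUIRE(opensslrsa_alg_supported(dctx->key->key_alg));
```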
......@@ -81,8 +81,7 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
isc_result_t ret;
unsigned int i;
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
......@@ -91,7 +90,6 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
......@@ -233,9 +231,6 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
token_key:
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
mech.mechanism = CKM_MD5_RSA_PKCS;
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA1_RSA_PKCS;
......@@ -310,8 +305,7 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
isc_result_t ret;
unsigned int i;
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
......@@ -320,7 +314,6 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
......@@ -394,9 +387,6 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
ISC_R_FAILURE);
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
mech.mechanism = CKM_MD5_RSA_PKCS;
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA1_RSA_PKCS;
......@@ -577,8 +567,7 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
pk11_context_t *pk11_ctx;
isc_result_t ret;
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
......@@ -588,7 +577,6 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
......@@ -613,9 +601,6 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
}
switch (key->key_alg) {
case DST_ALG_RSAMD5:
mech.mechanism = CKM_MD5;
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
mech.mechanism = CKM_SHA_1;
......@@ -726,8 +711,7 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
isc_result_t ret = ISC_R_SUCCESS;
unsigned int i;
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
......@@ -737,7 +721,6 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
* Reject incorrect RSA key lengths.
*/
switch (dctx->key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
......@@ -762,11 +745,6 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
}
switch (key->key_alg) {
case DST_ALG_RSAMD5:
der = md5_der;
derlen = sizeof(md5_der);
hashlen = ISC_MD5_DIGESTLENGTH;
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
der = sha1_der;
......@@ -970,19 +948,13 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
isc_result_t ret = ISC_R_SUCCESS;
unsigned int i;
REQUIRE(key->key_alg == DST_ALG_RSAMD5 ||
key->key_alg == DST_ALG_RSASHA1 ||
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
key->key_alg == DST_ALG_RSASHA256 ||
key->key_alg == DST_ALG_RSASHA512);
REQUIRE(rsa != NULL);
switch (key->key_alg) {
case DST_ALG_RSAMD5:
der = md5_der;
derlen = sizeof(md5_der);
hashlen = ISC_MD5_DIGESTLENGTH;
break;
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
der = sha1_der;
......@@ -1172,7 +1144,6 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
* Reject incorrect RSA key lengths.
*/
switch (key->key_alg) {
case DST_ALG_RSAMD5:
case DST_ALG_RSASHA1:
case DST_ALG_NSEC3RSASHA1:
/* From RFC 3110 */
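Review bot: pkcs11rsa_sign and pkcs11rsa_verify no longer reference `md5_der` or `ISC_MD5_DIGESTLENGTH` once their `case DST_ALG_RSAMD5:` arms are removed, but the hunks do not show the `md5_der` table itself going away; if it is a static array defined earlier in this file it is now unused and will draw an unused-variable warning, and any `isc/md5.h` include kept only for `ISC_MD5_DIGESTLENGTH` can be dropped with it. The CKM_MD5_RSA_PKCS and CKM_MD5 arms are removed consistently across the mechanism switches shown. The functions touched begin and end outside the hunks.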
......@@ -106,7 +106,6 @@
#define SECALGNAMES \
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \