/**
 * Return the signer name carried by the first RRSIG found in the packet.
 *
 * Sections are scanned in order from KNOT_ANSWER through KNOT_AUTHORITY and
 * the search stops at the first record of type RRSIG.
 *
 * The name is read from the record as it appears in the packet; this function
 * performs no signature or chain-of-trust checks, so callers must treat the
 * result as unauthenticated until the signature is validated.
 *
 * @param pkt Packet to scan. It is dereferenced without a NULL check.
 * @return Signer name of the first RRSIG (its rdata at position 0), or NULL
 *         when the scanned sections hold no RRSIG.
 */
static const knot_dname_t *signature_authority(knot_pkt_t *pkt)
{
	for (knot_section_t section = KNOT_ANSWER; section <= KNOT_AUTHORITY; ++section) {
		const knot_pktsection_t *records = knot_pkt_section(pkt, section);
		for (unsigned idx = 0; idx < records->count; ++idx) {
			const knot_rrset_t *candidate = knot_pkt_rr(records, idx);
			if (candidate->type != KNOT_RRTYPE_RRSIG) {
				continue;
			}
			/* First signature wins; later RRSIGs are not examined. */
			return knot_rrsig_signer_name(&candidate->rrs, 0);
		}
	}

	return NULL;
}
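/**
 * Serial-number "precedes" test for 32-bit RRSIG timestamps (RFC 1982).
 *
 * RFC 4034 section 3.1.5 requires that every comparison involving the
 * Signature Expiration and Inception fields uses serial number arithmetic,
 * because both fields wrap around after roughly 136 years.
 *
 * @param lhs Left-hand timestamp.
 * @param rhs Right-hand timestamp.
 * @return Non-zero when lhs precedes rhs, zero otherwise (including equal
 *         values and the undefined case of values exactly 2^31 apart).
 */
static int rrsig_time_precedes(uint32_t lhs, uint32_t rhs)
{
	/* Unsigned subtraction wraps modulo 2^32, which is what RFC 1982 needs. */
	const uint32_t distance = (uint32_t)(rhs - lhs);
	return distance != 0 && distance < 0x80000000u;
}

/**
 * Check the RRSIG RR validity according to RFC4035 5.3.1 .
 *
 * Only bullets 2, 4, 5, 6 and 7 are evaluated here; bullet 8 is checked
 * elsewhere and no check is made here for bullets 9 and 10. No cryptographic
 * verification happens in this function.
 *
 * @param flags      Output flags; FLG_WILDCARD_EXPANSION is OR-ed in when the
 *                   RRSIG Labels field is smaller than cov_labels. Existing
 *                   bits are never cleared.
 * @param cov_labels Covered RRSet owner label count.
 * @param rrsigs     RRSet containing the signatures.
 * @param sig_pos    Specifies the signature within the RRSIG RRSet.
 *                   Not range-checked here.
 * @param keys       Associated DNSKEY RRSet.
 * @param key_pos    Specifies the key within the DNSKEY RRSet.
 *                   Not range-checked here.
 * @param keytag     Used key tag.
 * @param zone_name  The name of the zone cut.
 * @param timestamp  Validation time.
 * @return kr_ok() when every check passes, kr_error(EINVAL) on a NULL
 *         argument or on the first failed check.
 */
static int validate_rrsig_rr(int *flags, int cov_labels,
                             const knot_rrset_t *rrsigs, size_t sig_pos,
                             const knot_rrset_t *keys, size_t key_pos, uint16_t keytag,
                             const knot_dname_t *zone_name, uint32_t timestamp)
{
	if (!flags || !rrsigs || !keys || !zone_name) {
		return kr_error(EINVAL);
	}

	/* bullet 5: the validation time must not be later than the expiration.
	 * Compared with serial number arithmetic (RFC 4034 3.1.5) so that the
	 * check stays correct across the 32-bit wrap-around.
	 * NOTE(review): assumes the accessor returns the raw 32-bit field - confirm. */
	const uint32_t expiration = knot_rrsig_sig_expiration(&rrsigs->rrs, sig_pos);
	if (rrsig_time_precedes(expiration, timestamp)) {
		return kr_error(EINVAL);
	}

	/* bullet 6: the validation time must not be earlier than the inception;
	 * same serial number comparison as above. */
	const uint32_t inception = knot_rrsig_sig_inception(&rrsigs->rrs, sig_pos);
	if (rrsig_time_precedes(timestamp, inception)) {
		return kr_error(EINVAL);
	}

	/* bullet 2: the signer must be the zone that contains the RRSet. */
	const knot_dname_t *signer_name = knot_rrsig_signer_name(&rrsigs->rrs, sig_pos);
	if (!signer_name || !knot_dname_is_equal(signer_name, zone_name)) {
		return kr_error(EINVAL);
	}

	/* bullet 4: the Labels field may not exceed the owner label count;
	 * a smaller value means the record was expanded from a wildcard. */
	{
		int rrsig_labels = knot_rrsig_labels(&rrsigs->rrs, sig_pos);
		if (rrsig_labels > cov_labels) {
			return kr_error(EINVAL);
		}
		if (rrsig_labels < cov_labels) {
			*flags |= FLG_WILDCARD_EXPANSION;
		}
	}

	/* bullet 7: signer name, algorithm and key tag must all match the
	 * selected DNSKEY. */
	if ((!knot_dname_is_equal(keys->owner, signer_name)) ||
	    (knot_dnskey_alg(&keys->rrs, key_pos) != knot_rrsig_algorithm(&rrsigs->rrs, sig_pos)) ||
	    (keytag != knot_rrsig_key_tag(&rrsigs->rrs, sig_pos))) {
		return kr_error(EINVAL);
	}

	/* bullet 8 */
	/* Checked somewhere else. */

	/* bullet 9 and 10 */
	/* One of the requirements should be always fulfilled. */

	return kr_ok();
}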