mgmt: ignore ksk when dsk is specified in ManagementTool::createZone
Change-Id: I41f530753ded411a0a5c3611fce6c9c8731cde94
Refs: #2249
diff --git a/src/mgmt/management-tool.cpp b/src/mgmt/management-tool.cpp
index a53b0aa..75deeea 100644
--- a/src/mgmt/management-tool.cpp
+++ b/src/mgmt/management-tool.cpp
@@ -70,17 +70,17 @@
throw Error(parentZoneName.toUri() + " is not a prefix of " + zoneName.toUri());
}
- if (kskCertName != DEFAULT_CERT) {
- if (!matchCertificate(kskCertName, zoneName)) {
- throw Error("Cannot verify KSK certificate");
- }
- }
-
+ // if dsk is provided, there is no need to check ksk
if (dskCertName != DEFAULT_CERT) {
if (!matchCertificate(dskCertName, zoneName)) {
throw Error("Cannot verify DSK certificate");
}
}
+ else if (kskCertName != DEFAULT_CERT) {
+ if (!matchCertificate(kskCertName, zoneName)) {
+ throw Error("Cannot verify KSK certificate");
+ }
+ }
if (kskCertName == DEFAULT_CERT && isRoot) {
throw Error("Cannot generate KSK for root zone");
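Review bot: The root-zone guard at the end of the hunk still keys on `kskCertName == DEFAULT_CERT` alone, but after this change a caller that supplies a DSK and no KSK never reaches KSK generation (the generation is moved under `dskCertName == DEFAULT_CERT` in the next hunk), so a root zone created from a pre-existing DSK would be rejected with the misleading "Cannot generate KSK for root zone". If that combination is meant to be allowed, the condition should read `if (kskCertName == DEFAULT_CERT && dskCertName == DEFAULT_CERT && isRoot) {`. The new else-if also drops a user-supplied KSK without any verification or notice when a DSK is given; an `NDNS_LOG_WARN("KSK certificate ignored because a DSK certificate was provided");` inside the `dskCertName != DEFAULT_CERT` branch would make that precedence visible to operators, and confirming the supplied DSK is actually signed by the supplied KSK would be safer still if the KeyChain exposes the signer. createZone continues outside the hunk.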
@@ -88,29 +88,30 @@
//first generate KSK and DSK to the keyChain system, and add DSK as default
NDNS_LOG_INFO("Start generating KSK and DSK and their corresponding certificates");
- time::system_clock::TimePoint notBefore = time::system_clock::now();
- time::system_clock::TimePoint notAfter = notBefore + certValidity;
- shared_ptr<IdentityCertificate> kskCert;
-
- if (kskCertName == DEFAULT_CERT) {
- //create KSK's certificate
- Name kskName = m_keyChain.generateRsaKeyPair(zoneName, true);
- std::vector<CertificateSubjectDescription> kskDesc;
- kskCert = m_keyChain.prepareUnsignedIdentityCertificate(kskName, zoneName, notBefore, notAfter,
- kskDesc, parentZoneName);
- kskCert->setFreshnessPeriod(cacheTtl);
-
- m_keyChain.selfSign(*kskCert);
- m_keyChain.addCertificate(*kskCert);
- NDNS_LOG_INFO("Generated KSK: " << kskCert->getName());
- }
- else {
- kskCert = m_keyChain.getCertificate(kskCertName);
- }
-
Name dskName;
shared_ptr<IdentityCertificate> dskCert;
if (dskCertName == DEFAULT_CERT) {
+ // if no dsk provided, then generate a dsk either signed by ksk auto generated or user provided
+ time::system_clock::TimePoint notBefore = time::system_clock::now();
+ time::system_clock::TimePoint notAfter = notBefore + certValidity;
+ shared_ptr<IdentityCertificate> kskCert;
+
+ if (kskCertName == DEFAULT_CERT) {
+ //create KSK's certificate
+ Name kskName = m_keyChain.generateRsaKeyPair(zoneName, true);
+ std::vector<CertificateSubjectDescription> kskDesc;
+ kskCert = m_keyChain.prepareUnsignedIdentityCertificate(kskName, zoneName, notBefore,
+ notAfter, kskDesc, parentZoneName);
+ kskCert->setFreshnessPeriod(cacheTtl);
+
+ m_keyChain.selfSign(*kskCert);
+ m_keyChain.addCertificate(*kskCert);
+ NDNS_LOG_INFO("Generated KSK: " << kskCert->getName());
+ }
+ else {
+ kskCert = m_keyChain.getCertificate(kskCertName);
+ }
+
dskName = m_keyChain.generateRsaKeyPairAsDefault(zoneName, false);
//create DSK's certificate
std::vector<CertificateSubjectDescription> dskDesc;
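Review bot: `kskCert = m_keyChain.getCertificate(kskCertName);` in the new else-branch stores whatever the KeyChain returns and that pointer is later used to sign the DSK certificate further down, outside the hunk; if getCertificate can yield a null shared_ptr for a name that is not in the KeyChain (I cannot tell from here whether it throws instead), this becomes a null dereference driven by a caller-controlled name. A guard right after the lookup, `if (kskCert == nullptr) { throw Error("KSK certificate " + kskCertName.toUri() + " does not exist"); }`, turns that into the Error callers already handle. The comment on the new block could also spell out the consequence the updated test relies on, e.g. `// A user-supplied DSK is used as-is: no KSK is looked up or generated in that case.` createZone's body continues past the end of the hunk.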
diff --git a/src/mgmt/management-tool.hpp b/src/mgmt/management-tool.hpp
index 5eabffe..bb13c1e 100644
--- a/src/mgmt/management-tool.hpp
+++ b/src/mgmt/management-tool.hpp
@@ -91,8 +91,9 @@
* @param cacheTtl default TTL for RR sets in the zone
* @param certValidity validity for automatically created DSK certificate (@p dskCertName
* should not be empty)
- * @param kskCertName if given, a zone will be created with this ksk certificate and its key
- * @param dskCertName if given, a zone will be created with this dsk certificate and its key
+ * @param kskCertName if given, a zone will be created with this ksk certificate
+ * @param dskCertName if given, a zone will be created with this dsk certificate and provided
+ * ksk certificate will be ignored
*/
void
createZone(const Name& zoneName,
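Review bot: The new `@param dskCertName` text says the ksk certificate is ignored but not that no KSK is generated at all in that case, which is exactly what the updated unit test asserts (two certificates instead of three); suggest `@param dskCertName if given, a zone will be created with this dsk certificate; no KSK is generated and @p kskCertName is ignored`. The neighbouring `@param certValidity` note "(@p dskCertName should not be empty)" reads inverted, since the automatically created certificates only exist when dskCertName is empty, and the implementation applies the same validity to the auto-generated KSK certificate; `validity for the automatically created KSK/DSK certificates (only used when @p dskCertName is empty)` would match the code. The createZone parameter list continues outside the hunk.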
diff --git a/tests/unit/mgmt/management-tool.cpp b/tests/unit/mgmt/management-tool.cpp
index b2b9806..54ad7d2 100644
--- a/tests/unit/mgmt/management-tool.cpp
+++ b/tests/unit/mgmt/management-tool.cpp
@@ -353,14 +353,15 @@
BOOST_CHECK_EQUAL(getCerts("/net/ndnsim").size(), 2);
m_tool.deleteZone("/net/ndnsim");
+ // no ksk and dsk will be generated
BOOST_CHECK_NO_THROW(m_tool.createZone("/net/ndnsim", "/",
time::seconds(1), time::days(1), Name(), dsk));
- BOOST_CHECK_EQUAL(getCerts("/net/ndnsim").size(), 3);
+ BOOST_CHECK_EQUAL(getCerts("/net/ndnsim").size(), 2);
m_tool.deleteZone("/net/ndnsim");
BOOST_CHECK_NO_THROW(m_tool.createZone("/net/ndnsim", "/",
time::seconds(1), time::days(1), ksk, Name()));
- BOOST_CHECK_EQUAL(getCerts("/net/ndnsim").size(), 4);
+ BOOST_CHECK_EQUAL(getCerts("/net/ndnsim").size(), 3);
m_tool.deleteZone("/net/ndnsim");
BOOST_CHECK_THROW(m_tool.createZone("/net/ndnsim", "/net",