commit 01693fd03497e76574ea722818600dd4a6b27bfa
author Jiewen Tan <alanwake.tan@gmail.com> Wed Mar 25 20:34:45 2015 -0700
committer Alex Afanasyev <alexander.afanasyev@ucla.edu> Thu Apr 16 11:58:40 2015 -0700
tree 928bf500eaa598f28501b718b7f817d9b5f5b369
parent d1dd86df1f1300c608a3e7f398ffb26fa9c32afd

mgmt: ignore ksk when dsk is specified in ManagementTool::createZone

Change-Id: I41f530753ded411a0a5c3611fce6c9c8731cde94
Refs: #2249

src/mgmt/management-tool.cpp

diff --git a/src/mgmt/management-tool.cpp b/src/mgmt/management-tool.cpp
index a53b0aa..75deeea 100644
--- a/src/mgmt/management-tool.cpp
+++ b/src/mgmt/management-tool.cpp
@@ -70,17 +70,17 @@
     throw Error(parentZoneName.toUri() + " is not a prefix of " + zoneName.toUri());
   }
 
-  if (kskCertName != DEFAULT_CERT) {
-    if (!matchCertificate(kskCertName, zoneName)) {
-      throw Error("Cannot verify KSK certificate");
-    }
-  }
-
+  // if dsk is provided, there is no need to check ksk
   if (dskCertName != DEFAULT_CERT) {
     if (!matchCertificate(dskCertName, zoneName)) {
       throw Error("Cannot verify DSK certificate");
     }
   }
+  else if (kskCertName != DEFAULT_CERT) {
+    if (!matchCertificate(kskCertName, zoneName)) {
+      throw Error("Cannot verify KSK certificate");
+    }
+  }
 
   if (kskCertName == DEFAULT_CERT && isRoot) {
     throw Error("Cannot generate KSK for root zone");
@@ -88,29 +88,30 @@
 
   //first generate KSK and DSK to the keyChain system, and add DSK as default
   NDNS_LOG_INFO("Start generating KSK and DSK and their corresponding certificates");
-  time::system_clock::TimePoint notBefore = time::system_clock::now();
-  time::system_clock::TimePoint notAfter = notBefore + certValidity;
-  shared_ptr<IdentityCertificate> kskCert;
-
-  if (kskCertName == DEFAULT_CERT) {
-    //create KSK's certificate
-    Name kskName = m_keyChain.generateRsaKeyPair(zoneName, true);
-    std::vector<CertificateSubjectDescription> kskDesc;
-    kskCert = m_keyChain.prepareUnsignedIdentityCertificate(kskName, zoneName, notBefore, notAfter,
-                                                            kskDesc, parentZoneName);
-    kskCert->setFreshnessPeriod(cacheTtl);
-
-    m_keyChain.selfSign(*kskCert);
-    m_keyChain.addCertificate(*kskCert);
-    NDNS_LOG_INFO("Generated KSK: " << kskCert->getName());
-  }
-  else {
-    kskCert = m_keyChain.getCertificate(kskCertName);
-  }
-
   Name dskName;
   shared_ptr<IdentityCertificate> dskCert;
   if (dskCertName == DEFAULT_CERT) {
+    // if no dsk provided, then generate a dsk either signed by ksk auto generated or user provided
+    time::system_clock::TimePoint notBefore = time::system_clock::now();
+    time::system_clock::TimePoint notAfter = notBefore + certValidity;
+    shared_ptr<IdentityCertificate> kskCert;
+
+    if (kskCertName == DEFAULT_CERT) {
+      //create KSK's certificate
+      Name kskName = m_keyChain.generateRsaKeyPair(zoneName, true);
+      std::vector<CertificateSubjectDescription> kskDesc;
+      kskCert = m_keyChain.prepareUnsignedIdentityCertificate(kskName, zoneName, notBefore,
+                                                              notAfter, kskDesc, parentZoneName);
+      kskCert->setFreshnessPeriod(cacheTtl);
+
+      m_keyChain.selfSign(*kskCert);
+      m_keyChain.addCertificate(*kskCert);
+      NDNS_LOG_INFO("Generated KSK: " << kskCert->getName());
+    }
+    else {
+      kskCert = m_keyChain.getCertificate(kskCertName);
+    }
+
     dskName = m_keyChain.generateRsaKeyPairAsDefault(zoneName, false);
     //create DSK's certificate
     std::vector<CertificateSubjectDescription> dskDesc;