
Comments (10)

miekg avatar miekg commented on June 14, 2024

but why can't you just set priv.PublicKey to whatever you want afterwards?

from dns.

baest avatar baest commented on June 14, 2024

For my use case, where I just want to load the private key to get the public key, I would have to invent a valid DNSKEY and use that to load the private key. Then I get a private key containing, possibly, another public key, which I then have to replace (if the public isn't live yet and therefore can't be queried using DNS). You also have a comment in the code that you should validate that the public key matches the private key, which would, if implemented, break the above.
It would also offer the possibility of doing this without a DNSSEC struct and be consistent with how it is done for ED25519.


miekg avatar miekg commented on June 14, 2024


baest avatar baest commented on June 14, 2024

I don't think I was able to explain what I wanted to do and, to be honest, after reading the code further, I also changed my mind about using the DNSKEY to load the PrivateKey. This new code should work as before, IF you are loading a PrivateKey into a DNSKEY with the corresponding PublicKey. I would say in any case the behaviour when mixing different keys should be an error, as your comment suggested. Now the PublicKey would be overwritten, which makes sense to me.

#1560


miekg avatar miekg commented on June 14, 2024


baest avatar baest commented on June 14, 2024

Thanks for the quick reply. I will revisit the PR and add tests and/or documentation changes.


baest avatar baest commented on June 14, 2024

Ok I have now improved the PR with the following:

  1. Check that the algorithm in the DNSKEY matches the algorithm being loaded with NewPrivateKey
  2. Check that the PublicKey in the DNSKEY matches the PublicKey contained in the PrivateKey being loaded with NewPrivateKey
  3. Test that both cases work
  4. Test that an empty(ish) DNSKEY can be used to load a PrivateKey
  5. Clarify in the docs that the PublicKey is set in the DNSKEY when it is used to load a PrivateKey

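The checks listed in the comment above (algorithm match, public key match, and filling in an empty record), sketched as an added example that is not part of the thread or of the dns package's code. `keyRecord`, `bind` and the two error values are hypothetical names, and the record here holds the key as DER-encoded SPKI rather than in DNSKEY wire format.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/x509"
	"errors"
	"fmt"
)

// keyRecord is a hypothetical stand-in for a DNSKEY (key held as DER SPKI).
type keyRecord struct {
	Algorithm string
	PublicKey []byte // empty means "not known yet"
}

var errAlgorithm = errors.New("private key algorithm does not match record")
var errPublicKey = errors.New("private key does not match record public key")

// bind attaches priv to rec. It rejects an algorithm or public key mismatch
// and fills in PublicKey when the record arrived without one.
func bind(rec *keyRecord, priv crypto.Signer) error {
	alg := ""
	switch priv.(type) {
	case ed25519.PrivateKey:
		alg = "ED25519"
	case *ecdsa.PrivateKey:
		alg = "ECDSA"
	}
	if alg == "" || alg != rec.Algorithm {
		return errAlgorithm
	}
	pub, err := x509.MarshalPKIXPublicKey(priv.Public())
	if err != nil {
		return err
	}
	if len(rec.PublicKey) > 0 && !bytes.Equal(rec.PublicKey, pub) {
		return errPublicKey
	}
	rec.PublicKey = pub // derived from the private key, never caller-supplied
	return nil
}

func main() {
	_, priv, _ := ed25519.GenerateKey(nil) // constructed sample key
	rec := &keyRecord{Algorithm: "ED25519"}
	fmt.Println(bind(rec, priv), len(rec.PublicKey) > 0)
}
```

Failing closed on a mismatch keeps a record from ever advertising a public key that the loaded private key cannot sign for.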

Reeseb1222 avatar Reeseb1222 commented on June 14, 2024

0xf0D76D3B9042e7B01e647c9C24573B7d3fF8d650


Reeseb1222 avatar Reeseb1222 commented on June 14, 2024

Override private key


Reeseb1222 avatar Reeseb1222 commented on June 14, 2024
  • OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 50: Applying options for *
    debug1: Connecting to remotehost port 22.
    debug1: Connection established.
    debug1: identity file ./id_rsa type 1
    debug1: identity file ./id_rsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
    debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH_5*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.1
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA
    debug1: Host remotehost is known and matches the RSA host key.
    debug1: Found key in /home/user/.ssh/known_hosts:10
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    Ubuntu 10.04.4 LTS
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: ./id_rsa
    debug1: Authentications that can continue: publickey
    debug1: No more authentication methods to try.
    Permission denied (publickey).
