2 static const char rcsid
[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.4.2.6 2002/07/12 00:17:19 marka Exp $";
6 * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
8 * Permission to use, copy modify, and distribute this software for any
9 * purpose with or without fee is hereby granted, provided that the above
10 * copyright notice and this permission notice appear in all copies.
12 * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
13 * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
14 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
15 * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
16 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
17 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
18 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
19 * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
22 * This file contains the interface between the DST API and the crypto API.
23 * This is the only file that needs to be changed if the crypto system is
24 * changed. Exported functions are:
25 * void dst_init() Initialize the toolkit
26 * int dst_check_algorithm() Function to determines if alg is suppored.
27 * int dst_compare_keys() Function to compare two keys for equality.
28 * int dst_sign_data() Incremental signing routine.
29 * int dst_verify_data() Incremental verify routine.
30 * int dst_generate_key() Function to generate new KEY
31 * DST_KEY *dst_read_key() Function to retrieve private/public KEY.
32 * void dst_write_key() Function to write out a key.
33 * DST_KEY *dst_dnskey_to_key() Function to convert DNS KEY RR to a DST
35 * int dst_key_to_dnskey() Function to return a public key in DNS
37 * DST_KEY *dst_buffer_to_key() Converst a data in buffer to KEY
38 * int *dst_key_to_buffer() Writes out DST_KEY key matterial in buffer
39 * void dst_free_key() Releases all memory referenced by key structure
42 #include "port_before.h"
52 #include <sys/param.h>
54 #include <sys/socket.h>
55 #include <netinet/in.h>
56 #include <arpa/nameser.h>
59 #include "dst_internal.h"
60 #include "port_after.h"
62 /* static variables */
63 static int done_init
= 0;
64 dst_func
*dst_t_func
[DST_MAX_ALGS
];
65 const char *key_file_fmt_str
= "Private-key-format: v%s\nAlgorithm: %d (%s)\n";
66 const char *dst_path
= "";
68 /* internal I/O functions */
69 static DST_KEY
*dst_s_read_public_key(const char *in_name
,
70 const u_int16_t in_id
, int in_alg
);
71 static int dst_s_read_private_key_file(char *name
, DST_KEY
*pk_key
,
72 u_int16_t in_id
, int in_alg
);
73 static int dst_s_write_public_key(const DST_KEY
*key
);
74 static int dst_s_write_private_key(const DST_KEY
*key
);
76 /* internal function to set up data structure */
77 static DST_KEY
*dst_s_get_key_struct(const char *name
, const int alg
,
78 const int flags
, const int protocol
,
83 * This function initializes the Digital Signature Toolkit.
84 * Right now, it just checks the DSTKEYPATH environment variable.
100 s
= getenv("DSTKEYPATH");
106 if (len
> PATH_MAX
) {
107 EREPORT(("%s is longer than %d characters, ignoring\n",
109 } else if (stat(s
, &statbuf
) != 0 || !S_ISDIR(statbuf
.st_mode
)) {
110 EREPORT(("%s is not a valid directory\n", s
));
113 tmp
= (char *) malloc(len
+ 2);
114 memcpy(tmp
, s
, len
+ 1);
115 if (tmp
[strlen(tmp
) - 1] != '/') {
116 tmp
[strlen(tmp
) + 1] = 0;
117 tmp
[strlen(tmp
)] = '/';
122 memset(dst_t_func
, 0, sizeof(dst_t_func
));
123 /* first one is selected */
128 * dst_check_algorithm
129 * This function determines if the crypto system for the specified
130 * algorithm is present.
135 * future algorithms TBD and registered with IANA.
137 * 1 - The algorithm is available.
138 * 0 - The algorithm is not available.
141 dst_check_algorithm(const int alg
)
143 return (dst_t_func
[alg
] != NULL
);
147 * dst_s_get_key_struct
148 * This function allocates key structure and fills in some of the
149 * fields of the structure.
151 * name: the name of the key
152 * alg: the algorithm number
153 * flags: the dns flags of the key
154 * protocol: the dns protocol of the key
155 * bits: the size of the key
158 * valid pointer otherwise
161 dst_s_get_key_struct(const char *name
, const int alg
, const int flags
,
162 const int protocol
, const int bits
)
164 DST_KEY
*new_key
= NULL
;
166 if (dst_check_algorithm(alg
)) /* make sure alg is available */
167 new_key
= (DST_KEY
*) malloc(sizeof(*new_key
));
171 memset(new_key
, 0, sizeof(*new_key
));
172 new_key
->dk_key_name
= strdup(name
);
173 new_key
->dk_alg
= alg
;
174 new_key
->dk_flags
= flags
;
175 new_key
->dk_proto
= protocol
;
176 new_key
->dk_KEY_struct
= NULL
;
177 new_key
->dk_key_size
= bits
;
178 new_key
->dk_func
= dst_t_func
[alg
];
184 * Compares two keys for equality.
186 * key1, key2 Two keys to be compared.
188 * 0 The keys are equal.
189 * non-zero The keys are not equal.
193 dst_compare_keys(const DST_KEY
*key1
, const DST_KEY
*key2
)
197 if (key1
== NULL
|| key2
== NULL
)
199 if (key1
->dk_alg
!= key2
->dk_alg
)
201 if (key1
->dk_key_size
!= key2
->dk_key_size
)
203 if (key1
->dk_id
!= key2
->dk_id
)
205 return (key1
->dk_func
->compare(key1
, key2
));
211 * An incremental signing function. Data is signed in steps.
212 * First the context must be initialized (SIG_MODE_INIT).
213 * Then data is hashed (SIG_MODE_UPDATE). Finally the signature
214 * itself is created (SIG_MODE_FINAL). This function can be called
215 * once with INIT, UPDATE and FINAL modes all set, or it can be
216 * called separately with a different mode set for each step. The
217 * UPDATE step can be repeated.
219 * mode A bit mask used to specify operation(s) to be performed.
220 * SIG_MODE_INIT 1 Initialize digest
221 * SIG_MODE_UPDATE 2 Add data to digest
222 * SIG_MODE_FINAL 4 Generate signature
224 * SIG_MODE_ALL (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL
225 * data Data to be signed.
226 * len The length in bytes of data to be signed.
227 * in_key Contains a private key to sign with.
228 * KEY structures should be handled (created, converted,
229 * compared, stored, freed) by the DST.
231 * The location to which the signature will be written.
232 * sig_len Length of the signature field in bytes.
234 * 0 Successfull INIT or Update operation
235 * >0 success FINAL (sign) operation
240 dst_sign_data(const int mode
, DST_KEY
*in_key
, void **context
,
241 const u_char
*data
, const int len
,
242 u_char
*signature
, const int sig_len
)
244 DUMP(data
, mode
, len
, "dst_sign_data()");
246 if (mode
& SIG_MODE_FINAL
&&
247 (in_key
->dk_KEY_struct
== NULL
|| signature
== NULL
))
248 return (MISSING_KEY_OR_SIGNATURE
);
250 if (in_key
->dk_func
&& in_key
->dk_func
->sign
)
251 return (in_key
->dk_func
->sign(mode
, in_key
, context
, data
, len
,
252 signature
, sig_len
));
253 return (UNKNOWN_KEYALG
);
259 * An incremental verify function. Data is verified in steps.
260 * First the context must be initialized (SIG_MODE_INIT).
261 * Then data is hashed (SIG_MODE_UPDATE). Finally the signature
262 * is verified (SIG_MODE_FINAL). This function can be called
263 * once with INIT, UPDATE and FINAL modes all set, or it can be
264 * called separately with a different mode set for each step. The
265 * UPDATE step can be repeated.
267 * mode Operations to perform this time.
268 * SIG_MODE_INIT 1 Initialize digest
269 * SIG_MODE_UPDATE 2 add data to digest
270 * SIG_MODE_FINAL 4 verify signature
272 * (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL)
273 * data Data to pass through the hash function.
274 * len Length of the data in bytes.
275 * in_key Key for verification.
276 * signature Location of signature.
277 * sig_len Length of the signature in bytes.
280 * Non-Zero Verify Failure
284 dst_verify_data(const int mode
, DST_KEY
*in_key
, void **context
,
285 const u_char
*data
, const int len
,
286 const u_char
*signature
, const int sig_len
)
288 DUMP(data
, mode
, len
, "dst_verify_data()");
289 if (mode
& SIG_MODE_FINAL
&&
290 (in_key
->dk_KEY_struct
== NULL
|| signature
== NULL
))
291 return (MISSING_KEY_OR_SIGNATURE
);
293 if (in_key
->dk_func
== NULL
|| in_key
->dk_func
->verify
== NULL
)
294 return (UNSUPPORTED_KEYALG
);
295 return (in_key
->dk_func
->verify(mode
, in_key
, context
, data
, len
,
296 signature
, sig_len
));
301 * dst_read_private_key
302 * Access a private key. First the list of private keys that have
303 * already been read in is searched, then the key accessed on disk.
304 * If the private key can be found, it is returned. If the key cannot
305 * be found, a null pointer is returned. The options specify required
306 * key characteristics. If the private key requested does not have
307 * these characteristics, it will not be read.
309 * in_keyname The private key name.
310 * in_id The id of the private key.
311 * options DST_FORCE_READ Read from disk - don't use a previously
313 * DST_CAN_SIGN The key must be useable for signing.
314 * DST_NO_AUTHEN The key must be useable for authentication.
315 * DST_STANDARD Return any key
317 * NULL If there is no key found in the current directory or
318 * this key has not been loaded before.
319 * !NULL Success - KEY structure returned.
323 dst_read_key(const char *in_keyname
, const u_int16_t in_id
,
324 const int in_alg
, const int type
)
326 char keyname
[PATH_MAX
];
327 DST_KEY
*dg_key
= NULL
, *pubkey
= NULL
;
329 if (!dst_check_algorithm(in_alg
)) { /* make sure alg is available */
330 EREPORT(("dst_read_private_key(): Algorithm %d not suppored\n",
334 if ((type
& (DST_PUBLIC
| DST_PRIVATE
)) == 0)
336 if (in_keyname
== NULL
) {
337 EREPORT(("dst_read_private_key(): Null key name passed in\n"));
340 strcpy(keyname
, in_keyname
);
342 /* before I read in the public key, check if it is allowed to sign */
343 if ((pubkey
= dst_s_read_public_key(keyname
, in_id
, in_alg
)) == NULL
)
346 if (type
== DST_PUBLIC
)
349 if (!(dg_key
= dst_s_get_key_struct(keyname
, pubkey
->dk_alg
,
350 pubkey
->dk_flags
, pubkey
->dk_proto
,
353 /* Fill in private key and some fields in the general key structure */
354 if (dst_s_read_private_key_file(keyname
, dg_key
, pubkey
->dk_id
,
355 pubkey
->dk_alg
) == 0)
356 dg_key
= dst_free_key(dg_key
);
358 pubkey
= dst_free_key(pubkey
);
363 dst_write_key(const DST_KEY
*key
, const int type
)
365 int pub
= 0, priv
= 0;
369 if (!dst_check_algorithm(key
->dk_alg
)) { /* make sure alg is available */
370 EREPORT(("dst_write_key(): Algorithm %d not suppored\n",
372 return (UNSUPPORTED_KEYALG
);
374 if ((type
& (DST_PRIVATE
|DST_PUBLIC
)) == 0)
377 if (type
& DST_PUBLIC
)
378 if ((pub
= dst_s_write_public_key(key
)) < 0)
380 if (type
& DST_PRIVATE
)
381 if ((priv
= dst_s_write_private_key(key
)) < 0)
387 * dst_write_private_key
388 * Write a private key to disk. The filename will be of the form:
389 * K<key->dk_name>+<key->dk_alg>+<key->dk_id>.<private key suffix>.
390 * If there is already a file with this name, an error is returned.
393 * key A DST managed key structure that contains
394 * all information needed about a key.
396 * >= 0 Correct behavior. Returns length of encoded key value
402 dst_s_write_private_key(const DST_KEY
*key
)
404 u_char encoded_block
[RAW_KEY_SIZE
];
409 /* First encode the key into the portable key format */
412 if (key
->dk_KEY_struct
== NULL
)
413 return (0); /* null key has no private key */
415 if (key
->dk_func
== NULL
|| key
->dk_func
->to_file_fmt
== NULL
) {
416 EREPORT(("dst_write_private_key(): Unsupported operation %d\n",
419 } else if ((len
= key
->dk_func
->to_file_fmt(key
, (char *)encoded_block
,
420 sizeof(encoded_block
))) <= 0) {
421 EREPORT(("dst_write_private_key(): Failed encoding private RSA bsafe key %d\n", len
));
424 /* Now I can create the file I want to use */
425 dst_s_build_filename(file
, key
->dk_key_name
, key
->dk_id
, key
->dk_alg
,
426 PRIVATE_KEY
, PATH_MAX
);
428 /* Do not overwrite an existing file */
429 if ((fp
= dst_s_fopen(file
, "w", 0600)) != NULL
) {
431 if ((nn
= fwrite(encoded_block
, 1, len
, fp
)) != len
) {
432 EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n",
433 file
, len
, nn
, errno
));
438 EREPORT(("dst_write_private_key(): Can not create file %s\n"
442 memset(encoded_block
, 0, len
);
448 * dst_read_public_key
449 * Read a public key from disk and store in a DST key structure.
451 * in_name K<in_name><in_id>.<public key suffix> is the
452 * filename of the key file to be read.
454 * NULL If the key does not exist or no name is supplied.
455 * NON-NULL Initialized key structure if the key exists.
459 dst_s_read_public_key(const char *in_name
, const u_int16_t in_id
, int in_alg
)
461 int flags
, proto
, alg
, len
, dlen
;
463 char name
[PATH_MAX
], enckey
[RAW_KEY_SIZE
], *notspace
;
464 u_char deckey
[RAW_KEY_SIZE
];
467 if (in_name
== NULL
) {
468 EREPORT(("dst_read_public_key(): No key name given\n"));
471 if (dst_s_build_filename(name
, in_name
, in_id
, in_alg
, PUBLIC_KEY
,
473 EREPORT(("dst_read_public_key(): Cannot make filename from %s, %d, and %s\n",
474 in_name
, in_id
, PUBLIC_KEY
));
478 * Open the file and read it's formatted contents up to key
480 * domain.name [ttl] [IN] KEY <flags> <protocol> <algorithm> <key>
481 * flags, proto, alg stored as decimal (or hex numbers FIXME).
482 * (FIXME: handle parentheses for line continuation.)
484 if ((fp
= dst_s_fopen(name
, "r", 0)) == NULL
) {
485 EREPORT(("dst_read_public_key(): Public Key not found %s\n",
489 /* Skip domain name, which ends at first blank */
490 while ((c
= getc(fp
)) != EOF
)
493 /* Skip blank to get to next field */
494 while ((c
= getc(fp
)) != EOF
)
498 /* Skip optional TTL -- if initial digit, skip whole word. */
500 while ((c
= getc(fp
)) != EOF
)
503 while ((c
= getc(fp
)) != EOF
)
507 /* Skip optional "IN" */
508 if (c
== 'I' || c
== 'i') {
509 while ((c
= getc(fp
)) != EOF
)
512 while ((c
= getc(fp
)) != EOF
)
516 /* Locate and skip "KEY" */
517 if (c
!= 'K' && c
!= 'k') {
518 EREPORT(("\"KEY\" doesn't appear in file: %s", name
));
521 while ((c
= getc(fp
)) != EOF
)
524 while ((c
= getc(fp
)) != EOF
)
527 ungetc(c
, fp
); /* return the charcter to the input field */
528 /* Handle hex!! FIXME. */
530 if (fscanf(fp
, "%d %d %d", &flags
, &proto
, &alg
) != 3) {
531 EREPORT(("dst_read_public_key(): Can not read flag/proto/alg field from %s\n"
535 /* read in the key string */
536 fgets(enckey
, sizeof(enckey
), fp
);
538 /* If we aren't at end-of-file, something is wrong. */
539 while ((c
= getc(fp
)) != EOF
)
543 EREPORT(("Key too long in file: %s", name
));
548 if ((len
= strlen(enckey
)) <= 0)
552 enckey
[--len
] = '\0';
554 /* remove leading spaces */
555 for (notspace
= (char *) enckey
; isspace((*notspace
)&0xff); len
--)
558 dlen
= b64_pton(notspace
, deckey
, sizeof(deckey
));
560 EREPORT(("dst_read_public_key: bad return from b64_pton = %d",
564 /* store key and info in a key structure that is returned */
565 /* return dst_store_public_key(in_name, alg, proto, 666, flags, deckey,
567 return dst_buffer_to_key(in_name
, alg
, flags
, proto
, deckey
, dlen
);
572 * dst_write_public_key
573 * Write a key to disk in DNS format.
575 * key Pointer to a DST key structure.
582 dst_s_write_public_key(const DST_KEY
*key
)
585 char filename
[PATH_MAX
];
586 u_char out_key
[RAW_KEY_SIZE
];
587 char enc_key
[RAW_KEY_SIZE
];
591 memset(out_key
, 0, sizeof(out_key
));
593 EREPORT(("dst_write_public_key(): No key specified \n"));
595 } else if ((len
= dst_key_to_dnskey(key
, out_key
, sizeof(out_key
)))< 0)
598 /* Make the filename */
599 if (dst_s_build_filename(filename
, key
->dk_key_name
, key
->dk_id
,
600 key
->dk_alg
, PUBLIC_KEY
, PATH_MAX
) == -1) {
601 EREPORT(("dst_write_public_key(): Cannot make filename from %s, %d, and %s\n",
602 key
->dk_key_name
, key
->dk_id
, PUBLIC_KEY
));
605 /* XXX in general this should be a check for symmetric keys */
606 mode
= (key
->dk_alg
== KEY_HMAC_MD5
) ? 0600 : 0644;
607 /* create public key file */
608 if ((fp
= dst_s_fopen(filename
, "w+", mode
)) == NULL
) {
609 EREPORT(("DST_write_public_key: open of file:%s failed (errno=%d)\n",
613 /*write out key first base64 the key data */
614 if (key
->dk_flags
& DST_EXTEND_FLAG
)
615 b64_ntop(&out_key
[6], len
- 6, enc_key
, sizeof(enc_key
));
617 b64_ntop(&out_key
[4], len
- 4, enc_key
, sizeof(enc_key
));
618 fprintf(fp
, "%s IN KEY %d %d %d %s\n",
620 key
->dk_flags
, key
->dk_proto
, key
->dk_alg
, enc_key
);
627 * dst_dnskey_to_public_key
628 * This function converts the contents of a DNS KEY RR into a DST
631 * len Length of the RDATA of the KEY RR RDATA
632 * rdata A pointer to the the KEY RR RDATA.
633 * in_name Key name to be stored in key structure.
636 * NON-NULL Success. Pointer to key structure.
637 * Caller's responsibility to free() it.
641 dst_dnskey_to_key(const char *in_name
, const u_char
*rdata
, const int len
)
645 int start
= DST_KEY_START
;
647 if (rdata
== NULL
|| len
<= DST_KEY_ALG
) /* no data */
649 alg
= (u_int8_t
) rdata
[DST_KEY_ALG
];
650 if (!dst_check_algorithm(alg
)) { /* make sure alg is available */
651 EREPORT(("dst_dnskey_to_key(): Algorithm %d not suppored\n",
655 if ((key_st
= dst_s_get_key_struct(in_name
, alg
, 0, 0, 0)) == NULL
)
660 key_st
->dk_id
= dst_s_dns_key_id(rdata
, len
);
661 key_st
->dk_flags
= dst_s_get_int16(rdata
);
662 key_st
->dk_proto
= (u_int16_t
) rdata
[DST_KEY_PROT
];
663 if (key_st
->dk_flags
& DST_EXTEND_FLAG
) {
665 ext_flags
= (u_int32_t
) dst_s_get_int16(&rdata
[DST_EXT_FLAG
]);
666 key_st
->dk_flags
= key_st
->dk_flags
| (ext_flags
<< 16);
670 * now point to the begining of the data representing the encoding
673 if (key_st
->dk_func
&& key_st
->dk_func
->from_dns_key
) {
674 if (key_st
->dk_func
->from_dns_key(key_st
, &rdata
[start
],
678 EREPORT(("dst_dnskey_to_public_key(): unsuppored alg %d\n",
687 * dst_public_key_to_dnskey
688 * Function to encode a public key into DNS KEY wire format
690 * key Key structure to encode.
691 * out_storage Location to write the encoded key to.
692 * out_len Size of the output array.
695 * >=0 Number of bytes written to out_storage
699 dst_key_to_dnskey(const DST_KEY
*key
, u_char
*out_storage
,
708 if (!dst_check_algorithm(key
->dk_alg
)) { /* make sure alg is available */
709 EREPORT(("dst_key_to_dnskey(): Algorithm %d not suppored\n",
711 return (UNSUPPORTED_KEYALG
);
713 memset(out_storage
, 0, out_len
);
714 val
= (u_int16_t
)(key
->dk_flags
& 0xffff);
715 dst_s_put_int16(out_storage
, val
);
718 out_storage
[loc
++] = (u_char
) key
->dk_proto
;
719 out_storage
[loc
++] = (u_char
) key
->dk_alg
;
721 if (key
->dk_flags
> 0xffff) { /* Extended flags */
722 val
= (u_int16_t
)((key
->dk_flags
>> 16) & 0xffff);
723 dst_s_put_int16(&out_storage
[loc
], val
);
726 if (key
->dk_KEY_struct
== NULL
)
728 if (key
->dk_func
&& key
->dk_func
->to_dns_key
) {
729 enc_len
= key
->dk_func
->to_dns_key(key
,
730 (u_char
*) &out_storage
[loc
],
733 return (enc_len
+ loc
);
737 EREPORT(("dst_key_to_dnskey(): Unsupported ALG %d\n",
745 * Function to encode a string of raw data into a DST key
747 * alg The algorithm (HMAC only)
748 * key A pointer to the data
749 * keylen The length of the data
751 * NULL an error occurred
752 * NON-NULL the DST key
755 dst_buffer_to_key(const char *key_name
, /* name of the key */
756 const int alg
, /* algorithm */
757 const int flags
, /* dns flags */
758 const int protocol
, /* dns protocol */
759 const u_char
*key_buf
, /* key in dns wire fmt */
760 const int key_len
) /* size of key */
763 DST_KEY
*dkey
= NULL
;
767 if (!dst_check_algorithm(alg
)) { /* make sure alg is available */
768 EREPORT(("dst_buffer_to_key(): Algorithm %d not suppored\n", alg
));
772 dkey
= dst_s_get_key_struct(key_name
, alg
, flags
,
777 if (dkey
->dk_func
== NULL
|| dkey
->dk_func
->from_dns_key
== NULL
)
780 if (dkey
->dk_func
->from_dns_key(dkey
, key_buf
, key_len
) < 0) {
781 EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n"));
782 return (dst_free_key(dkey
));
785 dnslen
= dst_key_to_dnskey(dkey
, dns
, sizeof(dns
));
786 dkey
->dk_id
= dst_s_dns_key_id(dns
, dnslen
);
791 dst_key_to_buffer(DST_KEY
*key
, u_char
*out_buff
, int buf_len
)
794 /* this function will extrac the secret of HMAC into a buffer */
797 if (key
->dk_func
!= NULL
&& key
->dk_func
->to_dns_key
!= NULL
) {
798 len
= key
->dk_func
->to_dns_key(key
, out_buff
, buf_len
);
808 * dst_s_read_private_key_file
809 * Function reads in private key from a file.
810 * Fills out the KEY structure.
812 * name Name of the key to be read.
813 * pk_key Structure that the key is returned in.
814 * in_id Key identifier (tag)
816 * 1 if everthing works
817 * 0 if there is any problem
821 dst_s_read_private_key_file(char *name
, DST_KEY
*pk_key
, u_int16_t in_id
,
824 int cnt
, alg
, len
, major
, minor
, file_major
, file_minor
;
826 char filename
[PATH_MAX
];
827 u_char in_buff
[RAW_KEY_SIZE
], *p
;
832 if (name
== NULL
|| pk_key
== NULL
) {
833 EREPORT(("dst_read_private_key_file(): No key name given\n"));
836 /* Make the filename */
837 if (dst_s_build_filename(filename
, name
, in_id
, in_alg
, PRIVATE_KEY
,
839 EREPORT(("dst_read_private_key(): Cannot make filename from %s, %d, and %s\n",
840 name
, in_id
, PRIVATE_KEY
));
843 /* first check if we can find the key file */
844 if ((fp
= dst_s_fopen(filename
, "r", 0)) == NULL
) {
845 EREPORT(("dst_s_read_private_key_file: Could not open file %s in directory %s\n",
846 filename
, dst_path
[0] ? dst_path
:
847 (char *) getcwd(NULL
, PATH_MAX
- 1)));
850 /* now read the header info from the file */
851 if ((cnt
= fread(in_buff
, 1, sizeof(in_buff
), fp
)) < 5) {
853 EREPORT(("dst_s_read_private_key_file: error reading file %s (empty file)\n",
859 if (memcmp(in_buff
, "Private-key-format: v", 20) != 0)
864 if (!dst_s_verify_str((const char **) &p
, "Private-key-format: v")) {
865 EREPORT(("dst_s_read_private_key_file(): Not a Key file/Decrypt failed %s\n", name
));
868 /* read in file format */
869 sscanf((char *)p
, "%d.%d", &file_major
, &file_minor
);
870 sscanf(KEY_FILE_FORMAT
, "%d.%d", &major
, &minor
);
871 if (file_major
< 1) {
872 EREPORT(("dst_s_read_private_key_file(): Unknown keyfile %d.%d version for %s\n",
873 file_major
, file_minor
, name
));
875 } else if (file_major
> major
|| file_minor
> minor
)
877 "dst_s_read_private_key_file(): Keyfile %s version higher than mine %d.%d MAY FAIL\n",
878 name
, file_major
, file_minor
));
880 while (*p
++ != '\n') ; /* skip to end of line */
882 if (!dst_s_verify_str((const char **) &p
, "Algorithm: "))
885 if (sscanf((char *)p
, "%d", &alg
) != 1)
887 while (*p
++ != '\n') ; /* skip to end of line */
889 if (pk_key
->dk_key_name
&& !strcmp(pk_key
->dk_key_name
, name
))
890 SAFE_FREE2(pk_key
->dk_key_name
, strlen(pk_key
->dk_key_name
));
891 pk_key
->dk_key_name
= (char *) strdup(name
);
893 /* allocate and fill in key structure */
894 if (pk_key
->dk_func
== NULL
|| pk_key
->dk_func
->from_file_fmt
== NULL
)
897 ret
= pk_key
->dk_func
->from_file_fmt(pk_key
, (char *)p
, &in_buff
[len
] - p
);
901 dnslen
= dst_key_to_dnskey(pk_key
, dns
, sizeof(dns
));
902 id
= dst_s_dns_key_id(dns
, dnslen
);
904 /* Make sure the actual key tag matches the input tag used in the filename
907 EREPORT(("dst_s_read_private_key_file(): actual tag of key read %d != input tag used to build filename %d.\n", id
, in_id
));
910 pk_key
->dk_id
= (u_int16_t
) id
;
911 pk_key
->dk_alg
= alg
;
912 memset(in_buff
, 0, cnt
);
916 memset(in_buff
, 0, cnt
);
923 * Generate and store a public/private keypair.
924 * Keys will be stored in formatted files.
926 * name Name of the new key. Used to create key files
927 * K<name>+<alg>+<id>.public and K<name>+<alg>+<id>.private.
928 * bits Size of the new key in bits.
929 * exp What exponent to use:
931 * non-zero use Fermant4
932 * flags The default value of the DNS Key flags.
933 * The DNS Key RR Flag field is defined in RFC 2065,
934 * section 3.3. The field has 16 bits.
936 * Default value of the DNS Key protocol field.
937 * The DNS Key protocol field is defined in RFC 2065,
938 * section 3.4. The field has 8 bits.
939 * alg What algorithm to use. Currently defined:
943 * out_id The key tag is returned.
947 * non-NULL the generated key pair
948 * Caller frees the result, and its dk_name pointer.
951 dst_generate_key(const char *name
, const int bits
, const int exp
,
952 const int flags
, const int protocol
, const int alg
)
954 DST_KEY
*new_key
= NULL
;
962 if (!dst_check_algorithm(alg
)) { /* make sure alg is available */
963 EREPORT(("dst_generate_key(): Algorithm %d not suppored\n", alg
));
967 new_key
= dst_s_get_key_struct(name
, alg
, flags
, protocol
, bits
);
970 if (bits
== 0) /* null key we are done */
972 if (new_key
->dk_func
== NULL
|| new_key
->dk_func
->generate
== NULL
) {
973 EREPORT(("dst_generate_key_pair():Unsupported algorithm %d\n",
975 return (dst_free_key(new_key
));
977 if ((res
= new_key
->dk_func
->generate(new_key
, exp
)) <= 0) {
978 EREPORT(("dst_generate_key_pair(): Key generation failure %s %d %d %d\n",
979 new_key
->dk_key_name
, new_key
->dk_alg
,
980 new_key
->dk_key_size
, exp
));
981 return (dst_free_key(new_key
));
984 dnslen
= dst_key_to_dnskey(new_key
, dns
, sizeof(dns
));
985 if (dnslen
!= UNSUPPORTED_KEYALG
)
986 new_key
->dk_id
= dst_s_dns_key_id(dns
, dnslen
);
996 * Release all data structures pointed to by a key structure.
998 * f_key Key structure to be freed.
1002 dst_free_key(DST_KEY
*f_key
)
1007 if (f_key
->dk_func
&& f_key
->dk_func
->destroy
)
1008 f_key
->dk_KEY_struct
=
1009 f_key
->dk_func
->destroy(f_key
->dk_KEY_struct
);
1011 EREPORT(("dst_free_key(): Unknown key alg %d\n",
1013 free(f_key
->dk_KEY_struct
); /* SHOULD NOT happen */
1015 if (f_key
->dk_KEY_struct
) {
1016 free(f_key
->dk_KEY_struct
);
1017 f_key
->dk_KEY_struct
= NULL
;
1019 if (f_key
->dk_key_name
)
1020 SAFE_FREE(f_key
->dk_key_name
);
1027 * Return the maximim size of signature from the key specified in bytes
1034 dst_sig_size(DST_KEY
*key
) {
1035 switch (key
->dk_alg
) {
1041 return (key
->dk_key_size
+ 7) / 8;
1045 EREPORT(("dst_sig_size(): Unknown key alg %d\n", key
->dk_alg
));