Changeset 1905
- Timestamp:
- 01/25/11 08:51:55 (2 years ago)
- Location:
- trunk/pdns/pdns
- Files:
-
- 6 modified
-
dbdnsseckeeper.cc (modified) (4 diffs)
-
dnssecinfra.cc (modified) (12 diffs)
-
dnssecinfra.hh (modified) (7 diffs)
-
dnssecsigner.cc (modified) (2 diffs)
-
nsecrecords.cc (modified) (1 diff)
-
pdnssec.cc (modified) (4 diffs)
trunk/pdns/pdns/dbdnsseckeeper.cc
r1901 r1905 81 81 if(!bits) 82 82 bits = keyOrZone ? 2048 : 1024; 83 DNSSECPrivateKey dpk; 84 dpk.d_key.create(bits); 85 dpk.d_algorithm = algorithm; 86 dpk.d_flags = keyOrZone ? 257 : 256; 87 addKey(name, dpk, active); 83 DNSSECPrivateKey dspk; 84 shared_ptr<DNSPrivateKey> dpk(new RSADNSPrivateKey); // defaults to RSA for now, could be smart w/algorithm! XXX FIXME 85 dpk->create(bits); 86 dspk.setKey(dpk); 87 dspk.d_algorithm = algorithm; 88 dspk.d_flags = keyOrZone ? 257 : 256; 89 addKey(name, dspk, active); 88 90 } 89 91 … … 107 109 kd.flags = dpk.d_flags; // the dpk doesn't get stored, only they key part 108 110 kd.active = active; 109 kd.content = dpk. d_key.convertToISC(dpk.d_algorithm);111 kd.content = dpk.getKey()->convertToISC(dpk.d_algorithm); 110 112 // now store it 111 113 d_db.addDomainKey(name, kd); … … 128 130 129 131 DNSSECPrivateKey dpk; 130 DNSKEYRecordContent dkrc = getRSAKeyFromISCString(&dpk.d_key.getContext(), kd.content); 132 DNSKEYRecordContent dkrc; 133 dpk.setKey(shared_ptr<DNSPrivateKey>(DNSPrivateKey::fromISCString(dkrc, kd.content))); 131 134 dpk.d_flags = kd.flags; 132 135 dpk.d_algorithm = dkrc.d_algorithm; … … 273 276 DNSSECPrivateKey dpk; 274 277 275 DNSKEYRecordContent dkrc=getRSAKeyFromISCString(&dpk.d_key.getContext(), kd.content); 278 DNSKEYRecordContent dkrc; 279 dpk.setKey(shared_ptr<DNSPrivateKey>(DNSPrivateKey::fromISCString(dkrc, kd.content))); 276 280 dpk.d_flags = kd.flags; 277 281 dpk.d_algorithm = dkrc.d_algorithm; -
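Review bot: `addKey` now instantiates `RSADNSPrivateKey` for whatever `algorithm` value it is given (the `XXX FIXME` on that line admits it), so a caller passing a non-RSA algorithm number gets an RSA key persisted with a DNSKEY algorithm field that does not describe it, and every RRSIG made with that key will fail validation. Until other key types exist, reject the mismatch up front with the same whitelist `DNSPrivateKey::fromISCString` applies on load: `if(algorithm != 5 && algorithm != 7 && algorithm != 8 && algorithm != 10) throw runtime_error("addKey: only RSA DNSSEC algorithms (5, 7, 8, 10) are supported");`. The enclosing function starts before this hunk, so the default `bits = keyOrZone ? 2048 : 1024` is shown only as context; 1024-bit ZSKs are at the low end of what is generally recommended, so callers that want stronger keys should pass `bits` explicitly. Note too that the two `fromISCString` call sites will now throw `runtime_error` for a backend row carrying an unknown algorithm, which appears to abort the whole key enumeration rather than skip that row.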
trunk/pdns/pdns/dnssecinfra.cc
r1884 r1905 23 23 using namespace boost::assign; 24 24 25 void RSA Context::create(unsigned int bits)25 void RSADNSPrivateKey::create(unsigned int bits) 26 26 { 27 27 havege_state hs; … … 34 34 } 35 35 36 std::string RSA Context::getPubKeyHash()36 std::string RSADNSPrivateKey::getPubKeyHash() const 37 37 { 38 38 unsigned char hash[20]; … … 50 50 } 51 51 52 std::string RSAContext::convertToISC(unsigned int algorithm) const 52 std::string RSADNSPrivateKey::sign(const std::string& hash) const 53 { 54 unsigned char signature[mpi_size(&d_context.N)]; 55 int ret=rsa_pkcs1_sign(const_cast<rsa_context*>(&d_context), RSA_PRIVATE, 56 hash.size()==20 ? SIG_RSA_SHA1 : SIG_RSA_SHA256, 57 hash.size(), 58 (const unsigned char*) hash.c_str(), signature); 59 60 if(ret!=0) { 61 cerr<<"signing returned: "<<ret<<endl; 62 exit(1); 63 } 64 return string((char*) signature, sizeof(signature)); 65 } 66 67 std::string RSADNSPrivateKey::convertToISC(unsigned int algorithm) const 53 68 { 54 69 string ret; … … 90 105 91 106 92 DNSKEYRecordContent getRSAKeyFromISC(rsa_context* rsa, const char* fname) 93 { 107 DNSPrivateKey* DNSPrivateKey::fromISCFile(DNSKEYRecordContent& drc, const char* fname) 108 { 109 string sline, isc, key, value; 110 FILE *fp=fopen(fname, "r"); 111 if(!fp) { 112 throw runtime_error("Unable to read file '"+string(fname)+"' for generating DNS Private Key"); 113 } 114 int algorithm=0; 115 while(stringfgets(fp, sline)) { 116 tie(key,value)=splitField(sline, ':'); 117 if(pdns_iequals(key,"algorithm")) 118 algorithm = atoi(value.c_str()); 119 isc.append(sline); 120 } 121 fclose(fp); 122 123 switch(algorithm) { 124 case 5: 125 case 7: 126 case 8: 127 case 10: 128 return RSADNSPrivateKey::fromISCString(drc, isc); 129 break; 130 default: 131 throw runtime_error("Unknown DNSSEC signature algorithm number "+lexical_cast<string>(algorithm)); 132 break; 133 } 134 return 0; 135 } 136 137 DNSPrivateKey* DNSPrivateKey::fromISCString(DNSKEYRecordContent& drc, const std::string& content) 
138 { 139 int algorithm = 0; 140 string sline, key, value; 141 istringstream str(content); 142 while(getline(str, sline)) { 143 tie(key,value)=splitField(sline, ':'); 144 if(pdns_iequals(key,"algorithm")) { 145 algorithm = atoi(value.c_str()); 146 break; 147 } 148 } 149 switch(algorithm) { 150 case 5: 151 case 7: 152 case 8: 153 case 10: 154 return RSADNSPrivateKey::fromISCString(drc, content); 155 break; 156 default: 157 throw runtime_error("Unknown DNSSEC signature algorithm number "+lexical_cast<string>(algorithm)); 158 break; 159 } 160 return 0; 161 } 162 163 DNSPrivateKey* RSADNSPrivateKey::fromISCString(DNSKEYRecordContent& drc, const std::string& content) 164 { 165 RSADNSPrivateKey* ret = new RSADNSPrivateKey(); 166 94 167 string sline; 95 168 string key,value; 96 169 map<string, mpi*> places; 97 98 FILE *fp=fopen(fname, "r"); 99 if(!fp) 100 unixDie("opening file '"+string(fname)+"'"); 101 102 rsa_init(rsa, RSA_PKCS_V15, 0, NULL, NULL ); 103 104 places["Modulus"]=&rsa->N; 105 places["PublicExponent"]=&rsa->E; 106 places["PrivateExponent"]=&rsa->D; 107 places["Prime1"]=&rsa->P; 108 places["Prime2"]=&rsa->Q; 109 places["Exponent1"]=&rsa->DP; 110 places["Exponent2"]=&rsa->DQ; 111 places["Coefficient"]=&rsa->QP; 112 170 171 rsa_init(&ret->d_context, RSA_PKCS_V15, 0, NULL, NULL ); 172 173 places["Modulus"]=&ret->d_context.N; 174 places["PublicExponent"]=&ret->d_context.E; 175 places["PrivateExponent"]=&ret->d_context.D; 176 places["Prime1"]=&ret->d_context.P; 177 places["Prime2"]=&ret->d_context.Q; 178 places["Exponent1"]=&ret->d_context.DP; 179 places["Exponent2"]=&ret->d_context.DQ; 180 places["Coefficient"]=&ret->d_context.QP; 181 182 string modulus, exponent; 183 istringstream str(content); 113 184 unsigned char decoded[1024]; 114 DNSKEYRecordContent drc; 115 string modulus, exponent; 116 while(stringfgets(fp, sline)) { 185 while(getline(str, sline)) { 117 186 tie(key,value)=splitField(sline, ':'); 118 187 trim(value); 119 trim(key); 120 if(key.empty()) 121 
continue; 188 122 189 if(places.count(key)) { 123 190 if(places[key]) { … … 137 204 } 138 205 else { 139 if(key =="Algorithm") {206 if(key == "Algorithm") 140 207 drc.d_algorithm = atoi(value.c_str()); 141 }142 208 else if(key != "Private-key-format") 143 209 cerr<<"Unknown field '"<<key<<"'\n"; 144 210 } 145 211 } 146 r sa->len = ( mpi_msb( &rsa->N ) + 7 ) >> 3; // no clue what this does212 ret->d_context.len = ( mpi_msb( &ret->d_context.N ) + 7 ) >> 3; // no clue what this does 147 213 148 214 if(exponent.length() < 255) … … 156 222 drc.d_key.append(modulus); 157 223 drc.d_protocol=3; 158 fclose(fp); 159 return drc; 160 } 161 162 DNSKEYRecordContent getRSAKeyFromISCString(rsa_context* rsa, const std::string& content) 163 { 164 string sline; 165 string key,value; 166 map<string, mpi*> places; 167 168 169 rsa_init(rsa, RSA_PKCS_V15, 0, NULL, NULL ); 170 171 places["Modulus"]=&rsa->N; 172 places["PublicExponent"]=&rsa->E; 173 places["PrivateExponent"]=&rsa->D; 174 places["Prime1"]=&rsa->P; 175 places["Prime2"]=&rsa->Q; 176 places["Exponent1"]=&rsa->DP; 177 places["Exponent2"]=&rsa->DQ; 178 places["Coefficient"]=&rsa->QP; 179 180 DNSKEYRecordContent drc; 181 string modulus, exponent; 182 istringstream str(content); 183 unsigned char decoded[1024]; 184 while(getline(str, sline)) { 185 tie(key,value)=splitField(sline, ':'); 186 trim(value); 187 188 if(places.count(key)) { 189 if(places[key]) { 190 int len=sizeof(decoded); 191 if(base64_decode(decoded, &len, (unsigned char*)value.c_str(), value.length()) < 0) { 192 cerr<<"Error base64 decoding '"<<value<<"'\n"; 193 exit(1); 194 } 195 // B64Decode(value, decoded); 196 // cerr<<key<<" decoded.length(): "<<8*len<<endl; 197 mpi_read_binary(places[key], decoded, len); 198 if(key=="Modulus") 199 modulus.assign((const char*)decoded,len); 200 if(key=="PublicExponent") 201 exponent.assign((const char*)decoded,len); 202 } 203 } 204 else { 205 if(key == "Algorithm") 206 drc.d_algorithm = atoi(value.c_str()); 207 else if(key != 
"Private-key-format") 208 cerr<<"Unknown field '"<<key<<"'\n"; 209 } 210 } 211 rsa->len = ( mpi_msb( &rsa->N ) + 7 ) >> 3; // no clue what this does 212 213 if(exponent.length() < 255) 214 drc.d_key.assign(1, (char) (unsigned int) exponent.length()); 215 else { 216 drc.d_key.assign(1, 0); 217 uint16_t len=htons(exponent.length()); 218 drc.d_key.append((char*)&len, 2); 219 } 220 drc.d_key.append(exponent); 221 drc.d_key.append(modulus); 222 drc.d_protocol=3; 223 224 return drc; 225 } 226 227 DNSKEYRecordContent getRSAKeyFromPEMString(rsa_context* rsa, const std::string& raw) 224 225 return ret; 226 } 227 228 DNSPrivateKey* DNSPrivateKey::fromPEMString(DNSKEYRecordContent& drc, const std::string& raw) 229 { 230 return RSADNSPrivateKey::fromPEMString(drc, raw); 231 } 232 233 DNSPrivateKey* RSADNSPrivateKey::fromPEMString(DNSKEYRecordContent& drc, const std::string& raw) 228 234 { 229 235 vector<string> integers; … … 232 238 map<int, mpi*> places; 233 239 234 rsa_init(rsa, RSA_PKCS_V15, 0, NULL, NULL ); 235 236 places[1]=&rsa->N; 237 places[2]=&rsa->E; 238 places[3]=&rsa->D; 239 places[4]=&rsa->P; 240 places[5]=&rsa->Q; 241 places[6]=&rsa->DP; 242 places[7]=&rsa->DQ; 243 places[8]=&rsa->QP; 244 245 DNSKEYRecordContent drc; 240 RSADNSPrivateKey* ret = new RSADNSPrivateKey; 241 242 rsa_init(&ret->d_context, RSA_PKCS_V15, 0, NULL, NULL ); 243 244 places[1]=&ret->d_context.N; 245 places[2]=&ret->d_context.E; 246 places[3]=&ret->d_context.D; 247 places[4]=&ret->d_context.P; 248 places[5]=&ret->d_context.Q; 249 places[6]=&ret->d_context.DP; 250 places[7]=&ret->d_context.DQ; 251 places[8]=&ret->d_context.QP; 252 246 253 string modulus, exponent; 247 254 … … 257 264 } 258 265 } 259 r sa->len = ( mpi_msb( &rsa->N ) + 7 ) >> 3; // no clue what this does266 ret->d_context.len = ( mpi_msb( &ret->d_context.N ) + 7 ) >> 3; // no clue what this does 260 267 261 268 if(exponent.length() < 255) … … 270 277 drc.d_protocol=3; 271 278 272 return drc; 273 } 274 279 return ret; 280 } 275 
281 276 282 void makeRSAPublicKeyFromDNS(rsa_context* rc, const DNSKEYRecordContent& dkrc) … … 341 347 } 342 348 343 DNSKEYRecordContent makeDNSKEYFromRSAKey(const rsa_context* rc, uint8_t algorithm, uint16_t flags) 349 string RSADNSPrivateKey::getPublicKeyString() const 350 { 351 string keystring; 352 char tmp[max(mpi_size(&d_context.E), mpi_size(&d_context.N))]; 353 354 mpi_write_binary(&d_context.E, (unsigned char*)tmp, mpi_size(&d_context.E) ); 355 string exponent((char*)tmp, mpi_size(&d_context.E)); 356 357 mpi_write_binary(&d_context.N, (unsigned char*)tmp, mpi_size(&d_context.N) ); 358 string modulus((char*)tmp, mpi_size(&d_context.N)); 359 360 if(exponent.length() < 255) 361 keystring.assign(1, (char) (unsigned int) exponent.length()); 362 else { 363 keystring.assign(1, 0); 364 uint16_t len=htons(exponent.length()); 365 keystring.append((char*)&len, 2); 366 } 367 keystring.append(exponent); 368 keystring.append(modulus); 369 return keystring; 370 } 371 372 DNSKEYRecordContent makeDNSKEYFromRSAKey(const DNSPrivateKey* pk, uint8_t algorithm, uint16_t flags) 344 373 { 345 374 DNSKEYRecordContent drc; 346 char tmp[max(mpi_size(&rc->E), mpi_size(&rc->N))]; 347 348 // cerr<<"in makeDNSKEY rsa_check_pubkey: "<<rsa_check_pubkey(rc)<<", bits="<<mpi_size(&rc->N)*8<<endl; 349 350 mpi_write_binary(&rc->E, (unsigned char*)tmp, mpi_size(&rc->E) ); 351 string exponent((char*)tmp, mpi_size(&rc->E)); 352 353 mpi_write_binary(&rc->N, (unsigned char*)tmp, mpi_size(&rc->N) ); 354 string modulus((char*)tmp, mpi_size(&rc->N)); 355 356 if(exponent.length() < 255) 357 drc.d_key.assign(1, (char) (unsigned int) exponent.length()); 358 else { 359 drc.d_key.assign(1, 0); 360 uint16_t len=htons(exponent.length()); 361 drc.d_key.append((char*)&len, 2); 362 } 363 drc.d_key.append(exponent); 364 drc.d_key.append(modulus); 375 365 376 366 377 drc.d_protocol=3; … … 368 379 369 380 drc.d_flags=flags; 370 381 drc.d_key = pk->getPublicKeyString(); 371 382 return drc; 372 383 } … … 415 426 
DNSKEYRecordContent DNSSECPrivateKey::getDNSKEY() const 416 427 { 417 return makeDNSKEYFromRSAKey( &d_key.getConstContext(), d_algorithm, d_flags);428 return makeDNSKEYFromRSAKey(getKey(), d_algorithm, d_flags); 418 429 } 419 430 -
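Review bot: `RSADNSPrivateKey::fromISCString` and `fromPEMString` never validate the key they assemble — a record missing `Prime1`, `Exponent1` or `Coefficient`, or one whose values are mutually inconsistent, leaves zeroed or bogus mpis in `d_context`, and `sign()` will still run `rsa_pkcs1_sign` over it and return whatever comes out instead of failing. Add a consistency check right after the `d_context.len` assignment in both loaders: `if(rsa_check_privkey(&ret->d_context) != 0) { delete ret; throw runtime_error("RSA private key failed consistency check"); }` (the `rsa_check_pubkey` call this change deletes from `makeDNSKEYFromRSAKey` suggests that API is available). The base64 failure in the ISC loader and the failure path in `sign()` both call `exit(1)`, which turns one malformed key row in the backend into an outage for the whole server; throwing `runtime_error` lets the caller skip that key. Separately, `sign()` picks SHA-1 versus SHA-256 purely from `hash.size()==20`, while `fromISCFile`/`fromISCString` accept algorithm 10 (RSASHA512); a 64-byte digest would be wrapped in a SHA-256 DigestInfo, so either add a SHA-512 case or refuse algorithm 10 in the loaders until the signer supports it.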
trunk/pdns/pdns/dnssecinfra.hh
r1903 r1905 18 18 } 19 19 20 class RSAContext 20 class DNSPrivateKey 21 { 22 public: 23 virtual void create(unsigned int bits)=0; 24 virtual std::string convertToISC(unsigned int algorithm) const =0; 25 virtual std::string getPubKeyHash()const =0; 26 virtual std::string sign(const std::string& hash) const =0; 27 virtual std::string getPublicKeyString()const =0; 28 virtual int getBits() const =0; 29 30 static DNSPrivateKey* fromISCFile(DNSKEYRecordContent& drc, const char* fname); 31 static DNSPrivateKey* fromISCString(DNSKEYRecordContent& drc, const std::string& content); 32 static DNSPrivateKey* fromPEMString(DNSKEYRecordContent& drc, const std::string& raw); 33 }; 34 35 class RSADNSPrivateKey : public DNSPrivateKey 21 36 { 22 37 public: 23 RSA Context()38 RSADNSPrivateKey() 24 39 { 25 40 memset(&d_context, 0, sizeof(d_context)); … … 28 43 } 29 44 30 ~RSA Context()45 ~RSADNSPrivateKey() 31 46 { 32 47 PDNSSEC_MF(N); … … 34 49 } 35 50 36 bool operator<(const RSA Context& rhs) const51 bool operator<(const RSADNSPrivateKey& rhs) const 37 52 { 38 53 return tie(d_context.N, d_context.E, d_context.D, d_context.P, d_context.Q, d_context.DP, d_context.DQ, d_context.QP) … … 40 55 } 41 56 42 RSA Context(const RSAContext& orig)57 RSADNSPrivateKey(const RSADNSPrivateKey& orig) 43 58 { 44 59 d_context.ver = orig.d_context.ver; … … 54 69 } 55 70 56 RSA Context& operator=(const RSAContext& orig)71 RSADNSPrivateKey& operator=(const RSADNSPrivateKey& orig) 57 72 { 58 73 d_context.ver = orig.d_context.ver; … … 84 99 void create(unsigned int bits); 85 100 std::string convertToISC(unsigned int algorithm) const; 86 std::string getPubKeyHash(); 101 std::string getPubKeyHash() const; 102 std::string sign(const std::string& hash) const; 103 std::string getPublicKeyString() const; 104 int getBits() const 105 { 106 return mpi_size(&d_context.N)*8; 107 } 108 static DNSPrivateKey* fromISCString(DNSKEYRecordContent& drc, const std::string& content); 109 static DNSPrivateKey* 
fromPEMString(DNSKEYRecordContent& drc, const std::string& raw); 110 87 111 private: 88 112 rsa_context d_context; … … 98 122 uint16_t getTag(); 99 123 100 RSAContext d_key; 124 const DNSPrivateKey* getKey() const 125 { 126 return d_key.get(); 127 } 128 129 void setKey(const shared_ptr<DNSPrivateKey> key) 130 { 131 d_key = key; 132 } 101 133 DNSKEYRecordContent getDNSKEY() const; 102 134 uint8_t d_algorithm; 103 135 uint16_t d_flags; 136 137 private: 138 shared_ptr<DNSPrivateKey> d_key; 104 139 }; 105 140 -
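Review bot: `DNSPrivateKey` is now a polymorphic base with pure-virtual methods but no virtual destructor, and every factory (`fromISCFile`, `fromISCString`, `fromPEMString`) returns a `DNSPrivateKey*` that callers wrap in `shared_ptr<DNSPrivateKey>`; deleting through that base pointer is undefined behaviour, and in practice the `RSADNSPrivateKey` destructor that frees the mpi members via `PDNSSEC_MF` never runs, so private-key material is leaked rather than released. Add `virtual ~DNSPrivateKey() {}` to the base class. The `sign` interface also drops the algorithm: `virtual std::string sign(const std::string& hash) const =0;` leaves the implementation only the hash length to choose a digest by, so consider `sign(const std::string& hash, uint8_t algorithm) const` so the caller's RRSIG algorithm decides the DigestInfo rather than a size heuristic.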
trunk/pdns/pdns/dnssecsigner.cc
r1899 r1905 110 110 void fillOutRRSIG(DNSSECPrivateKey& dpk, const std::string& signQName, RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& toSign) 111 111 { 112 DNSKEYRecordContent drc = dpk.getDNSKEY();113 RSAContext& rc = dpk.d_key;112 DNSKEYRecordContent drc = dpk.getDNSKEY(); 113 const DNSPrivateKey* rc = dpk.getKey(); 114 114 rrc.d_tag = drc.getTag(); 115 115 rrc.d_algorithm = drc.d_algorithm; 116 116 string realhash=getHashForRRSET(signQName, rrc, toSign); // this is what we sign 117 117 118 unsigned char signature[mpi_size(&rc.getContext().N)]; 119 pair<string, string> lookup(rc.getPubKeyHash(), realhash); 118 pair<string, string> lookup(rc->getPubKeyHash(), realhash); 120 119 121 120 { … … 130 129 } 131 130 132 int ret=rsa_pkcs1_sign(&rc.getContext(), RSA_PRIVATE, 133 rrc.d_algorithm < 8 ? SIG_RSA_SHA1 : SIG_RSA_SHA256, 134 rrc.d_algorithm < 8 ? 20 : 32, 135 (unsigned char*) realhash.c_str(), signature); 136 137 if(ret!=0) { 138 cerr<<"signing returned: "<<ret<<endl; 139 exit(1); 140 } 141 142 rrc.d_signature.assign((char*)signature, sizeof(signature)); 131 rrc.d_signature = rc->sign(realhash); 143 132 144 133 Lock l(&g_signatures_lock); -
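Review bot: `const DNSPrivateKey* rc = dpk.getKey();` is dereferenced on the following lines (`rc->getPubKeyHash()`, `rc->sign(realhash)`) without a null check, and `DNSSECPrivateKey::getKey()` just returns `d_key.get()`, which is null for a `DNSSECPrivateKey` whose `setKey` was never called; the old code held the key by value so this path could not occur. Guard it at the top: `if(!rc) throw runtime_error("fillOutRRSIG: no private key set for "+signQName);`. The digest choice also no longer follows the record: the removed code selected SHA-1 or SHA-256 from `rrc.d_algorithm`, whereas `rc->sign(realhash)` only sees the hash length, so passing `rrc.d_algorithm` through (or at least asserting that `realhash.size()` matches the algorithm's digest) would stop a mismatch from silently producing a signature validators reject. `fillOutRRSIG` continues past the end of this hunk.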
trunk/pdns/pdns/nsecrecords.cc
r1643 r1905 66 66 for(unsigned int n=0 ; n < len ; ++n) { 67 67 uint8_t val=bitmap[2+n]; 68 for(int bit = 0; bit < 8 ; ++bit , val>>=1) 68 for(int bit = 0; bit < 8 ; ++bit , val>>=1) 69 69 if(val & 1) { 70 ret->d_set.insert((7-bit) + 8*(n));70 ret->d_set.insert((7-bit) + 8*(n)); 71 71 } 72 72 } -
trunk/pdns/pdns/pdnssec.cc
r1894 r1905 201 201 BOOST_FOREACH(DNSSECKeeper::keyset_t::value_type value, keyset) { 202 202 cout<<"ID = "<<value.second.id<<" ("<<(value.second.keyOrZone ? "KSK" : "ZSK")<<"), tag = "<<value.first.getDNSKEY().getTag(); 203 cout<<", algo = "<<(int)value.first.d_algorithm<<", bits = "<<value.first. d_key.getConstContext().len*8<<"\tActive: "<<value.second.active<< endl; // humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl;203 cout<<", algo = "<<(int)value.first.d_algorithm<<", bits = "<<value.first.getKey()->getBits()<<"\tActive: "<<value.second.active<< endl; // humanTime(value.second.beginValidity)<<" - "<<humanTime(value.second.endValidity)<<endl; 204 204 if(value.second.keyOrZone) { 205 205 cout<<"KSK DNSKEY = "<<zone<<" IN DNSKEY "<< value.first.getDNSKEY().getZoneRepresentation() << endl; … … 414 414 unsigned int id=atoi(cmds[2].c_str()); 415 415 DNSSECPrivateKey dpk=dk.getKeyById(zone, id); 416 cout << dpk. d_key.convertToISC(dpk.d_algorithm) <<endl;416 cout << dpk.getKey()->convertToISC(dpk.d_algorithm) <<endl; 417 417 } 418 418 else if(cmds[0]=="import-zone-key-pem") { … … 434 434 B64Decode(interim, raw); 435 435 DNSSECPrivateKey dpk; 436 getRSAKeyFromPEMString(&dpk.d_key.getContext(), raw); 436 DNSKEYRecordContent drc; 437 shared_ptr<DNSPrivateKey> key(DNSPrivateKey::fromPEMString(drc, raw)); 438 dpk.setKey(key); 437 439 438 440 dpk.d_algorithm = atoi(cmds[3].c_str()); … … 467 469 string fname=cmds[2]; 468 470 DNSSECPrivateKey dpk; 469 DNSKEYRecordContent drc = getRSAKeyFromISC(&dpk.d_key.getContext(), fname.c_str()); 471 DNSKEYRecordContent drc; 472 shared_ptr<DNSPrivateKey> key(DNSPrivateKey::fromISCFile(drc, fname.c_str())); 473 dpk.setKey(key); 470 474 dpk.d_algorithm = drc.d_algorithm; 471 475
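Review bot: In the `import-zone-key-pem` branch the DNSSEC algorithm is taken straight from `atoi(cmds[3].c_str())` and stored without being checked against the key just loaded — `DNSPrivateKey::fromPEMString` only ever builds an RSA key, so a typo, a non-RSA algorithm number, or 0 from a non-numeric argument is persisted through `addKey`, and every RRSIG made with that key will either fail validation or (where the digest differs) be signed with the wrong DigestInfo. Validate against the set the loaders accept before assigning: `int algo = atoi(cmds[3].c_str()); if(algo != 5 && algo != 7 && algo != 8 && algo != 10) throw runtime_error("Unsupported RSA DNSSEC algorithm '"+cmds[3]+"' (expected 5, 7, 8 or 10)");`. The `import-zone-key` branch is fine in this respect because `fromISCFile` already rejects unknown algorithms, but it would be worth applying the same check there too so both import paths agree. The enclosing command dispatch starts and ends outside this hunk.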