Changeset 1951

Timestamp:

01/31/11 22:59:45 (2 years ago)

Author:

ahu

Message:

- scary commit -
add a generic botan1.8/botan1.9 signer/verifier for RSA
refactor the signer/verifier API so the more code moves out of the per-engine interface
add the ability to have multiple enginers for a single algorithm, plus add the notion of a 'fallback' engine, in our case polarssl
update some copyright statements

Location:

trunk/pdns/pdns

Files:

• Makefile.am (modified) (2 diffs)
• botan18signers.cc (modified) (7 diffs)
• botan19signers.cc (modified) (9 diffs)
• botansigners.cc (added)
• communicator.cc (modified) (1 diff)
• dnssecinfra.cc (modified) (5 diffs)
• dnssecinfra.hh (modified) (3 diffs)
• dnssecsigner.cc (modified) (2 diffs)
• mastercommunicator.cc (modified) (1 diff)
• pdnssec.cc (modified) (1 diff)
• polarrsakeyinfra.cc (modified) (8 diffs)

trunk/pdns/pdns/Makefile.am

@@ -48 +48 @@
 
 if BOTAN19
-pdns_server_SOURCES += botan19signers.cc
+pdns_server_SOURCES += botan19signers.cc botansigners.cc
 pdns_server_LDADD += -lbotan -lgmp
 endif
 
 if BOTAN18
-pdns_server_SOURCES += botan18signers.cc
+pdns_server_SOURCES += botan18signers.cc botansigners.cc
 pdns_server_LDADD += -lbotan -lgmp
 endif
@@ -72 +72 @@
 
 if BOTAN19
-pdnssec_SOURCES += botan19signers.cc
+pdnssec_SOURCES += botan19signers.cc botansigners.cc
 pdnssec_LDADD += -lbotan -lgmp
 endif
 
 if BOTAN18
-pdnssec_SOURCES += botan18signers.cc
+pdnssec_SOURCES += botan18signers.cc botansigners.cc
 pdnssec_LDADD += -lbotan -lgmp
 endif

trunk/pdns/pdns/botan18signers.cc

@@ -11 +11 @@
 using namespace Botan;
 
-//////////////////////////////
-
 class ECDSADNSPrivateKey : public DNSPrivateKey
 {
@@ -23 +21 @@
   std::string sign(const std::string& hash) const; 
   std::string hash(const std::string& hash) const; 
-  bool verify(const std::string& hash, const std::string& signature) const;
+  bool verify(const std::string& msg, const std::string& signature) const;
   std::string getPublicKeyString() const;
   int getBits() const;
-  void fromISCString(DNSKEYRecordContent& drc, const std::string& content);
+  void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap);
   void fromPublicKeyString(unsigned int algorithm, const std::string& content);
   void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw)
@@ -60 +58 @@
   }
   d_key = shared_ptr<ECDSA_PrivateKey>(new ECDSA_PrivateKey(rng, getECParams((bits == 256) ? 13 : 14)));
-  
   
   PKCS8_Encoder* pk8e= d_key->pkcs8_encoder();
@@ -106 +103 @@
 }
 
-void ECDSADNSPrivateKey::fromISCString(DNSKEYRecordContent& drc, const std::string& content )
+void ECDSADNSPrivateKey::fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap )
 {
   /*Private-key-format: v1.2
    Algorithm: 13 (ECDSAP256SHA256)
    PrivateKey: GU6SnQ/Ou+xC5RumuIUIuJZteXT2z0O/ok1s38Et6mQ= */
-  
-  istringstream input(content);
-  string sline, key, value, privateKey;
-  while(getline(input, sline)) {
-    tie(key,value)=splitField(sline, ':');
-    trim(value);
-    if(pdns_iequals(key,"Private-key-format")) {}
-    else if(key=="Algorithm")
-      drc.d_algorithm = atoi(value.c_str());
-    else if(key=="PrivateKey") {
-      Pipe pipe(new Base64_Decoder);
-      pipe.process_msg(value);
-      privateKey=pipe.read_all_as_string();
-    }
-    else
-      throw runtime_error("Unknown field '"+key+"' in Private Key Representation of ECDSA");
-  }
-  d_algorithm = drc.d_algorithm;
+     
+  d_algorithm = drc.d_algorithm = atoi(stormap["algorithm"].c_str());
+  string privateKey = stormap["privatekey"];
+  
   BigInt bigint((byte*)privateKey.c_str(), privateKey.length());
   
@@ -150 +133 @@
   
   MemoryVector<byte> tmp((byte*)noIdea.c_str(), noIdea.length());
-  cerr<<"key_bits"<<endl;
   p8e->key_bits(tmp);
-  cerr<<"Done reading"<<endl;
   delete p8e;
 }
@@ -193 +174 @@
 }
 
-
-std::string ECDSADNSPrivateKey::sign(const std::string& hash) const
+std::string ECDSADNSPrivateKey::sign(const std::string& msg) const
 {
   AutoSeeded_RNG rng;
+  string hash = this->hash(msg);
   SecureVector<byte> signature=d_key->sign((byte*)hash.c_str(), hash.length(), rng);
   
@@ -217 +198 @@
 }
 
-
-bool ECDSADNSPrivateKey::verify(const std::string& hash, const std::string& signature) const
-{
-  ECDSA_PublicKey* key;
-  if(d_key)
-    key = d_key.get();
-  else
-    key = d_pubkey.get();
-    
+bool ECDSADNSPrivateKey::verify(const std::string& msg, const std::string& signature) const
+{
+  string hash = this->hash(msg);
+  ECDSA_PublicKey* key = d_key ? d_key.get() : d_pubkey.get();
   return key->verify((byte*)hash.c_str(), hash.length(), (byte*)signature.c_str(), signature.length());
 }
-
 namespace {
 struct LoaderStruct

trunk/pdns/pdns/botan19signers.cc

@@ -33 +33 @@
   std::string getPublicKeyString() const;
   int getBits() const;
-  void fromISCString(DNSKEYRecordContent& drc, const std::string& content);
+  void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& content);
   void fromPublicKeyString(unsigned int algorithm, const std::string& content);
   void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw)
@@ -106 +106 @@
 
 
-void GOSTDNSPrivateKey::fromISCString(DNSKEYRecordContent& drc, const std::string& content )
+void GOSTDNSPrivateKey::fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap )
 { 
-  istringstream input(content);
-  string sline, key, value, privateKey;
-  while(getline(input, sline)) {
-    tie(key,value)=splitField(sline, ':');
-    trim(value);
-    if(pdns_iequals(key,"Private-key-format")) {}
-    else if(key=="Algorithm")
-      drc.d_algorithm = atoi(value.c_str());
-    else if(key=="GostAsn1") {
-      Pipe pipe(new Base64_Decoder);
-      pipe.process_msg(value);
-      privateKey=pipe.read_all_as_string();
-    }
-    else
-      throw runtime_error("Unknown field '"+key+"' in Private Key Representation of GOST");
-  }
+  drc.d_algorithm = atoi(stormap["algorithm"].c_str());
+  string privateKey=stormap["gostasn1"];
   //cerr<<"PrivateKey.size() = "<<privateKey.size()<<endl;
   //cerr<<makeHexDump(string(privateKey.c_str(), 39))<<endl;
@@ -207 +193 @@
  */
 
-std::string GOSTDNSPrivateKey::sign(const std::string& hash) const
+std::string GOSTDNSPrivateKey::sign(const std::string& msg) const
 {
   GOST_3410_Signature_Operation ops(*d_key);
   AutoSeeded_RNG rng;
+  
+  string hash= this->hash(msg);
+  
   SecureVector<byte> signature=ops.sign((byte*)hash.c_str(), hash.length(), rng);
 
@@ -232 +221 @@
 
 
-bool GOSTDNSPrivateKey::verify(const std::string& hash, const std::string& signature) const
-{
+bool GOSTDNSPrivateKey::verify(const std::string& message, const std::string& signature) const
+{
+  string hash = this->hash(message);
   GOST_3410_PublicKey* pk;
   if(d_pubkey) {
@@ -274 +264 @@
   std::string getPublicKeyString() const;
   int getBits() const;
-  void fromISCString(DNSKEYRecordContent& drc, const std::string& content);
+  void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap);
   void fromPublicKeyString(unsigned int algorithm, const std::string& content);
   void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw)
@@ -352 +342 @@
 }
 
-void ECDSADNSPrivateKey::fromISCString(DNSKEYRecordContent& drc, const std::string& content )
+void ECDSADNSPrivateKey::fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap)
 {
   /*Private-key-format: v1.2
@@ -358 +348 @@
    PrivateKey: GU6SnQ/Ou+xC5RumuIUIuJZteXT2z0O/ok1s38Et6mQ= */
   
-  istringstream input(content);
-  string sline, key, value, privateKey;
-  while(getline(input, sline)) {
-    tie(key,value)=splitField(sline, ':');
-    trim(value);
-    if(pdns_iequals(key,"Private-key-format")) {}
-    else if(key=="Algorithm")
-      drc.d_algorithm = atoi(value.c_str());
-    else if(key=="PrivateKey") {
-      Pipe pipe(new Base64_Decoder);
-      pipe.process_msg(value);
-      privateKey=pipe.read_all_as_string();
-    }
-    else
-      throw runtime_error("Unknown field '"+key+"' in Private Key Representation of ECDSA");
-  }
+  drc.d_algorithm = atoi(stormap["algorithm"].c_str());
+  string privateKey=stormap["privatekey"];
+  
   d_algorithm = drc.d_algorithm;
   BigInt bigint((byte*)privateKey.c_str(), privateKey.length());
@@ -379 +356 @@
   EC_Domain_Params params=getECParams(drc.d_algorithm);
   d_key=shared_ptr<ECDSA_PrivateKey>(new ECDSA_PrivateKey(params, bigint));
-  
 }
 
@@ -418 +394 @@
 
 
-std::string ECDSADNSPrivateKey::sign(const std::string& hash) const
-{
+std::string ECDSADNSPrivateKey::sign(const std::string& msg) const
+{
+  string hash = this->hash(msg);
   ECDSA_Signature_Operation ops(*d_key);
   AutoSeeded_RNG rng;

trunk/pdns/pdns/communicator.cc

@@ -1 +1 @@
 /*
     PowerDNS Versatile Database Driven Nameserver
-    Copyright (C) 2002-2009  PowerDNS.COM BV
+    Copyright (C) 2002-2011  PowerDNS.COM BV
 
     This program is free software; you can redistribute it and/or modify

trunk/pdns/pdns/dnssecinfra.cc

@@ -13 +13 @@
 #include <boost/assign/std/vector.hpp> // for 'operator+=()'
 #include <boost/assign/list_inserter.hpp>
+#include "base64.hh"
 
 using namespace boost;
@@ -20 +21 @@
 DNSPrivateKey* DNSPrivateKey::makeFromISCFile(DNSKEYRecordContent& drc, const char* fname)
 {
-  string sline, isc, key, value;
+  string sline, isc;
   FILE *fp=fopen(fname, "r");
   if(!fp) {
     throw runtime_error("Unable to read file '"+string(fname)+"' for generating DNS Private Key");
   }
-  int algorithm=0;
+  
   while(stringfgets(fp, sline)) {
+    isc += sline;
+  }
+  fclose(fp);
+  return makeFromISCString(drc, isc);
+}
+
+DNSPrivateKey* DNSPrivateKey::makeFromISCString(DNSKEYRecordContent& drc, const std::string& content)
+{
+  int algorithm = 0;
+  string sline, key, value, raw;
+  istringstream str(content);
+  map<string, string> stormap;
+  while(getline(str, sline)) {
     tie(key,value)=splitField(sline, ':');
-    if(pdns_iequals(key,"algorithm"))
+    trim(value);
+    if(pdns_iequals(key,"algorithm")) {
       algorithm = atoi(value.c_str());
-    isc.append(sline);
-  }
-  fclose(fp);
-
+      stormap["algorithm"]=lexical_cast<string>(algorithm);
+      continue;
+    }
+    else if(pdns_iequals(key, "Private-key-format"))
+      continue;
+    raw.clear();
+    B64Decode(value, raw);
+    stormap[toLower(key)]=raw;
+  }
   DNSPrivateKey* dpk=make(algorithm);
-  dpk->fromISCString(drc, isc);
+  dpk->fromISCMap(drc, stormap);
   return dpk;
 }
+
 
 DNSPrivateKey* DNSPrivateKey::make(unsigned int algo)
@@ -50 +71 @@
 }
 
-void DNSPrivateKey::report(unsigned int algo, maker_t* maker)
-{
+void DNSPrivateKey::report(unsigned int algo, maker_t* maker, bool fallback)
+{
+  if(getMakers().count(algo) && fallback) {
+    return;
+  }
   getMakers()[algo]=maker;
-}
-DNSPrivateKey* DNSPrivateKey::makeFromISCString(DNSKEYRecordContent& drc, const std::string& content)
-{
-  int algorithm = 0;
-  string sline, key, value;
-  istringstream str(content);
-  while(getline(str, sline)) {
-    tie(key,value)=splitField(sline, ':');
-    if(pdns_iequals(key,"algorithm")) {
-      algorithm = atoi(value.c_str());
-      break;
-    }
-  }
-  DNSPrivateKey* dpk=make(algorithm);
-  dpk->fromISCString(drc, content);
-  return dpk;
 }
 
@@ -104 +112 @@
 }
 
-string getHashForRRSET(const std::string& qname, const RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& signRecords) 
+string getMessageForRRSET(const std::string& qname, const RRSIGRecordContent& rrc, vector<shared_ptr<DNSRecordContent> >& signRecords) 
 {
   sort(signRecords.begin(), signRecords.end(), sharedDNSSECCompare);
@@ -126 +134 @@
   }
   
-  shared_ptr<DNSPrivateKey> dpk(DNSPrivateKey::make(rrc.d_algorithm));
-  return dpk->hash(toHash);
+  return toHash;
 }
 

trunk/pdns/pdns/dnssecinfra.hh

@@ -20 +20 @@
     virtual int getBits() const =0;
     
-    virtual void fromISCString(DNSKEYRecordContent& drc, const std::string& content)=0;
+    virtual void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap)=0;
     virtual void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw)=0;
     virtual void fromPublicKeyString(unsigned algorithm, const std::string& content)
@@ -35 +35 @@
     typedef DNSPrivateKey* maker_t(unsigned int algorithm);
     
-    static void report(unsigned int algorithm, maker_t* maker);
+    static void report(unsigned int algorithm, maker_t* maker, bool fallback=false);
   private:
     
@@ -87 +87 @@
 
 bool sharedDNSSECCompare(const boost::shared_ptr<DNSRecordContent>& a, const shared_ptr<DNSRecordContent>& b);
-string getHashForRRSET(const std::string& qname, const RRSIGRecordContent& rrc, std::vector<boost::shared_ptr<DNSRecordContent> >& signRecords);
+string getMessageForRRSET(const std::string& qname, const RRSIGRecordContent& rrc, std::vector<boost::shared_ptr<DNSRecordContent> >& signRecords);
 
 DSRecordContent makeDSFromDNSKey(const std::string& qname, const DNSKEYRecordContent& drc, int digest=1);

trunk/pdns/pdns/dnssecsigner.cc

@@ -115 +115 @@
   rrc.d_tag = drc.getTag();
   rrc.d_algorithm = drc.d_algorithm;
-  string realhash=getHashForRRSET(signQName, rrc, toSign); // this is what we sign
 
-  pair<string, string> lookup(rc->getPubKeyHash(), realhash);
+  string msg=getMessageForRRSET(signQName, rrc, toSign); // this is what we will hash & sign
+
+  pair<string, string> lookup(rc->getPubKeyHash(), msg); // we key on the whole message now!
   
   {
@@ -130 +131 @@
   }
   
-  rrc.d_signature = rc->sign(realhash);
+  //DTime dt;
+  //dt.set();
+  rrc.d_signature = rc->sign(msg);
+  //cerr<<dt.udiff()<<endl;
 
   Lock l(&g_signatures_lock);

trunk/pdns/pdns/mastercommunicator.cc

@@ -1 +1 @@
 /*
     PowerDNS Versatile Database Driven Nameserver
-    Copyright (C) 2002-2009  PowerDNS.COM BV
+    Copyright (C) 2002-2011  PowerDNS.COM BV
 
     This program is free software; you can redistribute it and/or modify

trunk/pdns/pdns/pdnssec.cc

@@ -209 +209 @@
   }
   
-  string hash = getHashForRRSET(qname, rrc, toSign);        
+  string msg = getMessageForRRSET(qname, rrc, toSign);        
+  DNSPrivateKey* dpk = DNSPrivateKey::make(rrc.d_algorithm);
+  string hash = dpk->sign(msg);
   cerr<<"Verify: "<<DNSPrivateKey::makeFromPublicKeyString(drc.d_algorithm, drc.d_key)->verify(hash, rrc.d_signature)<<endl;
   if(dsrc.d_digesttype) {

trunk/pdns/pdns/polarrsakeyinfra.cc

@@ -93 +93 @@
     return mpi_size(&d_context.N)*8;
   }
-  void fromISCString(DNSKEYRecordContent& drc, const std::string& content);
+  void fromISCMap(DNSKEYRecordContent& drc, std::map<std::string, std::string>& stormap);
   void fromPEMString(DNSKEYRecordContent& drc, const std::string& raw);
   void fromPublicKeyString(unsigned int algorithm, const std::string& raw);
@@ -145 +145 @@
 }
 
-std::string RSADNSPrivateKey::sign(const std::string& hash) const
-{
+std::string RSADNSPrivateKey::sign(const std::string& msg) const
+{
+  string hash = this->hash(msg);
   unsigned char signature[mpi_size(&d_context.N)];
   int hashKind;
@@ -168 +169 @@
 }
 
-bool RSADNSPrivateKey::verify(const std::string& hash, const std::string& signature) const
+bool RSADNSPrivateKey::verify(const std::string& msg, const std::string& signature) const
 {
   int hashKind;
+  string hash=this->hash(msg);
   if(hash.size()==20)
     hashKind= SIG_RSA_SHA1;
@@ -177 +179 @@
   else
     hashKind = SIG_RSA_SHA512;
+  
+  
   
   int ret=rsa_pkcs1_verify(const_cast<rsa_context*>(&d_context), RSA_PUBLIC, 
@@ -248 +252 @@
 
 
-void RSADNSPrivateKey::fromISCString(DNSKEYRecordContent& drc, const std::string& content)
+void RSADNSPrivateKey::fromISCMap(DNSKEYRecordContent& drc,  std::map<std::string, std::string>& stormap)
 {
   string sline;
   string key,value;
-  map<string, mpi*> places;
+  typedef map<string, mpi*> places_t;
+  places_t places;
   
   rsa_init(&d_context, RSA_PKCS_V15, 0, NULL, NULL );
@@ -264 +269 @@
   places["Exponent2"]=&d_context.DQ;
   places["Coefficient"]=&d_context.QP;
-
-  string modulus, exponent;
-  istringstream str(content);
-  unsigned char decoded[1024];
-  while(getline(str, sline)) {
-    tie(key,value)=splitField(sline, ':');
-    trim(value);
-
-    if(places.count(key)) {
-      if(places[key]) {
-        int len=sizeof(decoded);
-        if(base64_decode(decoded, &len, (unsigned char*)value.c_str(), value.length()) < 0) {
-          cerr<<"Error base64 decoding '"<<value<<"'\n";
-          exit(1);
-        }
-        //      B64Decode(value, decoded);
-        //      cerr<<key<<" decoded.length(): "<<8*len<<endl;
-        mpi_read_binary(places[key], decoded, len);
-        if(key=="Modulus")
-          modulus.assign((const char*)decoded,len);
-        if(key=="PublicExponent")
-          exponent.assign((const char*)decoded,len);
-      }
-    }
-    else {
-      if(key == "Algorithm") 
-        drc.d_algorithm = atoi(value.c_str());
-      else if(key != "Private-key-format")
-        cerr<<"Unknown field '"<<key<<"'\n";
-    }
-  }
+  
+  drc.d_algorithm = atoi(stormap["algorithm"].c_str());
+  
+  string raw;
+  BOOST_FOREACH(const places_t::value_type& val, places) {
+    raw=stormap[toLower(val.first)];
+    mpi_read_binary(val.second, (unsigned char*) raw.c_str(), raw.length());
+  }
+
   d_context.len = ( mpi_msb( &d_context.N ) + 7 ) >> 3; // no clue what this does
-
-  if(exponent.length() < 255) 
-    drc.d_key.assign(1, (char) (unsigned int) exponent.length());
-  else {
-    drc.d_key.assign(1, 0);
-    uint16_t len=htons(exponent.length());
-    drc.d_key.append((char*)&len, 2);
-  }
-  drc.d_key.append(exponent);
-  drc.d_key.append(modulus);
+  drc.d_key = this->getPublicKeyString();
   drc.d_protocol=3;
 }
@@ -394 +368 @@
   return keystring;
 }
+
 namespace {
 struct LoaderStruct
@@ -399 +374 @@
   LoaderStruct()
   {
-    DNSPrivateKey::report(5, &RSADNSPrivateKey::maker);
-    DNSPrivateKey::report(7, &RSADNSPrivateKey::maker);
-    DNSPrivateKey::report(8, &RSADNSPrivateKey::maker);
-    DNSPrivateKey::report(10, &RSADNSPrivateKey::maker);
+    DNSPrivateKey::report(5, &RSADNSPrivateKey::maker, true);
+    DNSPrivateKey::report(7, &RSADNSPrivateKey::maker, true);
+    DNSPrivateKey::report(8, &RSADNSPrivateKey::maker, true);
+    DNSPrivateKey::report(10, &RSADNSPrivateKey::maker, true);
   }
 } loader;
 }
+