2 * Copyright (C) 2009, 2012, 2013 Internet Systems Consortium, Inc. ("ISC")
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
17 /* $Id: keygen.c,v 1.4 2009/11/12 14:02:38 marka Exp $ */
26 #include <isc/base64.h>
27 #include <isc/buffer.h>
28 #include <isc/entropy.h>
30 #include <isc/keyboard.h>
32 #include <isc/result.h>
33 #include <isc/string.h>
35 #include <dns/keyvalues.h>
39 #include <confgen/os.h>
45 * Convert algorithm type to string.
48 alg_totext(dns_secalg_t alg) {
52 case DST_ALG_HMACSHA1:
54 case DST_ALG_HMACSHA224:
56 case DST_ALG_HMACSHA256:
58 case DST_ALG_HMACSHA384:
60 case DST_ALG_HMACSHA512:
68 * Convert string to algorithm type.
71 alg_fromtext(const char *name) {
72 if (strcmp(name, "hmac-md5") == 0)
73 return DST_ALG_HMACMD5;
74 if (strcmp(name, "hmac-sha1") == 0)
75 return DST_ALG_HMACSHA1;
76 if (strcmp(name, "hmac-sha224") == 0)
77 return DST_ALG_HMACSHA224;
78 if (strcmp(name, "hmac-sha256") == 0)
79 return DST_ALG_HMACSHA256;
80 if (strcmp(name, "hmac-sha384") == 0)
81 return DST_ALG_HMACSHA384;
82 if (strcmp(name, "hmac-sha512") == 0)
83 return DST_ALG_HMACSHA512;
84 return DST_ALG_UNKNOWN;
88 * Return default keysize for a given algorithm type.
91 alg_bits(dns_secalg_t alg) {
95 case DST_ALG_HMACSHA1:
97 case DST_ALG_HMACSHA224:
99 case DST_ALG_HMACSHA256:
101 case DST_ALG_HMACSHA384:
103 case DST_ALG_HMACSHA512:
111 * Generate a key of size 'keysize' using entropy source 'randomfile',
112 * and place it in 'key_txtbuffer'
115 generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
116 int keysize, isc_buffer_t *key_txtbuffer) {
117 isc_result_t result = ISC_R_SUCCESS;
118 isc_entropysource_t *entropy_source = NULL;
119 int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
120 int entropy_flags = 0;
121 isc_entropy_t *ectx = NULL;
122 isc_buffer_t key_rawbuffer;
123 isc_region_t key_rawregion;
124 char key_rawsecret[64];
125 dst_key_t *key = NULL;
128 case DST_ALG_HMACMD5:
129 case DST_ALG_HMACSHA1:
130 case DST_ALG_HMACSHA224:
131 case DST_ALG_HMACSHA256:
132 if (keysize < 1 || keysize > 512)
133 fatal("keysize %d out of range (must be 1-512)\n",
136 case DST_ALG_HMACSHA384:
137 case DST_ALG_HMACSHA512:
138 if (keysize < 1 || keysize > 1024)
139 fatal("keysize %d out of range (must be 1-1024)\n",
143 fatal("unsupported algorithm %d\n", alg);
147 DO("create entropy context", isc_entropy_create(mctx, &ectx));
149 if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
151 open_keyboard = ISC_ENTROPY_KEYBOARDYES;
153 DO("start entropy source", isc_entropy_usebestsource(ectx,
158 entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
160 DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
162 DO("generate key", dst_key_generate(dns_rootname, alg,
165 dns_rdataclass_in, mctx, &key));
167 isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
169 DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
171 isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
173 DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
177 * Shut down the entropy source now so the "stop typing" message
178 * does not muck with the output.
180 if (entropy_source != NULL)
181 isc_entropy_destroysource(&entropy_source);
186 isc_entropy_detach(&ectx);
191 * Write a key file to 'keyfile'. If 'user' is non-NULL,
192 * make that user the owner of the file. The key will have
193 * the name 'keyname' and the secret in the buffer 'secret'.
196 write_key_file(const char *keyfile, const char *user,
197 const char *keyname, isc_buffer_t *secret,
200 const char *algname = alg_totext(alg);
203 DO("create keyfile", isc_file_safecreate(keyfile, &fd));
206 if (set_user(fd, user) == -1)
207 fatal("unable to set file owner\n");
210 fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
211 "\tsecret \"%.*s\";\n};\n",
213 (int)isc_buffer_usedlength(secret),
214 (char *)isc_buffer_base(secret));
217 fatal("write to %s failed\n", keyfile);
219 fatal("fclose(%s) failed\n", keyfile);
220 fprintf(stderr, "wrote key file \"%s\"\n", keyfile);