2 * Portions Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
3 * Portions Copyright (C) 1999-2002 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
10 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
11 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
12 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
15 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
19 * Permission to use, copy, modify, and/or distribute this software for any
20 * purpose with or without fee is hereby granted, provided that the above
21 * copyright notice and this permission notice appear in all copies.
23 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
24 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
25 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
26 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
27 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
28 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
29 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
33 * Principal Author: Brian Wellington
34 * $Id: dst_parse.c,v 1.29 2011/08/18 23:46:35 tbox Exp $
39 #include <isc/base64.h>
41 #include <isc/fsaccess.h>
44 #include <isc/stdtime.h>
45 #include <isc/string.h>
52 #include "dst_internal.h"
53 #include "dst_parse.h"
54 #include "dst/result.h"
56 #define DST_AS_STR(t) ((t).value.as_textregion.base)
58 #define PRIVATE_KEY_STR "Private-key-format:"
59 #define ALGORITHM_STR "Algorithm:"
61 #define TIMING_NTAGS (DST_MAX_TIMES + 1)
62 static const char *timetags[TIMING_NTAGS] = {
72 #define NUMERIC_NTAGS (DST_MAX_NUMERIC + 1)
73 static const char *numerictags[NUMERIC_NTAGS] = {
85 static struct parse_map map[] = {
86 {TAG_RSA_MODULUS, "Modulus:"},
87 {TAG_RSA_PUBLICEXPONENT, "PublicExponent:"},
88 {TAG_RSA_PRIVATEEXPONENT, "PrivateExponent:"},
89 {TAG_RSA_PRIME1, "Prime1:"},
90 {TAG_RSA_PRIME2, "Prime2:"},
91 {TAG_RSA_EXPONENT1, "Exponent1:"},
92 {TAG_RSA_EXPONENT2, "Exponent2:"},
93 {TAG_RSA_COEFFICIENT, "Coefficient:"},
94 {TAG_RSA_ENGINE, "Engine:" },
95 {TAG_RSA_LABEL, "Label:" },
96 {TAG_RSA_PIN, "PIN:" },
98 {TAG_DH_PRIME, "Prime(p):"},
99 {TAG_DH_GENERATOR, "Generator(g):"},
100 {TAG_DH_PRIVATE, "Private_value(x):"},
101 {TAG_DH_PUBLIC, "Public_value(y):"},
103 {TAG_DSA_PRIME, "Prime(p):"},
104 {TAG_DSA_SUBPRIME, "Subprime(q):"},
105 {TAG_DSA_BASE, "Base(g):"},
106 {TAG_DSA_PRIVATE, "Private_value(x):"},
107 {TAG_DSA_PUBLIC, "Public_value(y):"},
109 {TAG_GOST_PRIVASN1, "GostAsn1:"},
111 {TAG_ECDSA_PRIVATEKEY, "PrivateKey:"},
113 {TAG_HMACMD5_KEY, "Key:"},
114 {TAG_HMACMD5_BITS, "Bits:"},
116 {TAG_HMACSHA1_KEY, "Key:"},
117 {TAG_HMACSHA1_BITS, "Bits:"},
119 {TAG_HMACSHA224_KEY, "Key:"},
120 {TAG_HMACSHA224_BITS, "Bits:"},
122 {TAG_HMACSHA256_KEY, "Key:"},
123 {TAG_HMACSHA256_BITS, "Bits:"},
125 {TAG_HMACSHA384_KEY, "Key:"},
126 {TAG_HMACSHA384_BITS, "Bits:"},
128 {TAG_HMACSHA512_KEY, "Key:"},
129 {TAG_HMACSHA512_BITS, "Bits:"},
135 find_value(const char *s, const unsigned int alg) {
138 for (i = 0; map[i].tag != NULL; i++) {
139 if (strcasecmp(s, map[i].tag) == 0 &&
140 (TAG_ALG(map[i].value) == alg))
141 return (map[i].value);
147 find_tag(const int value) {
151 if (map[i].tag == NULL)
153 else if (value == map[i].value)
159 find_metadata(const char *s, const char *tags[], int ntags) {
162 for (i = 0; i < ntags; i++) {
163 if (strcasecmp(s, tags[i]) == 0)
171 find_timedata(const char *s) {
172 return (find_metadata(s, timetags, TIMING_NTAGS));
176 find_numericdata(const char *s) {
177 return (find_metadata(s, numerictags, NUMERIC_NTAGS));
181 check_rsa(const dst_private_t *priv, isc_boolean_t external) {
183 isc_boolean_t have[RSA_NTAGS];
188 return ((priv->nelements == 0) ? 0 : -1);
190 for (i = 0; i < RSA_NTAGS; i++)
193 for (j = 0; j < priv->nelements; j++) {
194 for (i = 0; i < RSA_NTAGS; i++)
195 if (priv->elements[j].tag == TAG(DST_ALG_RSAMD5, i))
203 mask <<= sizeof(mask) * 8 - TAG_SHIFT;
204 mask >>= sizeof(mask) * 8 - TAG_SHIFT;
206 if (have[TAG_RSA_ENGINE & mask])
207 ok = have[TAG_RSA_MODULUS & mask] &&
208 have[TAG_RSA_PUBLICEXPONENT & mask] &&
209 have[TAG_RSA_LABEL & mask];
211 ok = have[TAG_RSA_MODULUS & mask] &&
212 have[TAG_RSA_PUBLICEXPONENT & mask] &&
213 have[TAG_RSA_PRIVATEEXPONENT & mask] &&
214 have[TAG_RSA_PRIME1 & mask] &&
215 have[TAG_RSA_PRIME2 & mask] &&
216 have[TAG_RSA_EXPONENT1 & mask] &&
217 have[TAG_RSA_EXPONENT2 & mask] &&
218 have[TAG_RSA_COEFFICIENT & mask];
219 return (ok ? 0 : -1 );
223 check_dh(const dst_private_t *priv) {
225 if (priv->nelements != DH_NTAGS)
227 for (i = 0; i < DH_NTAGS; i++) {
228 for (j = 0; j < priv->nelements; j++)
229 if (priv->elements[j].tag == TAG(DST_ALG_DH, i))
231 if (j == priv->nelements)
238 check_dsa(const dst_private_t *priv, isc_boolean_t external) {
242 return ((priv->nelements == 0)? 0 : -1);
244 if (priv->nelements != DSA_NTAGS)
247 for (i = 0; i < DSA_NTAGS; i++) {
248 for (j = 0; j < priv->nelements; j++)
249 if (priv->elements[j].tag == TAG(DST_ALG_DSA, i))
251 if (j == priv->nelements)
258 check_gost(const dst_private_t *priv, isc_boolean_t external) {
261 return ((priv->nelements == 0)? 0 : -1);
263 if (priv->nelements != GOST_NTAGS)
265 if (priv->elements[0].tag != TAG(DST_ALG_ECCGOST, 0))
271 check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
274 return ((priv->nelements == 0) ? 0 : -1);
276 if (priv->nelements != ECDSA_NTAGS)
278 if (priv->elements[0].tag != TAG(DST_ALG_ECDSA256, 0))
284 check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
287 if (priv->nelements != HMACMD5_NTAGS) {
289 * If this is a good old format and we are accepting
290 * the old format return success.
292 if (old && priv->nelements == OLD_HMACMD5_NTAGS &&
293 priv->elements[0].tag == TAG_HMACMD5_KEY)
298 * We must be new format at this point.
300 for (i = 0; i < HMACMD5_NTAGS; i++) {
301 for (j = 0; j < priv->nelements; j++)
302 if (priv->elements[j].tag == TAG(DST_ALG_HMACMD5, i))
304 if (j == priv->nelements)
311 check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
315 if (priv->nelements != ntags)
317 for (i = 0; i < ntags; i++) {
318 for (j = 0; j < priv->nelements; j++)
319 if (priv->elements[j].tag == TAG(alg, i))
321 if (j == priv->nelements)
328 check_data(const dst_private_t *priv, const unsigned int alg,
329 isc_boolean_t old, isc_boolean_t external)
331 /* XXXVIX this switch statement is too sparse to gen a jump table. */
334 case DST_ALG_RSASHA1:
335 case DST_ALG_NSEC3RSASHA1:
336 case DST_ALG_RSASHA256:
337 case DST_ALG_RSASHA512:
338 return (check_rsa(priv, external));
340 return (check_dh(priv));
342 case DST_ALG_NSEC3DSA:
343 return (check_dsa(priv, external));
344 case DST_ALG_ECCGOST:
345 return (check_gost(priv, external));
346 case DST_ALG_ECDSA256:
347 case DST_ALG_ECDSA384:
348 return (check_ecdsa(priv, external));
349 case DST_ALG_HMACMD5:
350 return (check_hmac_md5(priv, old));
351 case DST_ALG_HMACSHA1:
352 return (check_hmac_sha(priv, HMACSHA1_NTAGS, alg));
353 case DST_ALG_HMACSHA224:
354 return (check_hmac_sha(priv, HMACSHA224_NTAGS, alg));
355 case DST_ALG_HMACSHA256:
356 return (check_hmac_sha(priv, HMACSHA256_NTAGS, alg));
357 case DST_ALG_HMACSHA384:
358 return (check_hmac_sha(priv, HMACSHA384_NTAGS, alg));
359 case DST_ALG_HMACSHA512:
360 return (check_hmac_sha(priv, HMACSHA512_NTAGS, alg));
362 return (DST_R_UNSUPPORTEDALG);
367 dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
372 for (i = 0; i < priv->nelements; i++) {
373 if (priv->elements[i].data == NULL)
375 memset(priv->elements[i].data, 0, MAXFIELDSIZE);
376 isc_mem_put(mctx, priv->elements[i].data, MAXFIELDSIZE);
382 dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
383 isc_mem_t *mctx, dst_private_t *priv)
385 int n = 0, major, minor, check;
388 unsigned char *data = NULL;
389 unsigned int opt = ISC_LEXOPT_EOL;
392 isc_boolean_t external = ISC_FALSE;
394 REQUIRE(priv != NULL);
397 memset(priv->elements, 0, sizeof(priv->elements));
399 #define NEXTTOKEN(lex, opt, token) \
401 ret = isc_lex_gettoken(lex, opt, token); \
402 if (ret != ISC_R_SUCCESS) \
406 #define READLINE(lex, opt, token) \
408 ret = isc_lex_gettoken(lex, opt, token); \
409 if (ret == ISC_R_EOF) \
411 else if (ret != ISC_R_SUCCESS) \
413 } while ((*token).type != isc_tokentype_eol)
416 * Read the description line.
418 NEXTTOKEN(lex, opt, &token);
419 if (token.type != isc_tokentype_string ||
420 strcmp(DST_AS_STR(token), PRIVATE_KEY_STR) != 0)
422 ret = DST_R_INVALIDPRIVATEKEY;
426 NEXTTOKEN(lex, opt, &token);
427 if (token.type != isc_tokentype_string ||
428 (DST_AS_STR(token))[0] != 'v')
430 ret = DST_R_INVALIDPRIVATEKEY;
433 if (sscanf(DST_AS_STR(token), "v%d.%d", &major, &minor) != 2)
435 ret = DST_R_INVALIDPRIVATEKEY;
439 if (major > DST_MAJOR_VERSION) {
440 ret = DST_R_INVALIDPRIVATEKEY;
445 * Store the private key format version number
447 dst_key_setprivateformat(key, major, minor);
449 READLINE(lex, opt, &token);
452 * Read the algorithm line.
454 NEXTTOKEN(lex, opt, &token);
455 if (token.type != isc_tokentype_string ||
456 strcmp(DST_AS_STR(token), ALGORITHM_STR) != 0)
458 ret = DST_R_INVALIDPRIVATEKEY;
462 NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
463 if (token.type != isc_tokentype_number ||
464 token.value.as_ulong != (unsigned long) dst_key_alg(key))
466 ret = DST_R_INVALIDPRIVATEKEY;
470 READLINE(lex, opt, &token);
475 for (n = 0; n < MAXFIELDS; n++) {
479 ret = isc_lex_gettoken(lex, opt, &token);
480 if (ret == ISC_R_EOF)
482 if (ret != ISC_R_SUCCESS)
484 } while (token.type == isc_tokentype_eol);
486 if (token.type != isc_tokentype_string) {
487 ret = DST_R_INVALIDPRIVATEKEY;
491 if (strcmp(DST_AS_STR(token), "External:") == 0) {
496 /* Numeric metadata */
497 tag = find_numericdata(DST_AS_STR(token));
499 INSIST(tag < NUMERIC_NTAGS);
501 NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
502 if (token.type != isc_tokentype_number) {
503 ret = DST_R_INVALIDPRIVATEKEY;
507 dst_key_setnum(key, tag, token.value.as_ulong);
511 /* Timing metadata */
512 tag = find_timedata(DST_AS_STR(token));
514 INSIST(tag < TIMING_NTAGS);
516 NEXTTOKEN(lex, opt, &token);
517 if (token.type != isc_tokentype_string) {
518 ret = DST_R_INVALIDPRIVATEKEY;
522 ret = dns_time32_fromtext(DST_AS_STR(token), &when);
523 if (ret != ISC_R_SUCCESS)
526 dst_key_settime(key, tag, when);
532 tag = find_value(DST_AS_STR(token), alg);
533 if (tag < 0 && minor > DST_MINOR_VERSION)
536 ret = DST_R_INVALIDPRIVATEKEY;
540 priv->elements[n].tag = tag;
542 data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
546 isc_buffer_init(&b, data, MAXFIELDSIZE);
547 ret = isc_base64_tobuffer(lex, &b, -1);
548 if (ret != ISC_R_SUCCESS)
551 isc_buffer_usedregion(&b, &r);
552 priv->elements[n].length = r.length;
553 priv->elements[n].data = r.base;
557 READLINE(lex, opt, &token);
562 if (external && priv->nelements != 0) {
563 ret = DST_R_INVALIDPRIVATEKEY;
567 check = check_data(priv, alg, ISC_TRUE, external);
569 ret = DST_R_INVALIDPRIVATEKEY;
571 } else if (check != ISC_R_SUCCESS) {
576 key->external = external;
578 return (ISC_R_SUCCESS);
581 dst__privstruct_free(priv, mctx);
583 isc_mem_put(mctx, data, MAXFIELDSIZE);
589 dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
590 const char *directory)
594 char filename[ISC_DIR_NAMEMAX];
595 char buffer[MAXFIELDSIZE * 2];
596 isc_fsaccess_t access;
605 REQUIRE(priv != NULL);
607 ret = check_data(priv, dst_key_alg(key), ISC_FALSE, key->external);
609 return (DST_R_INVALIDPRIVATEKEY);
610 else if (ret != ISC_R_SUCCESS)
613 isc_buffer_init(&b, filename, sizeof(filename));
614 result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &b);
615 if (result != ISC_R_SUCCESS)
618 result = isc_file_mode(filename, &mode);
619 if (result == ISC_R_SUCCESS && mode != 0600) {
620 /* File exists; warn that we are changing its permissions */
621 isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
622 DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
623 "Permissions on the file %s "
624 "have changed from 0%o to 0600 as "
625 "a result of this operation.",
626 filename, (unsigned int)mode);
629 if ((fp = fopen(filename, "w")) == NULL)
630 return (DST_R_WRITEERROR);
633 isc_fsaccess_add(ISC_FSACCESS_OWNER,
634 ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
636 (void)isc_fsaccess_set(filename, access);
638 dst_key_getprivateformat(key, &major, &minor);
639 if (major == 0 && minor == 0) {
640 major = DST_MAJOR_VERSION;
641 minor = DST_MINOR_VERSION;
644 /* XXXDCL return value should be checked for full filesystem */
645 fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor);
647 fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
649 /* XXXVIX this switch statement is too sparse to gen a jump table. */
650 switch (dst_key_alg(key)) {
652 fprintf(fp, "(RSA)\n");
655 fprintf(fp, "(DH)\n");
658 fprintf(fp, "(DSA)\n");
660 case DST_ALG_RSASHA1:
661 fprintf(fp, "(RSASHA1)\n");
663 case DST_ALG_NSEC3RSASHA1:
664 fprintf(fp, "(NSEC3RSASHA1)\n");
666 case DST_ALG_NSEC3DSA:
667 fprintf(fp, "(NSEC3DSA)\n");
669 case DST_ALG_RSASHA256:
670 fprintf(fp, "(RSASHA256)\n");
672 case DST_ALG_RSASHA512:
673 fprintf(fp, "(RSASHA512)\n");
675 case DST_ALG_ECCGOST:
676 fprintf(fp, "(ECC-GOST)\n");
678 case DST_ALG_ECDSA256:
679 fprintf(fp, "(ECDSAP256SHA256)\n");
681 case DST_ALG_ECDSA384:
682 fprintf(fp, "(ECDSAP384SHA384)\n");
684 case DST_ALG_HMACMD5:
685 fprintf(fp, "(HMAC_MD5)\n");
687 case DST_ALG_HMACSHA1:
688 fprintf(fp, "(HMAC_SHA1)\n");
690 case DST_ALG_HMACSHA224:
691 fprintf(fp, "(HMAC_SHA224)\n");
693 case DST_ALG_HMACSHA256:
694 fprintf(fp, "(HMAC_SHA256)\n");
696 case DST_ALG_HMACSHA384:
697 fprintf(fp, "(HMAC_SHA384)\n");
699 case DST_ALG_HMACSHA512:
700 fprintf(fp, "(HMAC_SHA512)\n");
703 fprintf(fp, "(?)\n");
707 for (i = 0; i < priv->nelements; i++) {
710 s = find_tag(priv->elements[i].tag);
712 r.base = priv->elements[i].data;
713 r.length = priv->elements[i].length;
714 isc_buffer_init(&b, buffer, sizeof(buffer));
715 result = isc_base64_totext(&r, sizeof(buffer), "", &b);
716 if (result != ISC_R_SUCCESS) {
718 return (DST_R_INVALIDPRIVATEKEY);
720 isc_buffer_usedregion(&b, &r);
722 fprintf(fp, "%s %.*s\n", s, (int)r.length, r.base);
726 fprintf(fp, "External:\n");
728 /* Add the metadata tags */
729 if (major > 1 || (major == 1 && minor >= 3)) {
730 for (i = 0; i < NUMERIC_NTAGS; i++) {
731 result = dst_key_getnum(key, i, &value);
732 if (result != ISC_R_SUCCESS)
734 fprintf(fp, "%s %u\n", numerictags[i], value);
736 for (i = 0; i < TIMING_NTAGS; i++) {
737 result = dst_key_gettime(key, i, &when);
738 if (result != ISC_R_SUCCESS)
741 isc_buffer_init(&b, buffer, sizeof(buffer));
742 result = dns_time32_totext(when, &b);
743 if (result != ISC_R_SUCCESS) {
745 return (DST_R_INVALIDPRIVATEKEY);
748 isc_buffer_usedregion(&b, &r);
750 fprintf(fp, "%s %.*s\n", timetags[i], (int)r.length,
756 result = ferror(fp) ? DST_R_WRITEERROR : ISC_R_SUCCESS;
projects / FreeBSD / releng / 9.3.git / blob