Create keys with PKCS#11 URI instead of object
The pkcs11-provider has changed to take a PKCS#11 URI instead of an object identifier. Change the BIND 9 code accordingly to pass through the label instead of just the object identifier. See: https://github.com/latchset/pkcs11-provider/pull/284
@@ -644,6 +644,7 @@ AS_IF([test "$enable_doh" = "yes"],
|
|||||||
|
|
||||||
AM_CONDITIONAL([HAVE_LIBNGHTTP2], [test -n "$LIBNGHTTP2_LIBS"])
|
AM_CONDITIONAL([HAVE_LIBNGHTTP2], [test -n "$LIBNGHTTP2_LIBS"])
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# flockfile is usually provided by pthreads
|
# flockfile is usually provided by pthreads
|
||||||
#
|
#
|
||||||
|
@@ -1031,7 +1031,7 @@ dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
|
|||||||
isc_result_t
|
isc_result_t
|
||||||
dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
|
dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
|
||||||
unsigned int param, unsigned int flags, unsigned int protocol,
|
unsigned int param, unsigned int flags, unsigned int protocol,
|
||||||
dns_rdataclass_t rdclass, const char *object, isc_mem_t *mctx,
|
dns_rdataclass_t rdclass, const char *label, isc_mem_t *mctx,
|
||||||
dst_key_t **keyp, void (*callback)(int)) {
|
dst_key_t **keyp, void (*callback)(int)) {
|
||||||
dst_key_t *key;
|
dst_key_t *key;
|
||||||
isc_result_t ret;
|
isc_result_t ret;
|
||||||
@@ -1046,8 +1046,8 @@ dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
|
|||||||
key = get_key_struct(name, alg, flags, protocol, bits, rdclass, 0,
|
key = get_key_struct(name, alg, flags, protocol, bits, rdclass, 0,
|
||||||
mctx);
|
mctx);
|
||||||
|
|
||||||
if (object != NULL) {
|
if (label != NULL) {
|
||||||
key->object = isc_mem_strdup(mctx, object);
|
key->label = isc_mem_strdup(mctx, label);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (bits == 0) { /*%< NULL KEY */
|
if (bits == 0) { /*%< NULL KEY */
|
||||||
@@ -1408,9 +1408,6 @@ dst_key_free(dst_key_t **keyp) {
|
|||||||
if (key->label != NULL) {
|
if (key->label != NULL) {
|
||||||
isc_mem_free(mctx, key->label);
|
isc_mem_free(mctx, key->label);
|
||||||
}
|
}
|
||||||
if (key->object != NULL) {
|
|
||||||
isc_mem_free(mctx, key->object);
|
|
||||||
}
|
|
||||||
dns_name_free(key->key_name, mctx);
|
dns_name_free(key->key_name, mctx);
|
||||||
isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
|
isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
|
||||||
if (key->key_tkeytoken) {
|
if (key->key_tkeytoken) {
|
||||||
|
@@ -94,7 +94,6 @@ struct dst_key {
|
|||||||
char *directory; /*%< key directory */
|
char *directory; /*%< key directory */
|
||||||
char *engine; /*%< engine name (HSM) */
|
char *engine; /*%< engine name (HSM) */
|
||||||
char *label; /*%< engine label (HSM) */
|
char *label; /*%< engine label (HSM) */
|
||||||
char *object; /*%< engine object (HSM) */
|
|
||||||
union {
|
union {
|
||||||
void *generic;
|
void *generic;
|
||||||
dns_gss_ctx_id_t gssctx;
|
dns_gss_ctx_id_t gssctx;
|
||||||
|
@@ -629,7 +629,7 @@ dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
|
|||||||
isc_result_t
|
isc_result_t
|
||||||
dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
|
dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
|
||||||
unsigned int param, unsigned int flags, unsigned int protocol,
|
unsigned int param, unsigned int flags, unsigned int protocol,
|
||||||
dns_rdataclass_t rdclass, const char *object, isc_mem_t *mctx,
|
dns_rdataclass_t rdclass, const char *label, isc_mem_t *mctx,
|
||||||
dst_key_t **keyp, void (*callback)(int));
|
dst_key_t **keyp, void (*callback)(int));
|
||||||
|
|
||||||
/*%<
|
/*%<
|
||||||
|
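Review bot: The Doxygen block that opens at the end of this hunk (`/*%<`, continuing outside it) documents dst_key_generate() and needs updating along with the parameter rename: `label` is no longer an engine object name but a complete PKCS#11 URI, and since dst_key_generate() copies it into the key, the block should say something like `'label', if not NULL, is the PKCS#11 URI (including the object= component) of the HSM object to create; a copy is stored in the key.`. Whether the existing comment body still refers to the old `object` parameter cannot be seen from the hunk. The `char *label; /*%< engine label (HSM) */` member comment in dst_internal.h (context line in that file's hunk) still carries the old meaning and is worth aligning with the same wording.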
@@ -167,14 +167,18 @@ dns_keystore_keygen(dns_keystore_t *keystore, const dns_name_t *origin,
|
|||||||
char namebuf[DNS_NAME_FORMATSIZE];
|
char namebuf[DNS_NAME_FORMATSIZE];
|
||||||
char object[DNS_NAME_FORMATSIZE + 26];
|
char object[DNS_NAME_FORMATSIZE + 26];
|
||||||
|
|
||||||
/* Generate the key */
|
/* Create the PKCS11 URI */
|
||||||
isc_time_formatshorttimestamp(&now, timebuf, sizeof(timebuf));
|
isc_time_formatshorttimestamp(&now, timebuf, sizeof(timebuf));
|
||||||
dns_name_format(origin, namebuf, sizeof(namebuf));
|
dns_name_format(origin, namebuf, sizeof(namebuf));
|
||||||
snprintf(object, sizeof(object), "%s-%s-%s", namebuf,
|
snprintf(object, sizeof(object), "%s-%s-%s", namebuf,
|
||||||
ksk ? "ksk" : "zsk", timebuf);
|
ksk ? "ksk" : "zsk", timebuf);
|
||||||
|
len = strlen(object) + strlen(uri) + 10;
|
||||||
|
label = isc_mem_get(mctx, len);
|
||||||
|
sprintf(label, "%s;object=%s;", uri, object);
|
||||||
|
|
||||||
|
/* Generate the key */
|
||||||
result = dst_key_generate(origin, alg, size, 0, flags,
|
result = dst_key_generate(origin, alg, size, 0, flags,
|
||||||
DNS_KEYPROTO_DNSSEC, rdclass, object,
|
DNS_KEYPROTO_DNSSEC, rdclass, label,
|
||||||
mctx, &key, NULL);
|
mctx, &key, NULL);
|
||||||
if (result != ISC_R_SUCCESS) {
|
if (result != ISC_R_SUCCESS) {
|
||||||
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
|
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
|
||||||
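Review bot: `label` is now allocated with isc_mem_get() before dst_key_generate() runs, but the `result != ISC_R_SUCCESS` branch that starts at the end of this hunk continues outside it and, since the allocation used to sit after that branch, presumably does not release `label`, so a failed keygen would leak it unless the branch gains an `isc_mem_put(mctx, label, len);` before it bails out. The `sprintf()` into an exactly-sized buffer should be the bounded form, `snprintf(label, len, "%s;object=%s;", uri, object);` — the `+ 10` in `len` does cover `;object=`, the trailing `;` and the terminator, but snprintf keeps that arithmetic from turning into an overflow if the format ever changes. `object` is interpolated into a pk11 URI attribute value with no percent-encoding, and RFC 7512 only allows unreserved and percent-encoded characters there (`;` in particular is the attribute separator); dns_name_format() output can contain backslash escapes and, if I read it correctly, escaped `;` rather than dropping such characters, so a zone name with those bytes would produce a URI that is mis-parsed or rejected depending on the provider's parser, and should be encoded or rejected here. dns_keystore_keygen() continues past this hunk.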
@@ -187,9 +191,6 @@ dns_keystore_keygen(dns_keystore_t *keystore, const dns_name_t *origin,
|
|||||||
dst_key_free(&key);
|
dst_key_free(&key);
|
||||||
|
|
||||||
/* Retrieve generated key from label */
|
/* Retrieve generated key from label */
|
||||||
len = strlen(object) + strlen(uri) + 10;
|
|
||||||
label = isc_mem_get(mctx, len);
|
|
||||||
sprintf(label, "%s;object=%s;", uri, object);
|
|
||||||
result = dst_key_fromlabel(
|
result = dst_key_fromlabel(
|
||||||
origin, alg, flags, DNS_KEYPROTO_DNSSEC,
|
origin, alg, flags, DNS_KEYPROTO_DNSSEC,
|
||||||
dns_rdataclass_in, dns_keystore_engine(keystore), label,
|
dns_rdataclass_in, dns_keystore_engine(keystore), label,
|
||||||
|
@@ -410,26 +410,17 @@ opensslecdsa_create_pkey(unsigned int key_alg, bool private,
|
|||||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||||
|
|
||||||
static isc_result_t
|
static isc_result_t
|
||||||
opensslecdsa_generate_pkey_with_object(int group_nid, const char *object,
|
opensslecdsa_generate_pkey_with_uri(int group_nid, const char *label,
|
||||||
EVP_PKEY **retkey) {
|
EVP_PKEY **retkey) {
|
||||||
int status;
|
int status;
|
||||||
isc_result_t ret;
|
isc_result_t ret;
|
||||||
unsigned char id[16];
|
char *uri = UNCONST(label);
|
||||||
char *label = UNCONST(object);
|
|
||||||
EVP_PKEY_CTX *ctx = NULL;
|
EVP_PKEY_CTX *ctx = NULL;
|
||||||
OSSL_PARAM params[3];
|
OSSL_PARAM params[2];
|
||||||
|
|
||||||
/* Generate the key's parameters. */
|
/* Generate the key's parameters. */
|
||||||
status = RAND_bytes(id, 16);
|
params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
|
||||||
if (status != 1) {
|
params[1] = OSSL_PARAM_construct_end();
|
||||||
DST_RET(dst__openssl_toresult2("RAND_bytes",
|
|
||||||
DST_R_OPENSSLFAILURE));
|
|
||||||
}
|
|
||||||
|
|
||||||
params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_key_label", label,
|
|
||||||
0);
|
|
||||||
params[1] = OSSL_PARAM_construct_octet_string("pkcs11_key_id", id, 16);
|
|
||||||
params[2] = OSSL_PARAM_construct_end();
|
|
||||||
|
|
||||||
ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", "provider=pkcs11");
|
ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", "provider=pkcs11");
|
||||||
if (ctx == NULL) {
|
if (ctx == NULL) {
|
||||||
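Review bot: The parameter is still named `label` although the function is now `_with_uri` and the value it receives is a complete PKCS#11 URI, so a reader has to follow `char *uri = UNCONST(label);` to learn what is actually passed; either rename the parameter to `uri` (and the local to e.g. `uri_buf`) or add `/* label is a complete PKCS#11 URI, including the object= component. */` above the declaration. The `UNCONST()` cast deserves a one-line comment too, since it exists only because OSSL_PARAM_construct_utf8_string() takes a `char *`. `int status` remains declared after the RAND_bytes() call that used it was removed; if nothing later in the function (which continues outside the hunk) assigns it, it should go as well. The same three points apply to opensslrsa_generate_pkey_with_uri() in the opensslrsa.c hunk starting at `@@ -497,26 +497,17 @@`.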
@@ -476,7 +467,7 @@ err:
|
|||||||
}
|
}
|
||||||
|
|
||||||
static isc_result_t
|
static isc_result_t
|
||||||
opensslecdsa_generate_pkey(unsigned int key_alg, const char *object,
|
opensslecdsa_generate_pkey(unsigned int key_alg, const char *label,
|
||||||
EVP_PKEY **retkey) {
|
EVP_PKEY **retkey) {
|
||||||
isc_result_t ret;
|
isc_result_t ret;
|
||||||
EVP_PKEY_CTX *ctx = NULL;
|
EVP_PKEY_CTX *ctx = NULL;
|
||||||
@@ -484,9 +475,9 @@ opensslecdsa_generate_pkey(unsigned int key_alg, const char *object,
|
|||||||
int group_nid = opensslecdsa_key_alg_to_group_nid(key_alg);
|
int group_nid = opensslecdsa_key_alg_to_group_nid(key_alg);
|
||||||
int status;
|
int status;
|
||||||
|
|
||||||
if (object != NULL) {
|
if (label != NULL) {
|
||||||
return (opensslecdsa_generate_pkey_with_object(group_nid,
|
return (opensslecdsa_generate_pkey_with_uri(group_nid, label,
|
||||||
object, retkey));
|
retkey));
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Generate the key's parameters. */
|
/* Generate the key's parameters. */
|
||||||
@@ -570,14 +561,14 @@ opensslecdsa_extract_private_key(const dst_key_t *key, unsigned char *buf,
|
|||||||
#else
|
#else
|
||||||
|
|
||||||
static isc_result_t
|
static isc_result_t
|
||||||
opensslecdsa_generate_pkey(unsigned int key_alg, const char *object,
|
opensslecdsa_generate_pkey(unsigned int key_alg, const char *label,
|
||||||
EVP_PKEY **retkey) {
|
EVP_PKEY **retkey) {
|
||||||
isc_result_t ret;
|
isc_result_t ret;
|
||||||
EC_KEY *eckey = NULL;
|
EC_KEY *eckey = NULL;
|
||||||
EVP_PKEY *pkey = NULL;
|
EVP_PKEY *pkey = NULL;
|
||||||
int group_nid;
|
int group_nid;
|
||||||
|
|
||||||
UNUSED(object);
|
UNUSED(label);
|
||||||
|
|
||||||
group_nid = opensslecdsa_key_alg_to_group_nid(key_alg);
|
group_nid = opensslecdsa_key_alg_to_group_nid(key_alg);
|
||||||
|
|
||||||
@@ -892,7 +883,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
|||||||
UNUSED(unused);
|
UNUSED(unused);
|
||||||
UNUSED(callback);
|
UNUSED(callback);
|
||||||
|
|
||||||
ret = opensslecdsa_generate_pkey(key->key_alg, key->object, &pkey);
|
ret = opensslecdsa_generate_pkey(key->key_alg, key->label, &pkey);
|
||||||
if (ret != ISC_R_SUCCESS) {
|
if (ret != ISC_R_SUCCESS) {
|
||||||
return (ret);
|
return (ret);
|
||||||
}
|
}
|
||||||
|
@@ -366,14 +366,14 @@ progress_cb(int p, int n, BN_GENCB *cb) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
static isc_result_t
|
static isc_result_t
|
||||||
opensslrsa_generate_pkey(unsigned int key_size, const char *object, BIGNUM *e,
|
opensslrsa_generate_pkey(unsigned int key_size, const char *label, BIGNUM *e,
|
||||||
void (*callback)(int), EVP_PKEY **retkey) {
|
void (*callback)(int), EVP_PKEY **retkey) {
|
||||||
RSA *rsa = NULL;
|
RSA *rsa = NULL;
|
||||||
EVP_PKEY *pkey = NULL;
|
EVP_PKEY *pkey = NULL;
|
||||||
BN_GENCB *cb = NULL;
|
BN_GENCB *cb = NULL;
|
||||||
isc_result_t ret;
|
isc_result_t ret;
|
||||||
|
|
||||||
UNUSED(object);
|
UNUSED(label);
|
||||||
|
|
||||||
rsa = RSA_new();
|
rsa = RSA_new();
|
||||||
pkey = EVP_PKEY_new();
|
pkey = EVP_PKEY_new();
|
||||||
@@ -497,26 +497,17 @@ progress_cb(EVP_PKEY_CTX *ctx) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
static isc_result_t
|
static isc_result_t
|
||||||
opensslrsa_generate_pkey_with_object(size_t key_size, const char *object,
|
opensslrsa_generate_pkey_with_uri(size_t key_size, const char *label,
|
||||||
EVP_PKEY **retkey) {
|
EVP_PKEY **retkey) {
|
||||||
EVP_PKEY_CTX *ctx = NULL;
|
EVP_PKEY_CTX *ctx = NULL;
|
||||||
OSSL_PARAM params[4];
|
OSSL_PARAM params[3];
|
||||||
unsigned char id[16];
|
char *uri = UNCONST(label);
|
||||||
char *label = UNCONST(object);
|
|
||||||
isc_result_t ret;
|
isc_result_t ret;
|
||||||
int status;
|
int status;
|
||||||
|
|
||||||
status = RAND_bytes(id, 16);
|
params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
|
||||||
if (status != 1) {
|
params[1] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
|
||||||
DST_RET(dst__openssl_toresult2("RAND_bytes",
|
params[2] = OSSL_PARAM_construct_end();
|
||||||
DST_R_OPENSSLFAILURE));
|
|
||||||
}
|
|
||||||
|
|
||||||
params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_key_label", label,
|
|
||||||
0);
|
|
||||||
params[1] = OSSL_PARAM_construct_octet_string("pkcs11_key_id", id, 16);
|
|
||||||
params[2] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
|
|
||||||
params[3] = OSSL_PARAM_construct_end();
|
|
||||||
|
|
||||||
ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", "provider=pkcs11");
|
ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", "provider=pkcs11");
|
||||||
if (ctx == NULL) {
|
if (ctx == NULL) {
|
||||||
@@ -549,14 +540,14 @@ err:
|
|||||||
}
|
}
|
||||||
|
|
||||||
static isc_result_t
|
static isc_result_t
|
||||||
opensslrsa_generate_pkey(unsigned int key_size, const char *object, BIGNUM *e,
|
opensslrsa_generate_pkey(unsigned int key_size, const char *label, BIGNUM *e,
|
||||||
void (*callback)(int), EVP_PKEY **retkey) {
|
void (*callback)(int), EVP_PKEY **retkey) {
|
||||||
EVP_PKEY_CTX *ctx;
|
EVP_PKEY_CTX *ctx;
|
||||||
isc_result_t ret;
|
isc_result_t ret;
|
||||||
|
|
||||||
if (object != NULL) {
|
if (label != NULL) {
|
||||||
return (opensslrsa_generate_pkey_with_object(key_size, object,
|
return (opensslrsa_generate_pkey_with_uri(key_size, label,
|
||||||
retkey));
|
retkey));
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
|
ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
|
||||||
@@ -731,7 +722,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
|||||||
BN_set_bit(e, 32);
|
BN_set_bit(e, 32);
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = opensslrsa_generate_pkey(key->key_size, key->object, e, callback,
|
ret = opensslrsa_generate_pkey(key->key_size, key->label, e, callback,
|
||||||
&pkey);
|
&pkey);
|
||||||
if (ret != ISC_R_SUCCESS) {
|
if (ret != ISC_R_SUCCESS) {
|
||||||
goto err;
|
goto err;
|
||||||
|