997. [func] Add support for RSA-SHA1 keys.

2025-09-03 16:15:27 +00:00 · 2001-09-15 00:01:58 +00:00
parent 967ecc6264
commit 36e37042c6
11 changed files with 59 additions and 25 deletions
--- a/2
+++ b/2
@@ -1,3 +1,5 @@
+ 997.	[func]		Add support for RSA-SHA1 keys.
+
 996.	[func]		Issue warning if the configuration filename contains
 			the chroot path.

--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -17,7 +17,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-keygen.c,v 1.49 2001/09/05 23:15:35 bwelling Exp $ */
+/* $Id: dnssec-keygen.c,v 1.50 2001/09/15 00:01:44 bwelling Exp $ */

 #include <config.h>

@@ -49,6 +49,8 @@
 const char *program = "dnssec-keygen";
 int verbose;

+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5";
+
 static isc_boolean_t
 dsa_size_ok(int size) {
 	return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
@@ -60,8 +62,7 @@ usage(void) {
 	fprintf(stderr, "    %s -a alg -b bits -n type [options] name\n\n",
 		program);
 	fprintf(stderr, "Required options:\n");
-	fprintf(stderr, "    -a algorithm: RSA | RSAMD5 | DH | DSA | HMAC-MD5"
-		"\n");
+	fprintf(stderr, "    -a algorithm: %s\n", algs);
 	fprintf(stderr, "    -b key size, in bits:\n");
 	fprintf(stderr, "        RSA:\t\t[512..%d]\n", MAX_RSA);
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: rdata.c,v 1.147 2001/08/08 22:54:41 gson Exp $ */
+/* $Id: rdata.c,v 1.148 2001/09/15 00:01:46 bwelling Exp $ */

 #include <config.h>
 #include <ctype.h>
@@ -269,13 +269,14 @@ static const char decdigits[] = "0123456789";
 	{ 254, "OID", 0}, \
 	{ 0, NULL, 0}

-/* RFC2535 section 7 */
+/* RFC2535 section 7, RFC3110 */

 #define SECALGNAMES \
 	{ 1, "RSAMD5", 0 }, \
 	{ 2, "DH", 0 }, \
 	{ 3, "DSA", 0 }, \
 	{ 4, "ECC", 0 }, \
+	{ 5, "RSASHA1", 0 }, \
 	{ 252, "INDIRECT", 0 }, \
 	{ 253, "PRIVATEDNS", 0 }, \
 	{ 254, "PRIVATEOID", 0 }, \
--- a/lib/dns/sec/dst/dst_api.c
+++ b/lib/dns/sec/dst/dst_api.c
@@ -19,7 +19,7 @@

 /*
 * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.88 2001/07/10 21:27:59 bwelling Exp $
+ * $Id: dst_api.c,v 1.89 2001/09/15 00:01:48 bwelling Exp $
 */

 #include <config.h>
@@ -138,6 +138,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 #ifdef OPENSSL
 	RETERR(dst__openssl_init());
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
 	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
 	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
 #endif
@@ -697,6 +698,7 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {

 	switch (key->key_alg) {
 		case DST_ALG_RSAMD5:
+		case DST_ALG_RSASHA1:
 			*n = (key->key_size + 7) / 8;
 			break;
 		case DST_ALG_DSA:
@@ -726,6 +728,7 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
 			*n = (key->key_size + 7) / 8;
 			break;
 		case DST_ALG_RSAMD5:
+		case DST_ALG_RSASHA1:
 		case DST_ALG_DSA:
 		case DST_ALG_HMACMD5:
 		default:
--- a/lib/dns/sec/dst/dst_parse.c
+++ b/lib/dns/sec/dst/dst_parse.c
@@ -19,7 +19,7 @@

 /*
 * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.31 2001/05/31 00:38:07 bwelling Exp $
+ * $Id: dst_parse.c,v 1.32 2001/09/15 00:01:49 bwelling Exp $
 */

 #include <config.h>
@@ -39,9 +39,10 @@

 #define PRIVATE_KEY_STR "Private-key-format:"
 #define ALGORITHM_STR "Algorithm:"
-#define RSA_STR "RSA"
+#define RSAMD5_STR "RSAMD5"
 #define DH_STR "DH"
 #define DSA_STR "DSA"
+#define RSASHA1_STR "RSASHA1"
 #define HMACMD5_STR "HMAC_MD5"

 struct parse_map {
@@ -157,6 +158,7 @@ static int
 check_data(const dst_private_t *priv, const unsigned int alg) {
 	switch (alg) {
 		case DST_ALG_RSAMD5:
+		case DST_ALG_RSASHA1:
 			return (check_rsa(priv));
 		case DST_ALG_DH:
 			return (check_dh(priv));
@@ -185,8 +187,9 @@ dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
 }

 int
-dst__privstruct_parsefile(dst_key_t *key, const char *filename,
-			  isc_mem_t *mctx, dst_private_t *priv)
+dst__privstruct_parsefile(dst_key_t *key, unsigned int alg,
+			  const char *filename, isc_mem_t *mctx,
+			  dst_private_t *priv)
 {
 	int n = 0, major, minor;
 	isc_buffer_t b;
@@ -305,9 +308,11 @@ dst__privstruct_parsefile(dst_key_t *key, const char *filename,
 		}

 		memset(&priv->elements[n], 0, sizeof(dst_private_element_t));
-		tag = find_value(token.value.as_pointer, dst_key_alg(key));
-		if (tag < 0 || TAG_ALG(tag) != dst_key_alg(key))
+		tag = find_value(token.value.as_pointer, alg);
+		if (tag < 0 || TAG_ALG(tag) != alg) {
+			ret = DST_R_INVALIDPRIVATEKEY;
 			goto fail;
+		}
 		priv->elements[n].tag = tag;

 		data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
@@ -327,7 +332,7 @@ dst__privstruct_parsefile(dst_key_t *key, const char *filename,
 done:
 	priv->nelements = n;

-	if (check_data(priv, dst_key_alg(key)) < 0)
+	if (check_data(priv, alg) < 0)
 		goto fail;

 	isc_lex_close(lex);
@@ -388,6 +393,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 		case DST_ALG_RSAMD5: fprintf(fp, "(RSA)\n"); break;
 		case DST_ALG_DH: fprintf(fp, "(DH)\n"); break;
 		case DST_ALG_DSA: fprintf(fp, "(DSA)\n"); break;
+		case DST_ALG_RSASHA1: fprintf(fp, "(RSASHA1)\n"); break;
 		case DST_ALG_HMACMD5: fprintf(fp, "(HMAC_MD5)\n"); break;
 		default : fprintf(fp, "(?)\n"); break;
 	}
--- a/lib/dns/sec/dst/dst_parse.h
+++ b/lib/dns/sec/dst/dst_parse.h
@@ -17,7 +17,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dst_parse.h,v 1.19 2001/05/10 19:07:13 bwelling Exp $ */
+/* $Id: dst_parse.h,v 1.20 2001/09/15 00:01:50 bwelling Exp $ */

 #ifndef DST_DST_PARSE_H
 #define DST_DST_PARSE_H 1
@@ -84,8 +84,9 @@ void
 dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);

 int
-dst__privstruct_parsefile(dst_key_t *key, const char *filename,
-			  isc_mem_t *mctx, dst_private_t *priv);
+dst__privstruct_parsefile(dst_key_t *key, unsigned int alg,
+			  const char *filename, isc_mem_t *mctx,
+			  dst_private_t *priv);

 int
 dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
--- a/lib/dns/sec/dst/hmac_link.c
+++ b/lib/dns/sec/dst/hmac_link.c
@@ -19,7 +19,7 @@

 /*
 * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.53 2001/05/31 18:34:50 tale Exp $
+ * $Id: hmac_link.c,v 1.54 2001/09/15 00:01:52 bwelling Exp $
 */

 #include <config.h>
@@ -248,7 +248,8 @@ hmacmd5_fromfile(dst_key_t *key, const char *filename) {
 	isc_mem_t *mctx = key->mctx;

 	/* read private key file */
-	ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+	ret = dst__privstruct_parsefile(key, DST_ALG_HMACMD5, filename, mctx,
+					&priv);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);

--- a/lib/dns/sec/dst/include/dst/dst.h
+++ b/lib/dns/sec/dst/include/dst/dst.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dst.h,v 1.42 2001/05/31 18:34:51 tale Exp $ */
+/* $Id: dst.h,v 1.43 2001/09/15 00:01:58 bwelling Exp $ */

 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -45,6 +45,8 @@ typedef struct dst_context 	dst_context_t;
 #define DST_ALG_RSA		DST_ALG_RSAMD5	/* backwards compatibility */
 #define DST_ALG_DH		2
 #define DST_ALG_DSA		3
+#define DST_ALG_ECC		4
+#define DST_ALG_RSASHA1		5
 #define DST_ALG_HMACMD5		157
 #define DST_ALG_GSSAPI		160
 #define DST_ALG_PRIVATE		254
--- a/lib/dns/sec/dst/openssldh_link.c
+++ b/lib/dns/sec/dst/openssldh_link.c
@@ -19,7 +19,7 @@

 /*
 * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.38 2001/07/10 04:01:16 bwelling Exp $
+ * $Id: openssldh_link.c,v 1.39 2001/09/15 00:01:53 bwelling Exp $
 */

 #ifdef OPENSSL
@@ -424,7 +424,8 @@ openssldh_fromfile(dst_key_t *key, const char *filename) {
 	mctx = key->mctx;

 	/* read private key file */
-	ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+	ret = dst__privstruct_parsefile(key, DST_ALG_DH, filename, mctx,
+					&priv);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);

--- a/lib/dns/sec/dst/openssldsa_link.c
+++ b/lib/dns/sec/dst/openssldsa_link.c
@@ -17,7 +17,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: openssldsa_link.c,v 1.4 2001/07/10 04:01:17 bwelling Exp $ */
+/* $Id: openssldsa_link.c,v 1.5 2001/09/15 00:01:54 bwelling Exp $ */

 #ifdef OPENSSL

@@ -364,7 +364,8 @@ openssldsa_fromfile(dst_key_t *key, const char *filename) {
 #define DST_RET(a) {ret = a; goto err;}

 	/* read private key file */
-	ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+	ret = dst__privstruct_parsefile(key, DST_ALG_DSA, filename, mctx,
+					&priv);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);

--- a/lib/dns/sec/dst/opensslrsa_link.c
+++ b/lib/dns/sec/dst/opensslrsa_link.c
@@ -17,7 +17,7 @@

 /*
 * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.12 2001/07/10 04:01:19 bwelling Exp $
+ * $Id: opensslrsa_link.c,v 1.13 2001/09/15 00:01:56 bwelling Exp $
 */
 #ifdef OPENSSL

@@ -44,6 +44,8 @@ static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
 static isc_result_t
 opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 	UNUSED(key);
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1);

 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 		isc_md5_t *md5ctx;
@@ -64,6 +66,9 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {

 static void
 opensslrsa_destroyctx(dst_context_t *dctx) {
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1);
+
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 		isc_md5_t *md5ctx = dctx->opaque;

@@ -84,6 +89,9 @@ opensslrsa_destroyctx(dst_context_t *dctx) {

 static isc_result_t
 opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1);
+
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 		isc_md5_t *md5ctx = dctx->opaque;
 		isc_md5_update(md5ctx, data->base, data->length);
@@ -106,6 +114,9 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	int type;
 	unsigned int digestlen;

+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1);
+
 	isc_buffer_availableregion(sig, &r);

 	if (r.length < (unsigned int) RSA_size(rsa))
@@ -144,6 +155,9 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	int type;
 	unsigned int digestlen;

+	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+		dctx->key->key_alg == DST_ALG_RSASHA1);
+
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 		isc_md5_t *md5ctx = dctx->opaque;
 		isc_md5_final(md5ctx, digest);
@@ -418,7 +432,8 @@ opensslrsa_fromfile(dst_key_t *key, const char *filename) {
 #define DST_RET(a) {ret = a; goto err;}

 	/* read private key file */
-	ret = dst__privstruct_parsefile(key, filename, mctx, &priv);
+	ret = dst__privstruct_parsefile(key, DST_ALG_RSA, filename, mctx,
+					&priv);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);