Commit 62f4d7df authored by Daniel Salzman's avatar Daniel Salzman

libdnssec: export pem API

parent ff0cdb7f
......@@ -276,6 +276,8 @@ src/libdnssec/nsec/hash.c
src/libdnssec/nsec/nsec.c
src/libdnssec/p11/p11.c
src/libdnssec/p11/p11.h
src/libdnssec/pem.c
src/libdnssec/pem.h
src/libdnssec/random.c
src/libdnssec/random.h
src/libdnssec/shared/bignum.c
......@@ -285,8 +287,6 @@ src/libdnssec/shared/dname.c
src/libdnssec/shared/dname.h
src/libdnssec/shared/keyid_gnutls.c
src/libdnssec/shared/keyid_gnutls.h
src/libdnssec/shared/pem.c
src/libdnssec/shared/pem.h
src/libdnssec/shared/shared.h
src/libdnssec/sign.h
src/libdnssec/sign/der.c
......
......@@ -63,6 +63,9 @@ libdnssec.so.6 libdnssec6 #MINVER#
dnssec_nsec_bitmap_new@Base 2.3.0
dnssec_nsec_bitmap_size@Base 2.3.0
dnssec_nsec_bitmap_write@Base 2.3.0
dnssec_pem_from_x509@Base 2.8.0
dnssec_pem_to_privkey@Base 2.8.0
dnssec_pem_to_x509@Base 2.8.0
dnssec_random_binary@Base 2.3.0
dnssec_random_buffer@Base 2.3.0
dnssec_sign_add@Base 2.3.0
......
......@@ -54,6 +54,7 @@
- \ref keystore — DNSSEC private key store
- \ref keytag — DNSSEC key tag computation
- \ref nsec — NSEC and NSEC3 operations
- \ref pem — PEM key format operations
- \ref random — Pseudo-random number generation
- \ref sign — DNSSEC signing and verification
- \ref tsig — TSIG signing
......@@ -66,6 +67,7 @@
\defgroup keystore keystore
\defgroup keytag keytag
\defgroup nsec nsec
\defgroup pem pem
\defgroup random random
\defgroup sign sign
\defgroup tsig tsig
......
......@@ -19,6 +19,7 @@ include_libdnssec_HEADERS = \
libdnssec/keystore.h \
libdnssec/keytag.h \
libdnssec/nsec.h \
libdnssec/pem.h \
libdnssec/random.h \
libdnssec/sign.h \
libdnssec/tsig.h \
......@@ -51,6 +52,7 @@ libdnssec_la_SOURCES = \
libdnssec/nsec/nsec.c \
libdnssec/p11/p11.c \
libdnssec/p11/p11.h \
libdnssec/pem.c \
libdnssec/random.c \
libdnssec/shared/bignum.c \
libdnssec/shared/bignum.h \
......@@ -59,8 +61,6 @@ libdnssec_la_SOURCES = \
libdnssec/shared/dname.h \
libdnssec/shared/keyid_gnutls.c \
libdnssec/shared/keyid_gnutls.h \
libdnssec/shared/pem.c \
libdnssec/shared/pem.h \
libdnssec/shared/shared.h \
libdnssec/sign/der.c \
libdnssec/sign/der.h \
......
......@@ -29,6 +29,7 @@
#include <libdnssec/keystore.h>
#include <libdnssec/keytag.h>
#include <libdnssec/nsec.h>
#include <libdnssec/pem.h>
#include <libdnssec/random.h>
#include <libdnssec/sign.h>
#include <libdnssec/tsig.h>
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -30,7 +30,6 @@
#include "libdnssec/shared/keyid_gnutls.h"
#include "libdnssec/keystore.h"
#include "libdnssec/keytag.h"
#include "libdnssec/shared/pem.h"
#include "libdnssec/shared/shared.h"
#include "libdnssec/shared/binary_wire.h"
#include "contrib/wire_ctx.h"
......
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -23,7 +23,7 @@
#include "libdnssec/key/dnskey.h"
#include "libdnssec/key/internal.h"
#include "libdnssec/key/privkey.h"
#include "libdnssec/shared/pem.h"
#include "libdnssec/pem.h"
#include "libdnssec/shared/shared.h"
/* -- public API ----------------------------------------------------------- */
......@@ -40,7 +40,7 @@ int dnssec_key_load_pkcs8(dnssec_key_t *key, const dnssec_binary_t *pem)
}
gnutls_privkey_t privkey = NULL;
int r = pem_privkey(pem, &privkey);
int r = dnssec_pem_to_privkey(pem, &privkey);
if (r != DNSSEC_EOK) {
return r;
}
......
......@@ -24,7 +24,7 @@
#include "libdnssec/keystore.h"
#include "libdnssec/keystore/internal.h"
#include "libdnssec/p11/p11.h"
#include "libdnssec/shared/pem.h"
#include "libdnssec/pem.h"
#include "libdnssec/shared/shared.h"
#ifdef ENABLE_PKCS11
......@@ -231,7 +231,7 @@ static int import_pem(const dnssec_binary_t *pem,
gnutls_privkey_t key = NULL;
gnutls_pubkey_t pubkey = NULL;
int r = pem_x509(pem, &x509_key);
int r = dnssec_pem_to_x509(pem, &x509_key);
if (r != DNSSEC_EOK) {
goto fail;
}
......
......@@ -27,8 +27,9 @@
#include "libdnssec/error.h"
#include "libdnssec/keystore.h"
#include "libdnssec/keystore/internal.h"
#include "libdnssec/shared/pem.h"
#include "libdnssec/pem.h"
#include "libdnssec/shared/shared.h"
#include "libdnssec/shared/keyid_gnutls.h"
#define DIR_INIT_MODE 0750
......@@ -175,6 +176,48 @@ static bool key_is_duplicate(int open_error, pkcs8_dir_handle_t *handle,
return dnssec_binary_cmp(&old, pem) == 0;
}
static int pem_generate(gnutls_pk_algorithm_t algorithm, unsigned bits,
dnssec_binary_t *pem, char **id)
{
assert(pem);
assert(id);
// generate key
_cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL;
int r = gnutls_x509_privkey_init(&key);
if (r != GNUTLS_E_SUCCESS) {
return DNSSEC_ENOMEM;
}
r = gnutls_x509_privkey_generate(key, algorithm, bits, 0);
if (r != GNUTLS_E_SUCCESS) {
return DNSSEC_KEY_GENERATE_ERROR;
}
// convert to PEM and export the ID
dnssec_binary_t _pem = { 0 };
r = dnssec_pem_from_x509(key, &_pem);
if (r != DNSSEC_EOK) {
return r;
}
// export key ID
char *_id = NULL;
r = keyid_x509_hex(key, &_id);
if (r != DNSSEC_EOK) {
dnssec_binary_free(&_pem);
return r;
}
*id = _id;
*pem = _pem;
return DNSSEC_EOK;
}
/* -- internal API --------------------------------------------------------- */
static int pkcs8_ctx_new(void **ctx_ptr)
......@@ -295,7 +338,13 @@ static int pkcs8_import_key(void *ctx, const dnssec_binary_t *pem, char **id_ptr
// retrieve key ID
char *id = NULL;
int r = pem_keyid(pem, &id);
_cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL;
int r = dnssec_pem_to_x509(pem, &key);
if (r != DNSSEC_EOK) {
return r;
}
r = keyid_x509_hex(key, &id);
if (r != DNSSEC_EOK) {
return r;
}
......@@ -392,7 +441,7 @@ static int pkcs8_get_private(void *ctx, const char *id, gnutls_privkey_t *key_pt
// construct the key
gnutls_privkey_t key = NULL;
r = pem_privkey(&pem, &key);
r = dnssec_pem_to_privkey(&pem, &key);
if (r != DNSSEC_EOK) {
return r;
}
......
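Review bot: pem_generate (lines 150-181) lands in keystore_pkcs8.c without the `/*! Generate new key and export it in the PEM format. */` comment it carried in shared/pem.c; restore it above line 150 and say that `pem` receives unencrypted private-key material, since that is what the keystore goes on to write out. On the keyid_x509_hex failure path (line 175) that material is released with dnssec_binary_free — whether that wipes the buffer before freeing is not visible here, so confirm it or clear explicitly before the free. In pkcs8_import_key (line 188 onward) replacing pem_keyid drops its `pem->size > 0 && pem->data` assertion, and dnssec_pem_to_x509 as shown in this commit checks only the pointers, so an empty buffer now reaches the GnuTLS import instead of tripping a precondition. pkcs8_import_key continues outside the hunk.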
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -22,20 +22,15 @@
#include "libdnssec/binary.h"
#include "libdnssec/error.h"
#include "libdnssec/key.h"
#include "libdnssec/keyid.h"
#include "libdnssec/shared/keyid_gnutls.h"
#include "libdnssec/shared/pem.h"
#include "libdnssec/pem.h"
#include "libdnssec/shared/shared.h"
/* -- internal API --------------------------------------------------------- */
/*!
* Create GnuTLS X.509 private key from unencrypted PEM data.
*/
int pem_x509(const dnssec_binary_t *pem, gnutls_x509_privkey_t *key)
_public_
int dnssec_pem_to_x509(const dnssec_binary_t *pem, gnutls_x509_privkey_t *key)
{
assert(pem);
assert(key);
if (!pem || !key) {
return DNSSEC_EINVAL;
}
gnutls_datum_t data = binary_to_datum(pem);
......@@ -59,16 +54,15 @@ int pem_x509(const dnssec_binary_t *pem, gnutls_x509_privkey_t *key)
return DNSSEC_EOK;
}
/*!
* Create GnuTLS private key from unencrypted PEM data.
*/
int pem_privkey(const dnssec_binary_t *pem, gnutls_privkey_t *key)
_public_
int dnssec_pem_to_privkey(const dnssec_binary_t *pem, gnutls_privkey_t *key)
{
assert(pem);
assert(key);
if (!pem || !key) {
return DNSSEC_EINVAL;
}
gnutls_x509_privkey_t key_x509 = NULL;
int r = pem_x509(pem, &key_x509);
int r = dnssec_pem_to_x509(pem, &key_x509);
if (r != DNSSEC_EOK) {
return r;
}
......@@ -93,51 +87,6 @@ int pem_privkey(const dnssec_binary_t *pem, gnutls_privkey_t *key)
return DNSSEC_EOK;
}
/*!
* Generate new key and export it in the PEM format.
*/
int pem_generate(gnutls_pk_algorithm_t algorithm, unsigned bits,
dnssec_binary_t *pem, char **id)
{
assert(pem);
assert(id);
// generate key
_cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL;
int r = gnutls_x509_privkey_init(&key);
if (r != GNUTLS_E_SUCCESS) {
return DNSSEC_ENOMEM;
}
r = gnutls_x509_privkey_generate(key, algorithm, bits, 0);
if (r != GNUTLS_E_SUCCESS) {
return DNSSEC_KEY_GENERATE_ERROR;
}
// convert to PEM and export the ID
dnssec_binary_t _pem = { 0 };
r = pem_from_x509(key, &_pem);
if (r != DNSSEC_EOK) {
return r;
}
// export key ID
char *_id = NULL;
r = keyid_x509_hex(key, &_id);
if (r != DNSSEC_EOK) {
dnssec_binary_free(&_pem);
return r;
}
*id = _id;
*pem = _pem;
return DNSSEC_EOK;
}
static int try_export_pem(gnutls_x509_privkey_t key, dnssec_binary_t *pem)
{
assert(key);
......@@ -150,13 +99,12 @@ static int try_export_pem(gnutls_x509_privkey_t key, dnssec_binary_t *pem)
pem->data, &pem->size);
}
/*!
* Export GnuTLS X.509 private key to PEM binary.
*/
int pem_from_x509(gnutls_x509_privkey_t key, dnssec_binary_t *pem)
_public_
int dnssec_pem_from_x509(gnutls_x509_privkey_t key, dnssec_binary_t *pem)
{
assert(key);
assert(pem);
if (!key || !pem) {
return DNSSEC_EINVAL;
}
dnssec_binary_t _pem = { 0 };
int r = try_export_pem(key, &_pem);
......@@ -179,20 +127,3 @@ int pem_from_x509(gnutls_x509_privkey_t key, dnssec_binary_t *pem)
return DNSSEC_EOK;
}
/*!
* Get key ID of a private key in PEM format.
*/
int pem_keyid(const dnssec_binary_t *pem, char **id)
{
assert(pem && pem->size > 0 && pem->data);
assert(id);
_cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL;
int r = pem_x509(pem, &key);
if (r != DNSSEC_EOK) {
return r;
}
return keyid_x509_hex(key, id);
}
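Review bot: dnssec_pem_to_x509 (line 225 onward) validates only that `pem` and `key` are non-NULL before `binary_to_datum(pem)` feeds the import; the removed pem_keyid asserted `pem->size > 0 && pem->data` as well, and that precondition has no equivalent on the new public entry point. Now that the function is exported, reject an empty buffer up front instead of relying on GnuTLS to report it: `if (!pem || !pem->data || pem->size == 0 || !key) {` / `return DNSSEC_EINVAL;` / `}`. dnssec_pem_to_privkey (line 241) inherits the check through its call to dnssec_pem_to_x509 and needs no change. Both function bodies continue outside the hunks, so whatever the import's error mapping does with an empty datum cannot be confirmed here.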
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -13,12 +13,21 @@
You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
/*!
* \file
*
* \addtogroup pem
*
* \brief PEM key format operations.
*
* @{
*/
#pragma once
#include <gnutls/gnutls.h>
#include "libdnssec/binary.h"
#include <libdnssec/binary.h>
/*!
* Create GnuTLS X.509 private key from unencrypted PEM data.
......@@ -28,7 +37,7 @@
*
* \return Error code, DNSSEC_EOK if successful.
*/
int pem_x509(const dnssec_binary_t *pem, gnutls_x509_privkey_t *key);
int dnssec_pem_to_x509(const dnssec_binary_t *pem, gnutls_x509_privkey_t *key);
/*!
* Create GnuTLS private key from unencrypted PEM data.
......@@ -38,20 +47,7 @@ int pem_x509(const dnssec_binary_t *pem, gnutls_x509_privkey_t *key);
*
* \return Error code, DNSSEC_EOK if successful.
*/
int pem_privkey(const dnssec_binary_t *pem, gnutls_privkey_t *key);
/*!
* Generate a private key and export it in the PEM format.
*
* \param[in] algorithm Algorithm to be used.
* \param[in] bits Size of the key to be generated.
* \param[out] pem Generated key in unencrypted PEM format.
* \param[out] id Key ID of the generated key.
*
* \return Error code, DNSSEC_EOK if successful.
*/
int pem_generate(gnutls_pk_algorithm_t algorithm, unsigned bits,
dnssec_binary_t *pem, char **id);
int dnssec_pem_to_privkey(const dnssec_binary_t *pem, gnutls_privkey_t *key);
/*!
* Export GnuTLS X.509 private key to PEM binary.
......@@ -61,14 +57,6 @@ int pem_generate(gnutls_pk_algorithm_t algorithm, unsigned bits,
*
* \return Error code, DNSSEC_EOK if successful.
*/
int pem_from_x509(gnutls_x509_privkey_t key, dnssec_binary_t *pem);
int dnssec_pem_from_x509(gnutls_x509_privkey_t key, dnssec_binary_t *pem);
/*!
* Get key ID of a private key in PEM format.
*
* \param[in] pem Key in unencrypted PEM format.
* \param[out] id ID of the key.
*
* \return Error code, DNSSEC_EOK if successful.
*/
int pem_keyid(const dnssec_binary_t *pem, char **id);
/*! @} */
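Review bot: The newly public header keeps `#include <gnutls/gnutls.h>` (line 347) and exposes `gnutls_x509_privkey_t` and `gnutls_privkey_t` in the signatures of all three exported functions, so GnuTLS types become part of libdnssec's installed interface and every consumer of dnssec.h (which now includes pem.h) must have the GnuTLS headers. If that is intended, state it in the group comment, e.g. `* \brief PEM key format operations (the API uses GnuTLS key types directly).` The callers in this commit wrap the returned key in `_cleanup_x509_privkey_`, which suggests the caller owns and must deinit it; the `\param` lines that would say so sit outside the hunks, so whether ownership is already documented cannot be confirmed from here.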
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -20,7 +20,7 @@
#include "contrib/strtonum.h"
#include "libdnssec/binary.h"
#include "libdnssec/error.h"
#include "libdnssec/shared/pem.h"
#include "libdnssec/pem.h"
#include "libdnssec/shared/shared.h"
#include "utils/keymgr/bind_privkey.h"
......@@ -267,7 +267,7 @@ static int rsa_params_to_pem(const bind_privkey_t *params, dnssec_binary_t *pem)
return DNSSEC_KEY_IMPORT_ERROR;
}
return pem_from_x509(key, pem);
return dnssec_pem_from_x509(key, pem);
}
/*!
......@@ -320,7 +320,7 @@ static int ecdsa_params_to_pem(dnssec_key_t *dnskey, const bind_privkey_t *param
gnutls_x509_privkey_fix(key);
return pem_from_x509(key, pem);
return dnssec_pem_from_x509(key, pem);
}
int bind_privkey_to_pem(dnssec_key_t *key, bind_privkey_t *params, dnssec_binary_t *pem)
......
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -17,7 +17,7 @@
#include <tap/basic.h>
#include <string.h>
#include "bignum.h"
#include "bignum.c"
#include "binary.h"
#define bin_init(array) { .data = array, .size = sizeof(array) }
......
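Review bot: test_bignum.c now compiles `bignum.c` straight into the test translation unit (line 430) instead of including its header, and the same pattern appears in the dname, der and tsig tests (lines 442, 453, 466), with no comment explaining why; presumably these shared helpers are no longer reachable from the test link after the source-list changes, but that is not stated in the tests. Add a one-line comment at the include, e.g. `#include "bignum.c" // compiled in directly rather than linked; see the libdnssec build`, so the next reader does not revert it to the header. Whether the test binaries also link an object that defines the same symbols cannot be verified from the diff.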
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -18,7 +18,7 @@
#include <string.h>
#include <tap/basic.h>
#include "dname.h"
#include "dname.c"
static void ok_length(const char *dname, size_t length, const char *info)
{
......
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -19,6 +19,7 @@
#include <string.h>
#include <stdbool.h>
#include "bignum.c"
#include "binary.h"
#include "error.h"
#include "sign/der.c"
......
/* Copyright (C) 2018 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
/* Copyright (C) 2019 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
......@@ -18,7 +18,7 @@
#include <string.h>
#include "binary.h"
#include "dname.h"
#include "dname.c"
#include "tsig.h"
static const dnssec_binary_t payload = {
......