* Create a key in the keystore of an HSM
*
* The calculation of key tag is left to the script
- * that converts the key into a DNSKEY RR and inserts
+ * that converts the key into a DNSKEY RR and inserts
* it into a zone file.
*
* usage:
#include <pk11/pk11.h>
#include <pk11/result.h>
-#define WANT_DH_PRIMES
#include <pk11/constants.h>
#include <pkcs11/eddsa.h>
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
-/* Key class: RSA, ECC, ECX, DSA, DH, or unknown */
+/* Key class: RSA, ECC, ECX, DSA, or unknown */
typedef enum {
key_unknown,
key_rsa,
key_dsa,
- key_dh,
key_ecc,
key_ecx
} key_class_t;
{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
};
-/*
- * Public key template for DH keys
- */
-#define DH_LABEL 0
-#define DH_VERIFY 1
-#define DH_TOKEN 2
-#define DH_PRIVATE 3
-#define DH_PRIME 4
-#define DH_BASE 5
-#define DH_ID 6
-#define DH_ATTRS 7
-static CK_ATTRIBUTE dh_template[] = {
- {CKA_LABEL, NULL_PTR, 0},
- {CKA_VERIFY, &truevalue, sizeof(truevalue)},
- {CKA_TOKEN, &truevalue, sizeof(truevalue)},
- {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
- {CKA_PRIME, NULL_PTR, 0},
- {CKA_BASE, NULL_PTR, 0},
- {CKA_ID, NULL_PTR, 0}
-};
-#define DH_PARAM_PRIME 0
-#define DH_PARAM_BASE 1
-#define DH_PARAM_ATTRS 2
-static CK_ATTRIBUTE dh_param_template[] = {
- {CKA_PRIME, NULL_PTR, 0},
- {CKA_BASE, NULL_PTR, 0},
-};
-#define DH_DOMAIN_PRIMEBITS 0
-#define DH_DOMAIN_ATTRS 1
-static CK_ATTRIBUTE dh_domain_template[] = {
- {CKA_PRIME_BITS, NULL_PTR, 0},
-};
-
/*
* Convert from text to key class. Accepts the names of DNSSEC
* signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
else if (strncasecmp(name, "dsa", 3) == 0 ||
strncasecmp(name, "nsec3dsa", 8) == 0)
return (key_dsa);
- else if (strcasecmp(name, "dh") == 0)
- return (key_dh);
else if (strncasecmp(name, "ecc", 3) == 0 ||
strncasecmp(name, "ecdsa", 5) == 0)
return (key_ecc);
case 'q':
quiet = 1;
break;
- case 'S':
- special = 1;
- break;
case ':':
fprintf(stderr,
"Option -%c requires an operand\n",
exit(2);
}
- if (special != 0 && keyclass != key_dh) {
- fprintf(stderr, "The -S option is only compatible "
- "with Diffie-Hellman key generation\n");
- exit(2);
- }
-
switch (keyclass) {
case key_rsa:
op_type = OP_RSA;
domain_template[DSA_DOMAIN_PRIMEBITS].pValue = &bits;
domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
break;
- case key_dh:
- op_type = OP_DH;
- if (special && bits == 0)
- bits = 1024;
- else if (special &&
- bits != 768 && bits != 1024 && bits != 1536)
- {
- fprintf(stderr, "When using the special prime (-S) "
- "option, only key sizes of\n"
- "768, 1024 or 1536 are supported.\n");
- exit(2);
- } else if (bits == 0)
- usage();
-
- dpmech.mechanism = CKM_DH_PKCS_PARAMETER_GEN;
- dpmech.pParameter = NULL;
- dpmech.ulParameterLen = 0;
- mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN;
- mech.pParameter = NULL;
- mech.ulParameterLen = 0;
-
- /* Override CKA_SIGN attribute */
- private_template[PRIVATE_DERIVE].type = CKA_DERIVE;
-
- public_template = dh_template;
- public_attrcnt = DH_ATTRS;
- id_offset = DH_ID;
-
- domain_template = dh_domain_template;
- domain_attrcnt = DH_DOMAIN_ATTRS;
- param_template = dh_param_template;
- param_attrcnt = DH_PARAM_ATTRS;
-
- domain_template[DH_DOMAIN_PRIMEBITS].pValue = &bits;
- domain_template[DH_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
- break;
case key_unknown:
usage();
}
-
+
search_template[0].pValue = label;
search_template[0].ulValueLen = strlen((char *)label);
public_template[0].pValue = label;
hSession = pctx.session;
/* check if a key with the same id already exists */
- rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
+ rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
if (rv != CKR_OK) {
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
error = 1;
if (keyclass == key_rsa || keyclass == key_ecc || keyclass == key_ecx)
goto generate_keys;
- /*
- * Special setup for Diffie-Hellman keys
- */
- if (special != 0) {
- public_template[DH_BASE].pValue = pk11_dh_bn2;
- public_template[DH_BASE].ulValueLen = sizeof(pk11_dh_bn2);
- if (bits == 768) {
- public_template[DH_PRIME].pValue = pk11_dh_bn768;
- public_template[DH_PRIME].ulValueLen =
- sizeof(pk11_dh_bn768);
- } else if (bits == 1024) {
- public_template[DH_PRIME].pValue = pk11_dh_bn1024;
- public_template[DH_PRIME].ulValueLen =
- sizeof(pk11_dh_bn1024);
- } else {
- public_template[DH_PRIME].pValue = pk11_dh_bn1536;
- public_template[DH_PRIME].ulValueLen =
- sizeof(pk11_dh_bn1536);
- }
- param_attrcnt = 0;
- goto generate_keys;
- }
-
/* Generate Domain parameters */
rv = pkcs_C_GenerateKey(hSession, &dpmech, domain_template,
domain_attrcnt, &domainparams);
public_template[DSA_BASE].ulValueLen =
param_template[DSA_PARAM_BASE].ulValueLen;
break;
- case key_dh:
- public_template[DH_PRIME].pValue =
- param_template[DH_PARAM_PRIME].pValue;
- public_template[DH_PRIME].ulValueLen =
- param_template[DH_PARAM_PRIME].ulValueLen;
- public_template[DH_BASE].pValue =
- param_template[DH_PARAM_BASE].pValue;
- public_template[DH_BASE].ulValueLen =
- param_template[DH_PARAM_BASE].ulValueLen;
default:
break;
}
public_template, public_attrcnt,
private_template, private_attrcnt,
&publickey, &privatekey);
-
+
if (rv != CKR_OK) {
fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
error = 1;
} else if (!quiet)
printf("Key pair generation complete.\n");
-
+
exit_params:
/* Free parameter attributes */
- if (keyclass == key_dsa || keyclass == key_dh) {
+ if (keyclass == key_dsa) {
for (i = 0; i < param_attrcnt; i++) {
if (param_template[i].pValue != NULL) {
free(param_template[i].pValue);
exit_domain:
/* Destroy domain parameters */
- if (keyclass == key_dsa || (keyclass == key_dh && !special)) {
+ if (keyclass == key_dsa) {
rv = pkcs_C_DestroyObject(hSession, domainparams);
if (rv != CKR_OK) {
fprintf(stderr,
projects / thirdparty / bind9.git / commitdiff
