fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -a algorithm: \n"
- " RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
- " NSEC3DSA | NSEC3RSASHA1 |\n"
+ " RSA | RSAMD5 | DH | RSASHA1 |\n"
+ " NSEC3RSASHA1 |\n"
" RSASHA256 | RSASHA512 |\n"
" ECDSAP256SHA256 | ECDSAP384SHA384\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
if (use_nsec3) {
switch (alg) {
- case DST_ALG_DSA:
- alg = DST_ALG_NSEC3DSA;
- break;
case DST_ALG_RSASHA1:
alg = DST_ALG_NSEC3RSASHA1;
break;
- case DST_ALG_NSEC3DSA:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+ NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
</para>
<para>
<para>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <option>-3</option> option, then NSEC3RSASHA1
- or NSEC3DSA will be used instead.
+ will be used instead.
</para>
<para>
As of BIND 9.12.0, this option is mandatory except when using
fprintf(stderr, "Options:\n");
fprintf(stderr, " -K <directory>: write keys into directory\n");
fprintf(stderr, " -a <algorithm>:\n");
- fprintf(stderr, " RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
- " | NSEC3DSA |\n");
+ fprintf(stderr, " RSA | RSAMD5 | RSASHA1 | NSEC3RSASHA1"
+ " |\n");
fprintf(stderr, " RSASHA256 | RSASHA512 |\n");
fprintf(stderr, " ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
fprintf(stderr, " ED25519 | ED448 | DH\n");
fprintf(stderr, " RSASHA256:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
- fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
- fprintf(stderr, " NSEC3DSA:\t[512..1024] and divisible "
- "by 64\n");
fprintf(stderr, " ECCGOST:\tignored\n");
fprintf(stderr, " ECDSAP256SHA256:\tignored\n");
fprintf(stderr, " ECDSAP384SHA384:\tignored\n");
exit (-1);
}
-static bool
-dsa_size_ok(int size) {
- return (size >= 512 && size <= 1024 && size % 64 == 0);
-}
-
static void
progress(int p)
{
if (use_nsec3) {
switch (alg) {
- case DST_ALG_DSA:
- alg = DST_ALG_NSEC3DSA;
- break;
case DST_ALG_RSASHA1:
alg = DST_ALG_NSEC3RSASHA1;
break;
- case DST_ALG_NSEC3DSA:
case DST_ALG_NSEC3RSASHA1:
case DST_ALG_RSASHA256:
case DST_ALG_RSASHA512:
if (size != 0 && (size < 128 || size > 4096))
fatal("DH key size %d out of range", size);
break;
- case DNS_KEYALG_DSA:
- case DNS_KEYALG_NSEC3DSA:
- if (size != 0 && !dsa_size_ok(size))
- fatal("invalid DSS key size: %d", size);
- break;
case DST_ALG_ECCGOST:
size = 256;
break;
param = generator;
break;
- case DNS_KEYALG_DSA:
- case DNS_KEYALG_NSEC3DSA:
case DST_ALG_ECCGOST:
case DST_ALG_ECDSA256:
case DST_ALG_ECDSA384:
<para>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
- DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
+ NSEC3RSASHA1, RSASHA256, RSASHA512,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
TKEY, the value must be DH (Diffie Hellman); specifying
his value will automatically set the <option>-T KEY</option>
<para>
These values are case insensitive. In some cases, abbreviations
are supported, such as ECDSA256 for ECDSAP256SHA256 and
- ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
along with the <option>-3</option> option, then NSEC3RSASHA1
- or NSEC3DSA will be used instead.
+ will be used instead.
</para>
<para>
This parameter <emphasis>must</emphasis> be specified except
static CK_BBOOL truevalue = TRUE;
static CK_BBOOL falsevalue = FALSE;
-/* Key class: RSA, ECC, ECX, DSA, or unknown */
+/* Key class: RSA, ECC, ECX, or unknown */
typedef enum {
key_unknown,
key_rsa,
- key_dsa,
key_ecc,
key_ecx
} key_class_t;
{CKA_ID, NULL_PTR, 0}
};
-/*
- * Public key template for DSA keys
- */
-#define DSA_LABEL 0
-#define DSA_VERIFY 1
-#define DSA_TOKEN 2
-#define DSA_PRIVATE 3
-#define DSA_PRIME 4
-#define DSA_SUBPRIME 5
-#define DSA_BASE 6
-#define DSA_ID 7
-#define DSA_ATTRS 8
-static CK_ATTRIBUTE dsa_template[] = {
- {CKA_LABEL, NULL_PTR, 0},
- {CKA_VERIFY, &truevalue, sizeof(truevalue)},
- {CKA_TOKEN, &truevalue, sizeof(truevalue)},
- {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
- {CKA_PRIME, NULL_PTR, 0},
- {CKA_SUBPRIME, NULL_PTR, 0},
- {CKA_BASE, NULL_PTR, 0},
- {CKA_ID, NULL_PTR, 0}
-};
-#define DSA_PARAM_PRIME 0
-#define DSA_PARAM_SUBPRIME 1
-#define DSA_PARAM_BASE 2
-#define DSA_PARAM_ATTRS 3
-static CK_ATTRIBUTE dsa_param_template[] = {
- {CKA_PRIME, NULL_PTR, 0},
- {CKA_SUBPRIME, NULL_PTR, 0},
- {CKA_BASE, NULL_PTR, 0},
-};
-#define DSA_DOMAIN_PRIMEBITS 0
-#define DSA_DOMAIN_PRIVATE 1
-#define DSA_DOMAIN_ATTRS 2
-static CK_ATTRIBUTE dsa_domain_template[] = {
- {CKA_PRIME_BITS, NULL_PTR, 0},
- {CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
-};
-
/*
* Convert from text to key class. Accepts the names of DNSSEC
* signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
if (strncasecmp(name, "rsa", 3) == 0 ||
strncasecmp(name, "nsec3rsa", 8) == 0)
return (key_rsa);
- else if (strncasecmp(name, "dsa", 3) == 0 ||
- strncasecmp(name, "nsec3dsa", 8) == 0)
- return (key_dsa);
else if (strncasecmp(name, "ecc", 3) == 0 ||
strncasecmp(name, "ecdsa", 5) == 0)
return (key_ecc);
pk11_context_t pctx;
int error = 0;
int c, errflg = 0;
- int hide = 1, special = 0, quiet = 0;
+ int hide = 1, quiet = 0;
int idlen = 0, id_offset = 0;
unsigned int i;
unsigned long id = 0;
#endif
break;
- case key_dsa:
- op_type = OP_DSA;
- if (bits == 0)
- usage();
-
- dpmech.mechanism = CKM_DSA_PARAMETER_GEN;
- dpmech.pParameter = NULL;
- dpmech.ulParameterLen = 0;
- mech.mechanism = CKM_DSA_KEY_PAIR_GEN;
- mech.pParameter = NULL;
- mech.ulParameterLen = 0;
-
- public_template = dsa_template;
- public_attrcnt = DSA_ATTRS;
- id_offset = DSA_ID;
-
- domain_template = dsa_domain_template;
- domain_attrcnt = DSA_DOMAIN_ATTRS;
- param_template = dsa_param_template;
- param_attrcnt = DSA_PARAM_ATTRS;
-
- domain_template[DSA_DOMAIN_PRIMEBITS].pValue = &bits;
- domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
- break;
case key_unknown:
usage();
}
fprintf(stderr,
"C_GetAttributeValue0: Error = 0x%.8lX\n", rv);
error = 1;
- goto exit_domain;
+ goto exit_search;
}
/* Allocate space for parameter attributes */
if (param_template[i].pValue == NULL) {
fprintf(stderr, "malloc failed\n");
error = 1;
- goto exit_params;
+ goto exit_search;
}
}
- rv = pkcs_C_GetAttributeValue(hSession, domainparams,
- dsa_param_template, DSA_PARAM_ATTRS);
-
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_GetAttributeValue1: Error = 0x%.8lX\n", rv);
- error = 1;
- goto exit_params;
- }
-
- switch (keyclass) {
- case key_dsa:
- public_template[DSA_PRIME].pValue =
- param_template[DSA_PARAM_PRIME].pValue;
- public_template[DSA_PRIME].ulValueLen =
- param_template[DSA_PARAM_PRIME].ulValueLen;
- public_template[DSA_SUBPRIME].pValue =
- param_template[DSA_PARAM_SUBPRIME].pValue;
- public_template[DSA_SUBPRIME].ulValueLen =
- param_template[DSA_PARAM_SUBPRIME].ulValueLen;
- public_template[DSA_BASE].pValue =
- param_template[DSA_PARAM_BASE].pValue;
- public_template[DSA_BASE].ulValueLen =
- param_template[DSA_PARAM_BASE].ulValueLen;
- break;
- default:
- break;
- }
-
generate_keys:
/* Generate Key pair for signing/verifying */
rv = pkcs_C_GenerateKeyPair(hSession, &mech,
} else if (!quiet)
printf("Key pair generation complete.\n");
- exit_params:
- /* Free parameter attributes */
- if (keyclass == key_dsa) {
- for (i = 0; i < param_attrcnt; i++) {
- if (param_template[i].pValue != NULL) {
- free(param_template[i].pValue);
- }
- }
- }
-
- exit_domain:
- /* Destroy domain parameters */
- if (keyclass == key_dsa) {
- rv = pkcs_C_DestroyObject(hSession, domainparams);
- if (rv != CKR_OK) {
- fprintf(stderr,
- "C_DestroyObject: Error = 0x%.8lX\n", rv);
- error = 1;
- }
- }
-
exit_search:
rv = pkcs_C_FindObjectsFinal(hSession);
if (rv != CKR_OK) {
result = dns_name_fromtext(name, &b, NULL, 0, NULL);
if (result != ISC_R_SUCCESS)
return (1);
- io(name, 23616, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
io(name, 54622, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
mctx);
- io(name, 49667, DST_ALG_DSA, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
io(name, 2, DST_ALG_RSAMD5, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC, mctx);
isc_buffer_constinit(&b, "dh.", 3);
generate(DST_ALG_RSAMD5, mctx);
generate(DST_ALG_DH, mctx);
- generate(DST_ALG_DSA, mctx);
generate(DST_ALG_HMACMD5, mctx);
dst_lib_destroy();
/* Define to 1 to enable dnstap support */
#undef HAVE_DNSTAP
-/* Define to 1 if you have the `DSA_get0_pqg' function. */
-#undef HAVE_DSA_GET0_PQG
-
/* Define to 1 if you have the `ECDSA_sign' function. */
#undef HAVE_ECDSA_SIGN
/* Define if you have h_errno */
#define HAVE_H_ERRNO
-/* Define if you have RSA_generate_key(). */
-#define HAVE_RSA_GENERATE_KEY
-
-/* Define if you have DSA_generate_parameters(). */
-#define HAVE_DSA_GENERATE_PARAMETERS
-
-/* Define if you have DH_generate_parameters(). */
-#define HAVE_DH_GENERATE_PARAMETERS
-
/* Define if you have getpassphrase in the C library. */
#define HAVE_GETPASSPHRASE
/* Define if your OpenSSL version supports DH functions. */
@HAVE_DH_GET0_KEY@
-/* Define if your OpenSSL version supports DSA functions. */
-@HAVE_DSA_GET0_PQG@
-
/* Define if your OpenSSL version supports ECDSA functions. */
@HAVE_ECDSA_SIG_GET0@
#
# Check for OpenSSL 1.1.x/LibreSSL functions
#
-for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg
+for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key
do :
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
#
# Check for OpenSSL 1.1.x/LibreSSL functions
#
-AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
+AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key])
#
# Check whether FIPS mode is available and whether we should enable it
#define TAG_DH_PRIVATE ((DST_ALG_DH << TAG_SHIFT) + 2)
#define TAG_DH_PUBLIC ((DST_ALG_DH << TAG_SHIFT) + 3)
-#define DSA_NTAGS 5
-#define TAG_DSA_PRIME ((DST_ALG_DSA << TAG_SHIFT) + 0)
-#define TAG_DSA_SUBPRIME ((DST_ALG_DSA << TAG_SHIFT) + 1)
-#define TAG_DSA_BASE ((DST_ALG_DSA << TAG_SHIFT) + 2)
-#define TAG_DSA_PRIVATE ((DST_ALG_DSA << TAG_SHIFT) + 3)
-#define TAG_DSA_PUBLIC ((DST_ALG_DSA << TAG_SHIFT) + 4)
-
#define ECDSA_NTAGS 4
#define TAG_ECDSA_PRIVATEKEY ((DST_ALG_ECDSA256 << TAG_SHIFT) + 0)
#define TAG_ECDSA_ENGINE ((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
#define DNS_SIG_RSAMINSIZE ((DNS_SIG_RSAMINBITS+7)/8)
#define DNS_SIG_RSAMAXSIZE ((DNS_SIG_RSAMAXBITS+7)/8)
-#define DNS_SIG_DSASIGSIZE 41
-#define DNS_SIG_DSAMINBITS 512
-#define DNS_SIG_DSAMAXBITS 1024
-#define DNS_SIG_DSAMINBYTES 213
-#define DNS_SIG_DSAMAXBYTES 405
-
#define DNS_SIG_ECDSA256SIZE 64
#define DNS_SIG_ECDSA384SIZE 96
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (dnskey.algorithm == DST_ALG_RSAMD5 ||
- dnskey.algorithm == DST_ALG_RSASHA1 ||
- dnskey.algorithm == DST_ALG_DSA)
+ dnskey.algorithm == DST_ALG_RSASHA1)
break;
}
dns_rdataset_disassociate(&rdataset);
{ DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
{ DNS_KEYALG_RSAMD5, "RSA", 0 }, \
{ DNS_KEYALG_DH, "DH", 0 }, \
+ { DNS_KEYALG_DSA, "DSA", 0 }, \
{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
+ { DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
{ DNS_KEYALG_RSASHA256, "RSASHA256", 0 }, \
{ DNS_KEYALG_RSASHA512, "RSASHA512", 0 }, \
continue;
alg = tuple->rdata.data[3];
- if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
- alg == DST_ALG_DSA) {
+ if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
nseconly = true;
break;
}
typedef enum {
OP_ANY = 0,
OP_RSA = 1,
- OP_DSA = 2,
OP_DH = 3,
OP_ECDSA = 4,
OP_EDDSA = 5,
if (tuple->rdata.type == dns_rdatatype_dnskey) {
uint8_t alg;
alg = tuple->rdata.data[3];
- if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
- alg == DST_ALG_DSA) {
+ if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1) {
nseconly = true;
break;
}
"HAVE_OPENSSL_ED25519",
"HAVE_OPENSSL_ED448",
"HAVE_DH_GET0_KEY",
- "HAVE_DSA_GET0_PQG",
"HAVE_ECDSA_SIG_GET0",
"HAVE_RSA_SET0_KEY",
"USE_BACKTRACE",
}
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
OPENSSL_VERSION_NUMBER);
- printf("This version has no built-in support for DH/DSA/ECDSA/RSA functions.\n\n");
+ printf("This version has no built-in support for DH/ECDSA/RSA functions.\n\n");
return (1);
}
EOF
`.\\testosslfunc.exe`;
if ($? == 0) {
$configdefh{"HAVE_DH_GET0_KEY"} = 1;
- $configdefh{"HAVE_DSA_GET0_PQG"} = 1;
$configdefh{"HAVE_ECDSA_SIG_GET0"} = 1;
$configdefh{"HAVE_RSA_SET0_KEY"} = 1;
}
projects / thirdparty / bind9.git / commitdiff
