From: Matthijs Mekking
Date: Wed, 6 Sep 2023 12:09:46 +0000 (+0200)
Subject: Create keys with PKCS#11 URI instead of object
X-Git-Tag: v9.19.22~70^2~13
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1e88bb018604e3d3c70af27aa1c075f9f653e5e0;p=thirdparty%2Fbind9.git
Create keys with PKCS#11 URI instead of object
The pkcs11-provider has changed to take a PKCS#11 URI instead of an object identifier. Change the BIND 9 code accordingly to pass through the label instead of just the object identifier.
See: https://github.com/latchset/pkcs11-provider/pull/284
---
diff --git a/configure.ac b/configure.ac
index 3631772b140..92f40c17ac2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -644,6 +644,7 @@ AS_IF([test "$enable_doh" = "yes"],
 AM_CONDITIONAL([HAVE_LIBNGHTTP2], [test -n "$LIBNGHTTP2_LIBS"])
+
 #
 # flockfile is usually provided by pthreads
 #
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 803214c096f..90d0f8dfe14 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -1031,7 +1031,7 @@ dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
 isc_result_t
 dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
		 unsigned int param, unsigned int flags, unsigned int protocol,
-		 dns_rdataclass_t rdclass, const char *object, isc_mem_t *mctx,
+		 dns_rdataclass_t rdclass, const char *label, isc_mem_t *mctx,
		 dst_key_t **keyp, void (*callback)(int)) {
	dst_key_t *key;
	isc_result_t ret;
@@ -1046,8 +1046,8 @@ dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
	key = get_key_struct(name, alg, flags, protocol, bits, rdclass, 0,
			     mctx);
-	if (object != NULL) {
-		key->object = isc_mem_strdup(mctx, object);
+	if (label != NULL) {
+		key->label = isc_mem_strdup(mctx, label);
	}
	if (bits == 0) { /*%< NULL KEY */
@@ -1408,9 +1408,6 @@ dst_key_free(dst_key_t **keyp) {
	if (key->label != NULL) {
		isc_mem_free(mctx, key->label);
	}
-	if (key->object != NULL) {
-		isc_mem_free(mctx, key->object);
-	}
	dns_name_free(key->key_name, mctx);
	isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
	if (key->key_tkeytoken) {
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index 7026e7ffae8..a78b710738b 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -94,7 +94,6 @@ struct dst_key {
	char *directory; /*%< key directory */
	char *engine; /*%< engine name (HSM) */
	char *label; /*%< engine label (HSM) */
-	char *object; /*%< engine object (HSM) */
	union {
		void *generic;
		dns_gss_ctx_id_t gssctx;
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index e4895e19327..3da59150add 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -629,7 +629,7 @@ dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
 isc_result_t
 dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
		 unsigned int param, unsigned int flags, unsigned int protocol,
-		 dns_rdataclass_t rdclass, const char *object, isc_mem_t *mctx,
+		 dns_rdataclass_t rdclass, const char *label, isc_mem_t *mctx,
		 dst_key_t **keyp, void (*callback)(int));
 /*%<
diff --git a/lib/dns/keystore.c b/lib/dns/keystore.c
index c57c712a7aa..d0637354b48 100644
--- a/lib/dns/keystore.c
+++ b/lib/dns/keystore.c
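Review bot: With `object` gone, the `label` member of struct dst_key now also carries the full `pkcs11:…;object=…;` URI that keystore.c hands to dst_key_generate, yet its comment still reads `/*%< engine label (HSM) */`, which a reader will take to mean a bare CKA_LABEL. Reword it so the dual use is visible: `char *label; /*%< engine label or PKCS#11 URI (HSM) */`. The keystore.c hunk in this commit passes the same URI string to both dst_key_generate and dst_key_fromlabel, so the comment should not suggest two different formats.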
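Review bot: The public prototype of dst_key_generate is renamed to take `const char *label`, but the `/*%<` documentation block that follows it (it continues outside the hunk) is untouched by this commit; if it still describes an `object` parameter, or says nothing about the expected format, it is now misleading. Add a line along the lines of `label: PKCS#11 URI (e.g. "pkcs11:token=…;object=…;") telling the provider where to create the key, or NULL for a software key`. Every caller in this commit passes either NULL or a complete URI, so the parameter name alone understates the contract.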
@@ -167,14 +167,18 @@ dns_keystore_keygen(dns_keystore_t *keystore, const dns_name_t *origin,
	char namebuf[DNS_NAME_FORMATSIZE];
	char object[DNS_NAME_FORMATSIZE + 26];
-	/* Generate the key */
+	/* Create the PKCS11 URI */
	isc_time_formatshorttimestamp(&now, timebuf, sizeof(timebuf));
	dns_name_format(origin, namebuf, sizeof(namebuf));
	snprintf(object, sizeof(object), "%s-%s-%s", namebuf,
		 ksk ? "ksk" : "zsk", timebuf);
+	len = strlen(object) + strlen(uri) + 10;
+	label = isc_mem_get(mctx, len);
+	sprintf(label, "%s;object=%s;", uri, object);
+	/* Generate the key */
	result = dst_key_generate(origin, alg, size, 0, flags,
-				  DNS_KEYPROTO_DNSSEC, rdclass, object,
+				  DNS_KEYPROTO_DNSSEC, rdclass, label,
				  mctx, &key, NULL);
	if (result != ISC_R_SUCCESS) {
		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
@@ -187,9 +191,6 @@ dns_keystore_keygen(dns_keystore_t *keystore, const dns_name_t *origin,
	dst_key_free(&key);
	/* Retrieve generated key from label */
-	len = strlen(object) + strlen(uri) + 10;
-	label = isc_mem_get(mctx, len);
-	sprintf(label, "%s;object=%s;", uri, object);
	result = dst_key_fromlabel(
		origin, alg, flags, DNS_KEYPROTO_DNSSEC, dns_rdataclass_in,
		dns_keystore_engine(keystore), label,
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index 4b8740b8d77..9ca9abad896 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
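Review bot: Moving the `isc_mem_get(mctx, len)` for `label` above the dst_key_generate() call means the `if (result != ISC_R_SUCCESS)` branch, which continues outside the hunk, now owns that allocation; unless it already falls through to a common cleanup, it needs `isc_mem_put(mctx, label, len);` before returning, otherwise every failed HSM keygen leaks the URI buffer. The unbounded `sprintf(label, ...)` is correct only because the `+ 10` happens to equal `;object=` plus `;` plus the NUL; make the bound explicit with `snprintf(label, len, "%s;object=%s;", uri, object);`. Separately, `object` is spliced into the URI straight from dns_name_format() output, and a zone name containing characters such as `\`, `%` or `;` would yield an attribute value that is not valid under RFC 7512 without percent-encoding — worth confirming how the provider treats such names, or escaping the value before building the URI.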
@@ -410,26 +410,17 @@ opensslecdsa_create_pkey(unsigned int key_alg, bool private,
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 static isc_result_t
-opensslecdsa_generate_pkey_with_object(int group_nid, const char *object,
-				       EVP_PKEY **retkey) {
+opensslecdsa_generate_pkey_with_uri(int group_nid, const char *label,
+				    EVP_PKEY **retkey) {
	int status;
	isc_result_t ret;
-	unsigned char id[16];
-	char *label = UNCONST(object);
+	char *uri = UNCONST(label);
	EVP_PKEY_CTX *ctx = NULL;
-	OSSL_PARAM params[3];
+	OSSL_PARAM params[2];
	/* Generate the key's parameters. */
-	status = RAND_bytes(id, 16);
-	if (status != 1) {
-		DST_RET(dst__openssl_toresult2("RAND_bytes",
-					       DST_R_OPENSSLFAILURE));
-	}
-
-	params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_key_label", label,
-						     0);
-	params[1] = OSSL_PARAM_construct_octet_string("pkcs11_key_id", id, 16);
-	params[2] = OSSL_PARAM_construct_end();
+	params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
+	params[1] = OSSL_PARAM_construct_end();
	ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", "provider=pkcs11");
	if (ctx == NULL) {
@@ -476,7 +467,7 @@ err:
 }
 static isc_result_t
-opensslecdsa_generate_pkey(unsigned int key_alg, const char *object,
+opensslecdsa_generate_pkey(unsigned int key_alg, const char *label,
			   EVP_PKEY **retkey) {
	isc_result_t ret;
	EVP_PKEY_CTX *ctx = NULL;
@@ -484,9 +475,9 @@ opensslecdsa_generate_pkey(unsigned int key_alg, const char *object,
	int group_nid = opensslecdsa_key_alg_to_group_nid(key_alg);
	int status;
-	if (object != NULL) {
-		return (opensslecdsa_generate_pkey_with_object(group_nid,
-							       object, retkey));
+	if (label != NULL) {
+		return (opensslecdsa_generate_pkey_with_uri(group_nid, label,
+							    retkey));
	}
	/* Generate the key's parameters. */
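Review bot: Dropping the `RAND_bytes` id and the `pkcs11_key_id` param means the created object no longer gets a caller-chosen CKA_ID; its only identity is the `object=` label inside `uri`, and keystore.c derives that label from a second-resolution timestamp, so two keys generated for the same zone and role within one second would share a label and the later lookup by URI could resolve to either object. Unless the provider is known to assign a unique CKA_ID itself, consider having the URI carry an `id=` attribute (percent-encoded random bytes) where it is built, or keeping the random id as a second OSSL_PARAM if the provider still accepts one. The `int status;` declaration survives although its first assignment was removed; if nothing below the hunk assigns it, drop it to avoid an unused-variable warning.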
@@ -570,14 +561,14 @@ opensslecdsa_extract_private_key(const dst_key_t *key, unsigned char *buf,
 #else
 static isc_result_t
-opensslecdsa_generate_pkey(unsigned int key_alg, const char *object,
+opensslecdsa_generate_pkey(unsigned int key_alg, const char *label,
			   EVP_PKEY **retkey) {
	isc_result_t ret;
	EC_KEY *eckey = NULL;
	EVP_PKEY *pkey = NULL;
	int group_nid;
-	UNUSED(object);
+	UNUSED(label);
	group_nid = opensslecdsa_key_alg_to_group_nid(key_alg);
@@ -892,7 +883,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
	UNUSED(unused);
	UNUSED(callback);
-	ret = opensslecdsa_generate_pkey(key->key_alg, key->object, &pkey);
+	ret = opensslecdsa_generate_pkey(key->key_alg, key->label, &pkey);
	if (ret != ISC_R_SUCCESS) {
		return (ret);
	}
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 6d06c71f273..e1e804bbdc3 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -366,14 +366,14 @@ progress_cb(int p, int n, BN_GENCB *cb) {
 }
 static isc_result_t
-opensslrsa_generate_pkey(unsigned int key_size, const char *object, BIGNUM *e,
+opensslrsa_generate_pkey(unsigned int key_size, const char *label, BIGNUM *e,
			 void (*callback)(int), EVP_PKEY **retkey) {
	RSA *rsa = NULL;
	EVP_PKEY *pkey = NULL;
	BN_GENCB *cb = NULL;
	isc_result_t ret;
-	UNUSED(object);
+	UNUSED(label);
	rsa = RSA_new();
	pkey = EVP_PKEY_new();
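Review bot: In this pre-OpenSSL-3 fallback a non-NULL `label` is discarded by `UNUSED(label);` and an ordinary software EC key is generated, so a deployment that asked for an HSM-resident key (keystore.c hands a `pkcs11:` URI through to this parameter) silently ends up with a private key in the file-based keystore instead of the token. If that is not the intended degradation, refuse rather than ignore: `if (label != NULL) { return (ISC_R_NOTIMPLEMENTED); }` in place of the UNUSED(). The RSA counterpart, `opensslrsa_generate_pkey` in the hunk at line 366, keeps the same `UNUSED(label);` and raises the same question.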
@@ -497,26 +497,17 @@ progress_cb(EVP_PKEY_CTX *ctx) {
 }
 static isc_result_t
-opensslrsa_generate_pkey_with_object(size_t key_size, const char *object,
-				     EVP_PKEY **retkey) {
+opensslrsa_generate_pkey_with_uri(size_t key_size, const char *label,
+				  EVP_PKEY **retkey) {
	EVP_PKEY_CTX *ctx = NULL;
-	OSSL_PARAM params[4];
-	unsigned char id[16];
-	char *label = UNCONST(object);
+	OSSL_PARAM params[3];
+	char *uri = UNCONST(label);
	isc_result_t ret;
	int status;
-	status = RAND_bytes(id, 16);
-	if (status != 1) {
-		DST_RET(dst__openssl_toresult2("RAND_bytes",
-					       DST_R_OPENSSLFAILURE));
-	}
-
-	params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_key_label", label,
-						     0);
-	params[1] = OSSL_PARAM_construct_octet_string("pkcs11_key_id", id, 16);
-	params[2] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
-	params[3] = OSSL_PARAM_construct_end();
+	params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
+	params[1] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
+	params[2] = OSSL_PARAM_construct_end();
	ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", "provider=pkcs11");
	if (ctx == NULL) {
@@ -549,14 +540,14 @@ err:
 }
 static isc_result_t
-opensslrsa_generate_pkey(unsigned int key_size, const char *object, BIGNUM *e,
+opensslrsa_generate_pkey(unsigned int key_size, const char *label, BIGNUM *e,
			 void (*callback)(int), EVP_PKEY **retkey) {
	EVP_PKEY_CTX *ctx;
	isc_result_t ret;
-	if (object != NULL) {
-		return (opensslrsa_generate_pkey_with_object(key_size, object,
-							     retkey));
+	if (label != NULL) {
+		return (opensslrsa_generate_pkey_with_uri(key_size, label,
+							  retkey));
	}
	ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
@@ -731,7 +722,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
		BN_set_bit(e, 32);
	}
-	ret = opensslrsa_generate_pkey(key->key_size, key->object, e, callback,
+	ret = opensslrsa_generate_pkey(key->key_size, key->label, e, callback,
				       &pkey);
	if (ret != ISC_R_SUCCESS) {
		goto err;
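Review bot: `opensslrsa_generate_pkey_with_uri` is handed neither `e` nor `callback`, so in the `label != NULL` branch of opensslrsa_generate_pkey the public exponent the caller just prepared (the `BN_set_bit(e, 32)` visible in the last hunk's context) is silently ignored and the provider's default exponent is used, with no progress reporting. This predates the commit, but the rename is the moment to either forward the exponent — e.g. as an `OSSL_PKEY_PARAM_RSA_E` keygen param, if the pkcs11 provider honours it, which cannot be verified here — or make the behaviour explicit with a comment above the branch such as `/* Provider-side keygen: e and callback are not forwarded; the token picks the exponent. */`.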