mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-09 11:32:05 -04:00
Remove last bits of PKCS#11 DH support that has been already removed
This commit is contained in:
Ondřej Surý
parent
cc8c79bb69
commit
8efd394c80
2 changed files with 8 additions and 162 deletions
|
|
@ -43,7 +43,7 @@
|
|||
* Create a key in the keystore of an HSM
|
||||
*
|
||||
* The calculation of key tag is left to the script
|
||||
* that converts the key into a DNSKEY RR and inserts
|
||||
* that converts the key into a DNSKEY RR and inserts
|
||||
* it into a zone file.
|
||||
*
|
||||
* usage:
|
||||
|
|
@ -71,7 +71,6 @@
|
|||
|
||||
#include <pk11/pk11.h>
|
||||
#include <pk11/result.h>
|
||||
#define WANT_DH_PRIMES
|
||||
#include <pk11/constants.h>
|
||||
#include <pkcs11/eddsa.h>
|
||||
|
||||
|
|
@ -79,12 +78,11 @@
|
|||
static CK_BBOOL truevalue = TRUE;
|
||||
static CK_BBOOL falsevalue = FALSE;
|
||||
|
||||
/* Key class: RSA, ECC, ECX, DSA, DH, or unknown */
|
||||
/* Key class: RSA, ECC, ECX, DSA, or unknown */
|
||||
typedef enum {
|
||||
key_unknown,
|
||||
key_rsa,
|
||||
key_dsa,
|
||||
key_dh,
|
||||
key_ecc,
|
||||
key_ecx
|
||||
} key_class_t;
|
||||
|
|
@ -191,39 +189,6 @@ static CK_ATTRIBUTE dsa_domain_template[] = {
|
|||
{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
|
||||
};
|
||||
|
||||
/*
|
||||
* Public key template for DH keys
|
||||
*/
|
||||
#define DH_LABEL 0
|
||||
#define DH_VERIFY 1
|
||||
#define DH_TOKEN 2
|
||||
#define DH_PRIVATE 3
|
||||
#define DH_PRIME 4
|
||||
#define DH_BASE 5
|
||||
#define DH_ID 6
|
||||
#define DH_ATTRS 7
|
||||
static CK_ATTRIBUTE dh_template[] = {
|
||||
{CKA_LABEL, NULL_PTR, 0},
|
||||
{CKA_VERIFY, &truevalue, sizeof(truevalue)},
|
||||
{CKA_TOKEN, &truevalue, sizeof(truevalue)},
|
||||
{CKA_PRIVATE, &falsevalue, sizeof(falsevalue)},
|
||||
{CKA_PRIME, NULL_PTR, 0},
|
||||
{CKA_BASE, NULL_PTR, 0},
|
||||
{CKA_ID, NULL_PTR, 0}
|
||||
};
|
||||
#define DH_PARAM_PRIME 0
|
||||
#define DH_PARAM_BASE 1
|
||||
#define DH_PARAM_ATTRS 2
|
||||
static CK_ATTRIBUTE dh_param_template[] = {
|
||||
{CKA_PRIME, NULL_PTR, 0},
|
||||
{CKA_BASE, NULL_PTR, 0},
|
||||
};
|
||||
#define DH_DOMAIN_PRIMEBITS 0
|
||||
#define DH_DOMAIN_ATTRS 1
|
||||
static CK_ATTRIBUTE dh_domain_template[] = {
|
||||
{CKA_PRIME_BITS, NULL_PTR, 0},
|
||||
};
|
||||
|
||||
/*
|
||||
* Convert from text to key class. Accepts the names of DNSSEC
|
||||
* signing algorithms, so e.g., ECDSAP256SHA256 maps to ECC and
|
||||
|
|
@ -240,8 +205,6 @@ keyclass_fromtext(const char *name) {
|
|||
else if (strncasecmp(name, "dsa", 3) == 0 ||
|
||||
strncasecmp(name, "nsec3dsa", 8) == 0)
|
||||
return (key_dsa);
|
||||
else if (strcasecmp(name, "dh") == 0)
|
||||
return (key_dh);
|
||||
else if (strncasecmp(name, "ecc", 3) == 0 ||
|
||||
strncasecmp(name, "ecdsa", 5) == 0)
|
||||
return (key_ecc);
|
||||
|
|
@ -331,9 +294,6 @@ main(int argc, char *argv[]) {
|
|||
case 'q':
|
||||
quiet = 1;
|
||||
break;
|
||||
case 'S':
|
||||
special = 1;
|
||||
break;
|
||||
case ':':
|
||||
fprintf(stderr,
|
||||
"Option -%c requires an operand\n",
|
||||
|
|
@ -360,12 +320,6 @@ main(int argc, char *argv[]) {
|
|||
exit(2);
|
||||
}
|
||||
|
||||
if (special != 0 && keyclass != key_dh) {
|
||||
fprintf(stderr, "The -S option is only compatible "
|
||||
"with Diffie-Hellman key generation\n");
|
||||
exit(2);
|
||||
}
|
||||
|
||||
switch (keyclass) {
|
||||
case key_rsa:
|
||||
op_type = OP_RSA;
|
||||
|
|
@ -485,46 +439,10 @@ main(int argc, char *argv[]) {
|
|||
domain_template[DSA_DOMAIN_PRIMEBITS].pValue = &bits;
|
||||
domain_template[DSA_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
|
||||
break;
|
||||
case key_dh:
|
||||
op_type = OP_DH;
|
||||
if (special && bits == 0)
|
||||
bits = 1024;
|
||||
else if (special &&
|
||||
bits != 768 && bits != 1024 && bits != 1536)
|
||||
{
|
||||
fprintf(stderr, "When using the special prime (-S) "
|
||||
"option, only key sizes of\n"
|
||||
"768, 1024 or 1536 are supported.\n");
|
||||
exit(2);
|
||||
} else if (bits == 0)
|
||||
usage();
|
||||
|
||||
dpmech.mechanism = CKM_DH_PKCS_PARAMETER_GEN;
|
||||
dpmech.pParameter = NULL;
|
||||
dpmech.ulParameterLen = 0;
|
||||
mech.mechanism = CKM_DH_PKCS_KEY_PAIR_GEN;
|
||||
mech.pParameter = NULL;
|
||||
mech.ulParameterLen = 0;
|
||||
|
||||
/* Override CKA_SIGN attribute */
|
||||
private_template[PRIVATE_DERIVE].type = CKA_DERIVE;
|
||||
|
||||
public_template = dh_template;
|
||||
public_attrcnt = DH_ATTRS;
|
||||
id_offset = DH_ID;
|
||||
|
||||
domain_template = dh_domain_template;
|
||||
domain_attrcnt = DH_DOMAIN_ATTRS;
|
||||
param_template = dh_param_template;
|
||||
param_attrcnt = DH_PARAM_ATTRS;
|
||||
|
||||
domain_template[DH_DOMAIN_PRIMEBITS].pValue = &bits;
|
||||
domain_template[DH_DOMAIN_PRIMEBITS].ulValueLen = sizeof(bits);
|
||||
break;
|
||||
case key_unknown:
|
||||
usage();
|
||||
}
|
||||
|
||||
|
||||
search_template[0].pValue = label;
|
||||
search_template[0].ulValueLen = strlen((char *)label);
|
||||
public_template[0].pValue = label;
|
||||
|
|
@ -582,7 +500,7 @@ main(int argc, char *argv[]) {
|
|||
hSession = pctx.session;
|
||||
|
||||
/* check if a key with the same id already exists */
|
||||
rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
|
||||
rv = pkcs_C_FindObjectsInit(hSession, search_template, 1);
|
||||
if (rv != CKR_OK) {
|
||||
fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
|
||||
error = 1;
|
||||
|
|
@ -609,29 +527,6 @@ main(int argc, char *argv[]) {
|
|||
if (keyclass == key_rsa || keyclass == key_ecc || keyclass == key_ecx)
|
||||
goto generate_keys;
|
||||
|
||||
/*
|
||||
* Special setup for Diffie-Hellman keys
|
||||
*/
|
||||
if (special != 0) {
|
||||
public_template[DH_BASE].pValue = pk11_dh_bn2;
|
||||
public_template[DH_BASE].ulValueLen = sizeof(pk11_dh_bn2);
|
||||
if (bits == 768) {
|
||||
public_template[DH_PRIME].pValue = pk11_dh_bn768;
|
||||
public_template[DH_PRIME].ulValueLen =
|
||||
sizeof(pk11_dh_bn768);
|
||||
} else if (bits == 1024) {
|
||||
public_template[DH_PRIME].pValue = pk11_dh_bn1024;
|
||||
public_template[DH_PRIME].ulValueLen =
|
||||
sizeof(pk11_dh_bn1024);
|
||||
} else {
|
||||
public_template[DH_PRIME].pValue = pk11_dh_bn1536;
|
||||
public_template[DH_PRIME].ulValueLen =
|
||||
sizeof(pk11_dh_bn1536);
|
||||
}
|
||||
param_attrcnt = 0;
|
||||
goto generate_keys;
|
||||
}
|
||||
|
||||
/* Generate Domain parameters */
|
||||
rv = pkcs_C_GenerateKey(hSession, &dpmech, domain_template,
|
||||
domain_attrcnt, &domainparams);
|
||||
|
|
@ -693,15 +588,6 @@ main(int argc, char *argv[]) {
|
|||
public_template[DSA_BASE].ulValueLen =
|
||||
param_template[DSA_PARAM_BASE].ulValueLen;
|
||||
break;
|
||||
case key_dh:
|
||||
public_template[DH_PRIME].pValue =
|
||||
param_template[DH_PARAM_PRIME].pValue;
|
||||
public_template[DH_PRIME].ulValueLen =
|
||||
param_template[DH_PARAM_PRIME].ulValueLen;
|
||||
public_template[DH_BASE].pValue =
|
||||
param_template[DH_PARAM_BASE].pValue;
|
||||
public_template[DH_BASE].ulValueLen =
|
||||
param_template[DH_PARAM_BASE].ulValueLen;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
|
@ -712,16 +598,16 @@ main(int argc, char *argv[]) {
|
|||
public_template, public_attrcnt,
|
||||
private_template, private_attrcnt,
|
||||
&publickey, &privatekey);
|
||||
|
||||
|
||||
if (rv != CKR_OK) {
|
||||
fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
|
||||
error = 1;
|
||||
} else if (!quiet)
|
||||
printf("Key pair generation complete.\n");
|
||||
|
||||
|
||||
exit_params:
|
||||
/* Free parameter attributes */
|
||||
if (keyclass == key_dsa || keyclass == key_dh) {
|
||||
if (keyclass == key_dsa) {
|
||||
for (i = 0; i < param_attrcnt; i++) {
|
||||
if (param_template[i].pValue != NULL) {
|
||||
free(param_template[i].pValue);
|
||||
|
|
@ -731,7 +617,7 @@ main(int argc, char *argv[]) {
|
|||
|
||||
exit_domain:
|
||||
/* Destroy domain parameters */
|
||||
if (keyclass == key_dsa || (keyclass == key_dh && !special)) {
|
||||
if (keyclass == key_dsa) {
|
||||
rv = pkcs_C_DestroyObject(hSession, domainparams);
|
||||
if (rv != CKR_OK) {
|
||||
fprintf(stderr,
|
||||
|
|
|
|||
|
|
@ -559,35 +559,6 @@ scan_slots(void) {
|
|||
}
|
||||
}
|
||||
|
||||
/* Check for DH support */
|
||||
bad = false;
|
||||
rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_PARAMETER_GEN,
|
||||
&mechInfo);
|
||||
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_GENERATE) == 0)) {
|
||||
PK11_TRACEM(CKM_DH_PKCS_PARAMETER_GEN);
|
||||
}
|
||||
rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_KEY_PAIR_GEN,
|
||||
&mechInfo);
|
||||
if ((rv != CKR_OK) ||
|
||||
((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
|
||||
#ifndef PK11_DH_PKCS_PARAMETER_GEN_SKIP
|
||||
bad = true;
|
||||
#endif
|
||||
PK11_TRACEM(CKM_DH_PKCS_KEY_PAIR_GEN);
|
||||
}
|
||||
rv = pkcs_C_GetMechanismInfo(slot, CKM_DH_PKCS_DERIVE,
|
||||
&mechInfo);
|
||||
if ((rv != CKR_OK) || ((mechInfo.flags & CKF_DERIVE) == 0)) {
|
||||
bad = true;
|
||||
PK11_TRACEM(CKM_DH_PKCS_DERIVE);
|
||||
}
|
||||
if (!bad) {
|
||||
token->operations |= 1 << OP_DH;
|
||||
if (best_dh_token == NULL) {
|
||||
best_dh_token = token;
|
||||
}
|
||||
}
|
||||
|
||||
/* Check for ECDSA support */
|
||||
bad = false;
|
||||
rv = pkcs_C_GetMechanismInfo(slot, CKM_EC_KEY_PAIR_GEN,
|
||||
|
|
@ -651,9 +622,6 @@ pk11_get_best_token(pk11_optype_t optype) {
|
|||
case OP_RSA:
|
||||
token = best_rsa_token;
|
||||
break;
|
||||
case OP_DH:
|
||||
token = best_dh_token;
|
||||
break;
|
||||
case OP_ECDSA:
|
||||
token = best_ecdsa_token;
|
||||
break;
|
||||
|
|
@ -999,8 +967,6 @@ pk11_parse_uri(pk11_object_t *obj, const char *label,
|
|||
if (token == NULL) {
|
||||
if (optype == OP_RSA) {
|
||||
token = best_rsa_token;
|
||||
} else if (optype == OP_DH) {
|
||||
token = best_dh_token;
|
||||
} else if (optype == OP_ECDSA) {
|
||||
token = best_ecdsa_token;
|
||||
} else if (optype == OP_EDDSA) {
|
||||
|
|
@ -1058,12 +1024,6 @@ pk11_dump_tokens(void) {
|
|||
first = false;
|
||||
printf("RSA");
|
||||
}
|
||||
if (token->operations & (1 << OP_DH)) {
|
||||
if (!first)
|
||||
printf(",");
|
||||
first = false;
|
||||
printf("DH");
|
||||
}
|
||||
if (token->operations & (1 << OP_ECDSA)) {
|
||||
if (!first)
|
||||
printf(",");
|
||||
|
|
|
|||
Loading…
Reference in a new issue