[dnssec] abstract key algorithm checking

c145b13e · Jan Včelák · 02d4cfad · c145b13e · c145b13e · c145b13e
Commit c145b13e authored 11 years ago by Jan Včelák
--- a/dnssec/lib/key/key.c
+++ b/dnssec/lib/key/key.c
@@ -13,6 +13,7 @@
 #include "key/keyid.h"
 #include "key/keytag.h"
 #include "key/privkey.h"
+#include "keystore/pem.h"
 #include "shared.h"
 #include "wire.h"

@@ -427,7 +428,7 @@ int dnssec_key_load_pkcs8(dnssec_key_t *key, const dnssec_binary_t *pem)

 	gnutls_privkey_t new_privkey = NULL;
 	dnssec_key_id_t new_key_id = { 0 };
-	int result = privkey_from_pem(pem, &new_privkey, new_key_id);
+	int result = pem_to_privkey(pem, &new_privkey, new_key_id);
 	if (result != DNSSEC_EOK) {
 		return result;
 	}

--- a/dnssec/lib/keystore/internal.h
+++ b/dnssec/lib/keystore/internal.h
 #pragma once

+#include <gnutls/gnutls.h>
+#include <gnutls/abstract.h>
+
+#include "key.h"
 #include "keystore.h"

 typedef struct keystore_functions {
@@ -11,9 +15,9 @@ typedef struct keystore_functions {
 	int (*close)(void *ctx);
 	// keystore access
 	int (*list_keys)(void *ctx, void *list);
-	int (*generate_key)(void *ctx, dnssec_key_algorithm_t algorithm,
+	int (*generate_key)(void *ctx, gnutls_pk_algorithm_t algorithm,
 			    unsigned bits, dnssec_key_id_t id);
-	int (*delete_key)(void *ctxx, const dnssec_key_id_t id);
+	int (*delete_key)(void *ctx, const dnssec_key_id_t id);
 } keystore_functions_t;

 struct dnssec_keystore {
@@ -24,8 +28,3 @@ struct dnssec_keystore {
 int keystore_create(dnssec_keystore_t **store_ptr,
 		    const keystore_functions_t *functions,
 		    void *ctx_custom_data, const char *open_config);
-
-//extern const keystore_functions_t PKCS8_FUNCTIONS;
-//extern const keystore_functions_t PKCS11_FUNCTIONS;
-//
-//extern const dnssec_keystore_pkcs8_functions_t PKCS8_DIR_FUNCTIONS;
--- a/dnssec/lib/keystore/keystore.c
+++ b/dnssec/lib/keystore/keystore.c
@@ -2,6 +2,7 @@
 #include <stdlib.h>

 #include "error.h"
+#include "key/algorithm.h"
 #include "keystore.h"
 #include "keystore/internal.h"
 #include "shared.h"
@@ -67,13 +68,24 @@ int dnssec_keystore_list_keys(dnssec_keystore_t *store, void *list)

 _public_
 int dnssec_keystore_generate_key(dnssec_keystore_t *store,
-				 dnssec_key_algorithm_t algorithm,
+				 dnssec_key_algorithm_t _algorithm,
 				 unsigned bits, dnssec_key_id_t key_id)
 {
-	if (!store || !algorithm || !key_id) {
+	if (!store || !_algorithm || !key_id) {
 		return DNSSEC_EINVAL;
 	}

+	// prepare parameters
+
+	gnutls_pk_algorithm_t algorithm = algorithm_to_gnutls(_algorithm);
+	if (algorithm == GNUTLS_PK_UNKNOWN) {
+		return DNSSEC_INVALID_KEY_ALGORITHM;
+	}
+
+	if (!dnssec_algorithm_key_size_check(_algorithm, bits)) {
+		return DNSSEC_INVALID_KEY_SIZE;
+	}
+
 	return store->functions->generate_key(store->ctx, algorithm, bits, key_id);
 }


--- a/dnssec/lib/keystore/pkcs11.c
+++ b/dnssec/lib/keystore/pkcs11.c
+#include <gnutls/gnutls.h>
+
 #include "error.h"
 #include "keystore.h"
 #include "keystore/internal.h"
@@ -37,7 +39,7 @@ static int pkcs11_list_keys(void *ctx, void *list)
 	return DNSSEC_NOT_IMPLEMENTED_ERROR;
 }

-static int pkcs11_generate_key(void *_ctx, dnssec_key_algorithm_t algorithm,
+static int pkcs11_generate_key(void *_ctx, gnutls_pk_algorithm_t algorithm,
 			       unsigned bits, dnssec_key_id_t id)
 {
 	return DNSSEC_NOT_IMPLEMENTED_ERROR;

--- a/dnssec/lib/keystore/pkcs8.c
+++ b/dnssec/lib/keystore/pkcs8.c
 #include <assert.h>

 #include "error.h"
-#include "key.h"
 #include "key/algorithm.h"
 #include "key/keyid.h"
 #include "keystore.h"
 #include "keystore/internal.h"
+#include "keystore/pem.h"
 #include "shared.h"

 /*!
@@ -58,52 +58,25 @@ static int pkcs8_list_keys(void *_ctx, void *list)
 	return DNSSEC_NOT_IMPLEMENTED_ERROR;
 }

-static int pkcs8_generate_key(void *_ctx, dnssec_key_algorithm_t _algorithm,
-			      unsigned bits, dnssec_key_id_t new_id)
+static int pkcs8_generate_key(void *_ctx, gnutls_pk_algorithm_t algorithm,
+			      unsigned bits, dnssec_key_id_t id)
 {
 	assert(_ctx);
+	assert(id);

 	pkcs8_ctx_t *ctx = _ctx;

-	// check parameters
+	// generate key

-	gnutls_pk_algorithm_t algorithm = algorithm_to_gnutls(_algorithm);
-	if (algorithm == GNUTLS_PK_UNKNOWN) {
-		return DNSSEC_INVALID_KEY_ALGORITHM;
-	}
-
-	if (!dnssec_algorithm_key_size_check(_algorithm, bits)) {
-		return DNSSEC_INVALID_KEY_SIZE;
-	}
-
-	// generate the key
-
-	_cleanup_x509_privkey_ gnutls_x509_privkey_t key = NULL;
-	int r = gnutls_x509_privkey_init(&key);
-	if (r != GNUTLS_E_SUCCESS) {
-		return DNSSEC_ENOMEM;
-	}
-
-	r = gnutls_x509_privkey_generate(key, algorithm, bits, 0);
-	if (r != GNUTLS_E_SUCCESS) {
-		return DNSSEC_KEY_GENERATE_ERROR;
-	}
-
-	// export key
-
-	dnssec_key_id_t id = { 0 };
-	gnutls_x509_privkey_to_key_id(key, id);
-
-	_cleanup_datum_ gnutls_datum_t pem = { 0 };
-	r = gnutls_x509_privkey_export2_pkcs8(key, GNUTLS_X509_FMT_PEM, NULL, 0, &pem);
-	if (r != GNUTLS_E_SUCCESS) {
-		return DNSSEC_KEY_EXPORT_ERROR;
+	dnssec_key_id_t new_id = { 0 };
+	_cleanup_binary_ dnssec_binary_t data = { 0 };
+	int r = pem_generate(algorithm, bits, &data, new_id);
+	if (r != DNSSEC_EOK) {
+		return r;
 	}

 	// save key

-	dnssec_binary_t data = { 0 };
-	datum_to_binary(&pem, &data);
 	r = ctx->functions->write(ctx->data, id, &data);
 	if (r != DNSSEC_EOK) {
 		return r;
@@ -111,7 +84,7 @@ static int pkcs8_generate_key(void *_ctx, dnssec_key_algorithm_t _algorithm,

 	// finish

-	dnssec_key_id_copy(id, new_id);
+	dnssec_key_id_copy(new_id, id);

 	return DNSSEC_EOK;
 }