int
cmd_list (int argc, char *argv[])
{
size_t i;
char *repository = NULL;
size_t key_count = 0;
size_t key_count_valid = 0;
hsm_key_t **keys;
hsm_ctx_t *ctx = NULL;
const char *key_info_format = "%-20s %-32s %-10s\n";
if (argc) {
repository = strdup(argv[0]);
argc--;
argv++;
/* Check for repository before starting using it */
if (hsm_token_attached(ctx, repository) == 0) {
hsm_print_error(ctx);
return 1;
}
fprintf(stdout, "\nListing keys in repository: %s\n", repository);
keys = hsm_list_keys_repository(NULL, &key_count, repository);
} else {
fprintf(stdout, "\nListing keys in all repositories.\n");
keys = hsm_list_keys(NULL, &key_count);
}
fprintf(stdout, "%u %s found.\n\n", (unsigned int) key_count,
(key_count > 1 || key_count == 0 ? "keys" : "key"));
if (!keys) {
return -1;
}
/* print fancy header */
fprintf(stdout, key_info_format, "Repository", "ID", "Type");
fprintf(stdout, key_info_format, "----------", "--", "----");
for (i = 0; i < key_count; i++) {
hsm_key_info_t *key_info;
hsm_key_t *key = NULL;
char key_type[HSM_MAX_ALGONAME + 8];
char *key_id = NULL;
key = keys[i];
if (key == NULL) {
/* Skip NULL key for now */
continue;
}
key_count_valid++;
key_info = hsm_get_key_info(NULL, key);
if (key_info) {
snprintf(key_type, sizeof(key_type), "%s/%lu",
key_info->algorithm_name, key_info->keysize);
key_id = key_info->id;
} else {
snprintf(key_type, sizeof(key_type), "UNKNOWN");
key_id = "UNKNOWN";
}
printf(key_info_format, key->module->name, key_id, key_type);
hsm_key_info_free(key_info);
}
hsm_key_list_free(keys, key_count);
if (key_count != key_count_valid) {
size_t invalid_keys;
invalid_keys = key_count - key_count_valid;
printf("\n");
fprintf(stderr, "Warning: %u %s not usable by OpenDNSSEC was found.\n",
(unsigned int) invalid_keys, invalid_keys > 1 ? "keys" : "key");
}
return 0;
}
int
cmd_generate (int argc, char *argv[])
{
char *repository = NULL;
char *algorithm = NULL;
unsigned int keysize = 1024;
hsm_key_t *key = NULL;
hsm_ctx_t *ctx = NULL;
if (argc < 2 || argc > 3) {
usage();
return -1;
}
repository = strdup(argv[0]);
/* Check for repository before starting using it */
if (hsm_token_attached(ctx, repository) == 0) {
hsm_print_error(ctx);
return 1;
}
algorithm = strdup(argv[1]);
if (argc == 3) {
keysize = atoi(argv[2]);
}
if (!strcasecmp(algorithm, "rsa")) {
printf("Generating %d bit RSA key in repository: %s\n",
keysize, repository);
key = hsm_generate_rsa_key(NULL, repository, keysize);
} else if (!strcasecmp(algorithm, "dsa")) {
printf("Generating %d bit DSA key in repository: %s\n",
keysize, repository);
key = hsm_generate_dsa_key(NULL, repository, keysize);
} else if (!strcasecmp(algorithm, "gost")) {
printf("Generating 512 bit GOST key in repository: %s\n",
repository);
key = hsm_generate_gost_key(NULL, repository);
} else if (!strcasecmp(algorithm, "ecdsa")) {
if (keysize == 256) {
printf("Generating a P-256 ECDSA key in repository: %s\n",
repository);
key = hsm_generate_ecdsa_key(NULL, repository, "P-256");
} else if (keysize == 384) {
printf("Generating a P-384 ECDSA key in repository: %s\n",
repository);
key = hsm_generate_ecdsa_key(NULL, repository, "P-384");
} else {
printf("Invalid ECDSA key size: %d\n", keysize);
printf("Expecting 256 or 384.\n");
return -1;
}
} else {
printf("Unknown algorithm: %s\n", algorithm);
return -1;
}
if (key) {
hsm_key_info_t *key_info;
key_info = hsm_get_key_info(NULL, key);
printf("Key generation successful: %s\n",
key_info ? key_info->id : "NULL");
hsm_key_info_free(key_info);
if (verbose) hsm_print_key(key);
hsm_key_free(key);
} else {
printf("Key generation failed.\n");
return -1;
}
return 0;
}
int
cmd_purge (int argc, char *argv[])
{
int result;
int final_result = 0;
char *fresult;
size_t i;
char *repository = NULL;
char confirm[16];
size_t key_count = 0;
hsm_key_t **keys;
hsm_ctx_t *ctx = NULL;
if (argc != 1) {
usage();
return -1;
}
repository = strdup(argv[0]);
argc--;
argv++;
/* Check for repository before starting using it */
if (hsm_token_attached(ctx, repository) == 0) {
hsm_print_error(ctx);
return 1;
}
printf("Purging all keys from repository: %s\n", repository);
keys = hsm_list_keys_repository(NULL, &key_count, repository);
printf("%u %s found.\n\n", (unsigned int) key_count,
(key_count > 1 || key_count == 0 ? "keys" : "key"));
if (!keys) {
return -1;
}
if (key_count == 0) {
return -1;
}
printf("Are you sure you want to remove ALL keys from repository %s ? (YES/NO) ", repository);
fresult = fgets(confirm, sizeof(confirm) - 1, stdin);
if (fresult == NULL || strncasecmp(confirm, "yes", 3) != 0) {
printf("\nPurge cancelled.\n");
hsm_key_list_free(keys, key_count);
return -1;
} else {
printf("\nStarting purge...\n");
}
for (i = 0; i < key_count; i++) {
hsm_key_info_t *key_info;
hsm_key_t *key = keys[i];
key_info = hsm_get_key_info(NULL, key);
result = hsm_remove_key(NULL, key);
if (!result) {
printf("Key remove successful: %s\n",
key_info ? key_info->id : "NULL");
} else {
printf("Key remove failed: %s\n",
key_info ? key_info->id : "NULL");
final_result++;
}
hsm_key_info_free(key_info);
}
hsm_key_list_free(keys, key_count);
printf("Purge done.\n");
return final_result;
}
int
hsm_test (const char *repository)
{
int result;
const unsigned int rsa_keysizes[] = { 512, 768, 1024, 1536, 2048, 4096 };
const unsigned int dsa_keysizes[] = { 512, 768, 1024 };
unsigned int keysize;
hsm_ctx_t *ctx = NULL;
hsm_key_t *key = NULL;
char *id;
int errors = 0;
unsigned int i = 0;
/* Check for repository before starting any tests */
if (hsm_token_attached(ctx, repository) == 0) {
hsm_print_error(ctx);
return 1;
}
/*
* Test key generation, signing and deletion for a number of key size
*/
for (i=0; i<(sizeof(rsa_keysizes)/sizeof(unsigned int)); i++) {
keysize = rsa_keysizes[i];
printf("Generating %d-bit RSA key... ", keysize);
key = hsm_generate_rsa_key(ctx, repository, keysize);
if (!key) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
continue;
} else {
printf("OK\n");
}
printf("Extracting key identifier... ");
id = hsm_get_key_id(ctx, key);
if (!id) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
} else {
printf("OK, %s\n", id);
}
free(id);
printf("Signing (RSA/SHA1) with key... ");
result = hsm_test_sign(ctx, key, LDNS_RSASHA1);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
printf("Signing (RSA/SHA256) with key... ");
result = hsm_test_sign(ctx, key, LDNS_RSASHA256);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
if ( keysize >= 1024) {
printf("Signing (RSA/SHA512) with key... ");
result = hsm_test_sign(ctx, key, LDNS_RSASHA512);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
}
printf("Deleting key... ");
result = hsm_remove_key(ctx, key);
if (result) {
errors++;
printf("Failed: error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
free(key);
printf("\n");
}
/*
* Test key generation, signing and deletion for a number of key size
*/
for (i=0; i<(sizeof(dsa_keysizes)/sizeof(unsigned int)); i++) {
keysize = dsa_keysizes[i];
printf("Generating %d-bit DSA key... ", keysize);
key = hsm_generate_dsa_key(ctx, repository, keysize);
if (!key) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
continue;
} else {
printf("OK\n");
}
printf("Extracting key identifier... ");
id = hsm_get_key_id(ctx, key);
if (!id) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
} else {
printf("OK, %s\n", id);
}
free(id);
printf("Signing (DSA/SHA1) with key... ");
result = hsm_test_sign(ctx, key, LDNS_DSA);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
printf("Deleting key... ");
result = hsm_remove_key(ctx, key);
if (result) {
errors++;
printf("Failed: error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
free(key);
printf("\n");
}
/*
* Test key generation, signing and deletion for a number of key size
*/
for (i=0; i<1; i++) {
printf("Generating 512-bit GOST key... ");
key = hsm_generate_gost_key(ctx, repository);
if (!key) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
continue;
} else {
printf("OK\n");
}
printf("Extracting key identifier... ");
id = hsm_get_key_id(ctx, key);
if (!id) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
} else {
printf("OK, %s\n", id);
}
free(id);
printf("Signing (GOST) with key... ");
result = hsm_test_sign(ctx, key, LDNS_ECC_GOST);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
printf("Deleting key... ");
result = hsm_remove_key(ctx, key);
if (result) {
errors++;
printf("Failed: error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
free(key);
printf("\n");
}
if (hsm_test_random()) {
errors++;
}
return errors;
}
