int cmd_list (int argc, char *argv[]) { size_t i; char *repository = NULL; size_t key_count = 0; size_t key_count_valid = 0; hsm_key_t **keys; hsm_ctx_t *ctx = NULL; const char *key_info_format = "%-20s %-32s %-10s\n"; if (argc) { repository = strdup(argv[0]); argc--; argv++; /* Check for repository before starting using it */ if (hsm_token_attached(ctx, repository) == 0) { hsm_print_error(ctx); return 1; } fprintf(stdout, "\nListing keys in repository: %s\n", repository); keys = hsm_list_keys_repository(NULL, &key_count, repository); } else { fprintf(stdout, "\nListing keys in all repositories.\n"); keys = hsm_list_keys(NULL, &key_count); } fprintf(stdout, "%u %s found.\n\n", (unsigned int) key_count, (key_count > 1 || key_count == 0 ? "keys" : "key")); if (!keys) { return -1; } /* print fancy header */ fprintf(stdout, key_info_format, "Repository", "ID", "Type"); fprintf(stdout, key_info_format, "----------", "--", "----"); for (i = 0; i < key_count; i++) { hsm_key_info_t *key_info; hsm_key_t *key = NULL; char key_type[HSM_MAX_ALGONAME + 8]; char *key_id = NULL; key = keys[i]; if (key == NULL) { /* Skip NULL key for now */ continue; } key_count_valid++; key_info = hsm_get_key_info(NULL, key); if (key_info) { snprintf(key_type, sizeof(key_type), "%s/%lu", key_info->algorithm_name, key_info->keysize); key_id = key_info->id; } else { snprintf(key_type, sizeof(key_type), "UNKNOWN"); key_id = "UNKNOWN"; } printf(key_info_format, key->module->name, key_id, key_type); hsm_key_info_free(key_info); } hsm_key_list_free(keys, key_count); if (key_count != key_count_valid) { size_t invalid_keys; invalid_keys = key_count - key_count_valid; printf("\n"); fprintf(stderr, "Warning: %u %s not usable by OpenDNSSEC was found.\n", (unsigned int) invalid_keys, invalid_keys > 1 ? "keys" : "key"); } return 0; }
int cmd_generate (int argc, char *argv[]) { char *repository = NULL; char *algorithm = NULL; unsigned int keysize = 1024; hsm_key_t *key = NULL; hsm_ctx_t *ctx = NULL; if (argc < 2 || argc > 3) { usage(); return -1; } repository = strdup(argv[0]); /* Check for repository before starting using it */ if (hsm_token_attached(ctx, repository) == 0) { hsm_print_error(ctx); return 1; } algorithm = strdup(argv[1]); if (argc == 3) { keysize = atoi(argv[2]); } if (!strcasecmp(algorithm, "rsa")) { printf("Generating %d bit RSA key in repository: %s\n", keysize, repository); key = hsm_generate_rsa_key(NULL, repository, keysize); } else if (!strcasecmp(algorithm, "dsa")) { printf("Generating %d bit DSA key in repository: %s\n", keysize, repository); key = hsm_generate_dsa_key(NULL, repository, keysize); } else if (!strcasecmp(algorithm, "gost")) { printf("Generating 512 bit GOST key in repository: %s\n", repository); key = hsm_generate_gost_key(NULL, repository); } else if (!strcasecmp(algorithm, "ecdsa")) { if (keysize == 256) { printf("Generating a P-256 ECDSA key in repository: %s\n", repository); key = hsm_generate_ecdsa_key(NULL, repository, "P-256"); } else if (keysize == 384) { printf("Generating a P-384 ECDSA key in repository: %s\n", repository); key = hsm_generate_ecdsa_key(NULL, repository, "P-384"); } else { printf("Invalid ECDSA key size: %d\n", keysize); printf("Expecting 256 or 384.\n"); return -1; } } else { printf("Unknown algorithm: %s\n", algorithm); return -1; } if (key) { hsm_key_info_t *key_info; key_info = hsm_get_key_info(NULL, key); printf("Key generation successful: %s\n", key_info ? key_info->id : "NULL"); hsm_key_info_free(key_info); if (verbose) hsm_print_key(key); hsm_key_free(key); } else { printf("Key generation failed.\n"); return -1; } return 0; }
int cmd_purge (int argc, char *argv[]) { int result; int final_result = 0; char *fresult; size_t i; char *repository = NULL; char confirm[16]; size_t key_count = 0; hsm_key_t **keys; hsm_ctx_t *ctx = NULL; if (argc != 1) { usage(); return -1; } repository = strdup(argv[0]); argc--; argv++; /* Check for repository before starting using it */ if (hsm_token_attached(ctx, repository) == 0) { hsm_print_error(ctx); return 1; } printf("Purging all keys from repository: %s\n", repository); keys = hsm_list_keys_repository(NULL, &key_count, repository); printf("%u %s found.\n\n", (unsigned int) key_count, (key_count > 1 || key_count == 0 ? "keys" : "key")); if (!keys) { return -1; } if (key_count == 0) { return -1; } printf("Are you sure you want to remove ALL keys from repository %s ? (YES/NO) ", repository); fresult = fgets(confirm, sizeof(confirm) - 1, stdin); if (fresult == NULL || strncasecmp(confirm, "yes", 3) != 0) { printf("\nPurge cancelled.\n"); hsm_key_list_free(keys, key_count); return -1; } else { printf("\nStarting purge...\n"); } for (i = 0; i < key_count; i++) { hsm_key_info_t *key_info; hsm_key_t *key = keys[i]; key_info = hsm_get_key_info(NULL, key); result = hsm_remove_key(NULL, key); if (!result) { printf("Key remove successful: %s\n", key_info ? key_info->id : "NULL"); } else { printf("Key remove failed: %s\n", key_info ? key_info->id : "NULL"); final_result++; } hsm_key_info_free(key_info); } hsm_key_list_free(keys, key_count); printf("Purge done.\n"); return final_result; }
int hsm_test (const char *repository) { int result; const unsigned int rsa_keysizes[] = { 512, 768, 1024, 1536, 2048, 4096 }; const unsigned int dsa_keysizes[] = { 512, 768, 1024 }; unsigned int keysize; hsm_ctx_t *ctx = NULL; hsm_key_t *key = NULL; char *id; int errors = 0; unsigned int i = 0; /* Check for repository before starting any tests */ if (hsm_token_attached(ctx, repository) == 0) { hsm_print_error(ctx); return 1; } /* * Test key generation, signing and deletion for a number of key size */ for (i=0; i<(sizeof(rsa_keysizes)/sizeof(unsigned int)); i++) { keysize = rsa_keysizes[i]; printf("Generating %d-bit RSA key... ", keysize); key = hsm_generate_rsa_key(ctx, repository, keysize); if (!key) { errors++; printf("Failed\n"); hsm_print_error(ctx); printf("\n"); continue; } else { printf("OK\n"); } printf("Extracting key identifier... "); id = hsm_get_key_id(ctx, key); if (!id) { errors++; printf("Failed\n"); hsm_print_error(ctx); printf("\n"); } else { printf("OK, %s\n", id); } free(id); printf("Signing (RSA/SHA1) with key... "); result = hsm_test_sign(ctx, key, LDNS_RSASHA1); if (result) { errors++; printf("Failed, error: %d\n", result); hsm_print_error(ctx); } else { printf("OK\n"); } printf("Signing (RSA/SHA256) with key... "); result = hsm_test_sign(ctx, key, LDNS_RSASHA256); if (result) { errors++; printf("Failed, error: %d\n", result); hsm_print_error(ctx); } else { printf("OK\n"); } if ( keysize >= 1024) { printf("Signing (RSA/SHA512) with key... "); result = hsm_test_sign(ctx, key, LDNS_RSASHA512); if (result) { errors++; printf("Failed, error: %d\n", result); hsm_print_error(ctx); } else { printf("OK\n"); } } printf("Deleting key... "); result = hsm_remove_key(ctx, key); if (result) { errors++; printf("Failed: error: %d\n", result); hsm_print_error(ctx); } else { printf("OK\n"); } free(key); printf("\n"); } /* * Test key generation, signing and deletion for a number of key size */ for (i=0; i<(sizeof(dsa_keysizes)/sizeof(unsigned int)); i++) { keysize = dsa_keysizes[i]; printf("Generating %d-bit DSA key... ", keysize); key = hsm_generate_dsa_key(ctx, repository, keysize); if (!key) { errors++; printf("Failed\n"); hsm_print_error(ctx); printf("\n"); continue; } else { printf("OK\n"); } printf("Extracting key identifier... "); id = hsm_get_key_id(ctx, key); if (!id) { errors++; printf("Failed\n"); hsm_print_error(ctx); printf("\n"); } else { printf("OK, %s\n", id); } free(id); printf("Signing (DSA/SHA1) with key... "); result = hsm_test_sign(ctx, key, LDNS_DSA); if (result) { errors++; printf("Failed, error: %d\n", result); hsm_print_error(ctx); } else { printf("OK\n"); } printf("Deleting key... "); result = hsm_remove_key(ctx, key); if (result) { errors++; printf("Failed: error: %d\n", result); hsm_print_error(ctx); } else { printf("OK\n"); } free(key); printf("\n"); } /* * Test key generation, signing and deletion for a number of key size */ for (i=0; i<1; i++) { printf("Generating 512-bit GOST key... "); key = hsm_generate_gost_key(ctx, repository); if (!key) { errors++; printf("Failed\n"); hsm_print_error(ctx); printf("\n"); continue; } else { printf("OK\n"); } printf("Extracting key identifier... "); id = hsm_get_key_id(ctx, key); if (!id) { errors++; printf("Failed\n"); hsm_print_error(ctx); printf("\n"); } else { printf("OK, %s\n", id); } free(id); printf("Signing (GOST) with key... "); result = hsm_test_sign(ctx, key, LDNS_ECC_GOST); if (result) { errors++; printf("Failed, error: %d\n", result); hsm_print_error(ctx); } else { printf("OK\n"); } printf("Deleting key... "); result = hsm_remove_key(ctx, key); if (result) { errors++; printf("Failed: error: %d\n", result); hsm_print_error(ctx); } else { printf("OK\n"); } free(key); printf("\n"); } if (hsm_test_random()) { errors++; } return errors; }