static int
hsm_test_random()
{
hsm_ctx_t *ctx = NULL;
int result;
unsigned char rnd_buf[1024];
uint32_t r32;
uint64_t r64;
printf("Generating %lu bytes of random data... ",
(unsigned long) sizeof(rnd_buf));
result = hsm_random_buffer(ctx, rnd_buf, sizeof(rnd_buf));
if (result) {
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
return 1;
} else {
printf("OK\n");
}
printf("Generating 32-bit random data... ");
r32 = hsm_random32(ctx);
printf("%u\n", r32);
printf("Generating 64-bit random data... ");
r64 = hsm_random64(ctx);
printf("%llu\n", (long long unsigned int)r64);
return 0;
}
int
cmd_logout ()
{
if (hsm_logout_pin() != HSM_OK) {
printf("Failed to erase the credentials.\n");
hsm_print_error(NULL);
return 1;
}
printf("The credentials has been erased.\n");
return 0;
}
int
main (int argc, char *argv[])
{
int result;
hsm_ctx_t *ctx;
hsm_key_t **keys;
hsm_key_t *key = NULL;
char *id;
size_t key_count = 0;
size_t i;
ldns_rr_list *rrset;
ldns_rr *rr, *sig, *dnskey_rr;
ldns_status status;
hsm_sign_params_t *sign_params;
int do_generate = 0;
int do_sign = 0;
int do_delete = 0;
int do_random = 0;
int res;
uint32_t r32;
uint64_t r64;
char *config = NULL;
const char *repository = "default";
int ch;
progname = argv[0];
while ((ch = getopt(argc, argv, "hgsdrc:")) != -1) {
switch (ch) {
case 'c':
config = strdup(optarg);
break;
case 'g':
do_generate = 1;
break;
case 'h':
usage();
exit(0);
break;
case 's':
do_sign = 1;
break;
case 'd':
do_delete = 1;
break;
case 'r':
do_random = 1;
break;
default:
usage();
exit(1);
}
}
if (!config) {
usage();
exit(1);
}
/*
* Open HSM library
*/
fprintf(stdout, "Starting HSM lib test\n");
result = hsm_open(config, hsm_prompt_pin);
fprintf(stdout, "hsm_open result: %d\n", result);
/*
* Create HSM context
*/
ctx = hsm_create_context();
printf("global: ");
hsm_print_ctx(NULL);
printf("my: ");
hsm_print_ctx(ctx);
/*
* Generate a new key OR find any key with an ID
*/
if (do_generate) {
key = hsm_generate_rsa_key(ctx, repository, 1024);
if (key) {
printf("\nCreated key!\n");
hsm_print_key(key);
printf("\n");
} else {
printf("Error creating key, bad token name?\n");
hsm_print_error(ctx);
exit(1);
}
} else if (do_sign || do_delete) {
keys = hsm_list_keys(ctx, &key_count);
printf("I have found %u keys\n", (unsigned int) key_count);
/* let's just use the very first key we find and throw away the rest */
for (i = 0; i < key_count && !key; i++) {
printf("\nFound key!\n");
hsm_print_key(keys[i]);
id = hsm_get_key_id(ctx, keys[i]);
if (id) {
printf("Using key ID: %s\n", id);
if (key) hsm_key_free(key);
key = hsm_find_key_by_id(ctx, id);
printf("ptr: 0x%p\n", (void *) key);
free(id);
} else {
printf("Got no key ID (broken key?), skipped...\n");
}
hsm_key_free(keys[i]);
}
free(keys);
if (!key) {
printf("Failed to find useful key\n");
exit(1);
}
}
/*
* Do some signing
*/
if (do_sign) {
printf("\nSigning with:\n");
hsm_print_key(key);
printf("\n");
rrset = ldns_rr_list_new();
status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 123.123.123.123", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 124.124.124.124", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
sign_params = hsm_sign_params_new();
sign_params->algorithm = LDNS_RSASHA1;
sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, "opendnssec.se.");
dnskey_rr = hsm_get_dnskey(ctx, key, sign_params);
sign_params->keytag = ldns_calc_keytag(dnskey_rr);
sig = hsm_sign_rrset(ctx, rrset, key, sign_params);
if (sig) {
ldns_rr_list_print(stdout, rrset);
ldns_rr_print(stdout, sig);
ldns_rr_print(stdout, dnskey_rr);
ldns_rr_free(sig);
} else {
hsm_print_error(ctx);
exit(-1);
}
/* cleanup */
ldns_rr_list_deep_free(rrset);
hsm_sign_params_free(sign_params);
ldns_rr_free(dnskey_rr);
}
/*
* Delete key
*/
if (do_delete) {
printf("\nDelete key:\n");
hsm_print_key(key);
/* res = hsm_remove_key(ctx, key); */
res = hsm_remove_key(ctx, key);
printf("Deleted key. Result: %d\n", res);
printf("\n");
}
if (key) hsm_key_free(key);
/*
* Test random{32,64} functions
*/
if (do_random) {
r32 = hsm_random32(ctx);
printf("random 32: %u\n", r32);
r64 = hsm_random64(ctx);
printf("random 64: %llu\n", (long long unsigned int)r64);
}
/*
* Destroy HSM context
*/
if (ctx) {
hsm_destroy_context(ctx);
}
/*
* Close HSM library
*/
result = hsm_close();
fprintf(stdout, "all done! hsm_close result: %d\n", result);
if (config) free(config);
return 0;
}
int
cmd_list (int argc, char *argv[])
{
size_t i;
char *repository = NULL;
size_t key_count = 0;
size_t key_count_valid = 0;
hsm_key_t **keys;
hsm_ctx_t *ctx = NULL;
const char *key_info_format = "%-20s %-32s %-10s\n";
if (argc) {
repository = strdup(argv[0]);
argc--;
argv++;
/* Check for repository before starting using it */
if (hsm_token_attached(ctx, repository) == 0) {
hsm_print_error(ctx);
return 1;
}
fprintf(stdout, "\nListing keys in repository: %s\n", repository);
keys = hsm_list_keys_repository(NULL, &key_count, repository);
} else {
fprintf(stdout, "\nListing keys in all repositories.\n");
keys = hsm_list_keys(NULL, &key_count);
}
fprintf(stdout, "%u %s found.\n\n", (unsigned int) key_count,
(key_count > 1 || key_count == 0 ? "keys" : "key"));
if (!keys) {
return -1;
}
/* print fancy header */
fprintf(stdout, key_info_format, "Repository", "ID", "Type");
fprintf(stdout, key_info_format, "----------", "--", "----");
for (i = 0; i < key_count; i++) {
hsm_key_info_t *key_info;
hsm_key_t *key = NULL;
char key_type[HSM_MAX_ALGONAME + 8];
char *key_id = NULL;
key = keys[i];
if (key == NULL) {
/* Skip NULL key for now */
continue;
}
key_count_valid++;
key_info = hsm_get_key_info(NULL, key);
if (key_info) {
snprintf(key_type, sizeof(key_type), "%s/%lu",
key_info->algorithm_name, key_info->keysize);
key_id = key_info->id;
} else {
snprintf(key_type, sizeof(key_type), "UNKNOWN");
key_id = "UNKNOWN";
}
printf(key_info_format, key->module->name, key_id, key_type);
hsm_key_info_free(key_info);
}
hsm_key_list_free(keys, key_count);
if (key_count != key_count_valid) {
size_t invalid_keys;
invalid_keys = key_count - key_count_valid;
printf("\n");
fprintf(stderr, "Warning: %u %s not usable by OpenDNSSEC was found.\n",
(unsigned int) invalid_keys, invalid_keys > 1 ? "keys" : "key");
}
return 0;
}
int
main (int argc, char *argv[])
{
int result;
char *config = NULL;
int ch;
progname = argv[0];
while ((ch = getopt(argc, argv, "c:vVh")) != -1) {
switch (ch) {
case 'c':
config = strdup(optarg);
break;
case 'v':
verbose++;
break;
case 'V':
version();
exit(0);
break;
case 'h':
usage();
exit(0);
break;
default:
usage();
exit(1);
}
}
argc -= optind;
argv += optind;
if (!argc) {
usage();
exit(1);
}
if (!strcasecmp(argv[0], "logout")) {
if (config) free(config);
exit(cmd_logout());
}
result = hsm_open(config, hsm_prompt_pin);
if (result) {
hsm_print_error(NULL);
exit(-1);
}
openlog("hsmutil", LOG_PID, LOG_USER);
if (!strcasecmp(argv[0], "login")) {
argc --;
argv ++;
result = cmd_login();
} else if (!strcasecmp(argv[0], "list")) {
argc --;
argv ++;
result = cmd_list(argc, argv);
} else if (!strcasecmp(argv[0], "generate")) {
argc --;
argv ++;
result = cmd_generate(argc, argv);
} else if (!strcasecmp(argv[0], "remove")) {
argc --;
argv ++;
result = cmd_remove(argc, argv);
} else if (!strcasecmp(argv[0], "purge")) {
argc --;
argv ++;
result = cmd_purge(argc, argv);
} else if (!strcasecmp(argv[0], "dnskey")) {
argc --;
argv ++;
result = cmd_dnskey(argc, argv);
} else if (!strcasecmp(argv[0], "test")) {
argc --;
argv ++;
result = cmd_test(argc, argv);
} else if (!strcasecmp(argv[0], "info")) {
argc --;
argv ++;
result = cmd_info();
} else if (!strcasecmp(argv[0], "debug")) {
argc --;
argv ++;
result = cmd_debug();
} else {
usage();
result = -1;
}
(void) hsm_close();
if (config) free(config);
closelog();
exit(result);
}
int
cmd_purge (int argc, char *argv[])
{
int result;
int final_result = 0;
char *fresult;
size_t i;
char *repository = NULL;
char confirm[16];
size_t key_count = 0;
hsm_key_t **keys;
hsm_ctx_t *ctx = NULL;
if (argc != 1) {
usage();
return -1;
}
repository = strdup(argv[0]);
argc--;
argv++;
/* Check for repository before starting using it */
if (hsm_token_attached(ctx, repository) == 0) {
hsm_print_error(ctx);
return 1;
}
printf("Purging all keys from repository: %s\n", repository);
keys = hsm_list_keys_repository(NULL, &key_count, repository);
printf("%u %s found.\n\n", (unsigned int) key_count,
(key_count > 1 || key_count == 0 ? "keys" : "key"));
if (!keys) {
return -1;
}
if (key_count == 0) {
return -1;
}
printf("Are you sure you want to remove ALL keys from repository %s ? (YES/NO) ", repository);
fresult = fgets(confirm, sizeof(confirm) - 1, stdin);
if (fresult == NULL || strncasecmp(confirm, "yes", 3) != 0) {
printf("\nPurge cancelled.\n");
hsm_key_list_free(keys, key_count);
return -1;
} else {
printf("\nStarting purge...\n");
}
for (i = 0; i < key_count; i++) {
hsm_key_info_t *key_info;
hsm_key_t *key = keys[i];
key_info = hsm_get_key_info(NULL, key);
result = hsm_remove_key(NULL, key);
if (!result) {
printf("Key remove successful: %s\n",
key_info ? key_info->id : "NULL");
} else {
printf("Key remove failed: %s\n",
key_info ? key_info->id : "NULL");
final_result++;
}
hsm_key_info_free(key_info);
}
hsm_key_list_free(keys, key_count);
printf("Purge done.\n");
return final_result;
}
int
cmd_generate (int argc, char *argv[])
{
char *repository = NULL;
char *algorithm = NULL;
unsigned int keysize = 1024;
hsm_key_t *key = NULL;
hsm_ctx_t *ctx = NULL;
if (argc < 2 || argc > 3) {
usage();
return -1;
}
repository = strdup(argv[0]);
/* Check for repository before starting using it */
if (hsm_token_attached(ctx, repository) == 0) {
hsm_print_error(ctx);
return 1;
}
algorithm = strdup(argv[1]);
if (argc == 3) {
keysize = atoi(argv[2]);
}
if (!strcasecmp(algorithm, "rsa")) {
printf("Generating %d bit RSA key in repository: %s\n",
keysize, repository);
key = hsm_generate_rsa_key(NULL, repository, keysize);
} else if (!strcasecmp(algorithm, "dsa")) {
printf("Generating %d bit DSA key in repository: %s\n",
keysize, repository);
key = hsm_generate_dsa_key(NULL, repository, keysize);
} else if (!strcasecmp(algorithm, "gost")) {
printf("Generating 512 bit GOST key in repository: %s\n",
repository);
key = hsm_generate_gost_key(NULL, repository);
} else if (!strcasecmp(algorithm, "ecdsa")) {
if (keysize == 256) {
printf("Generating a P-256 ECDSA key in repository: %s\n",
repository);
key = hsm_generate_ecdsa_key(NULL, repository, "P-256");
} else if (keysize == 384) {
printf("Generating a P-384 ECDSA key in repository: %s\n",
repository);
key = hsm_generate_ecdsa_key(NULL, repository, "P-384");
} else {
printf("Invalid ECDSA key size: %d\n", keysize);
printf("Expecting 256 or 384.\n");
return -1;
}
} else {
printf("Unknown algorithm: %s\n", algorithm);
return -1;
}
if (key) {
hsm_key_info_t *key_info;
key_info = hsm_get_key_info(NULL, key);
printf("Key generation successful: %s\n",
key_info ? key_info->id : "NULL");
hsm_key_info_free(key_info);
if (verbose) hsm_print_key(key);
hsm_key_free(key);
} else {
printf("Key generation failed.\n");
return -1;
}
return 0;
}
int
hsm_test (const char *repository)
{
int result;
const unsigned int rsa_keysizes[] = { 512, 768, 1024, 1536, 2048, 4096 };
const unsigned int dsa_keysizes[] = { 512, 768, 1024 };
unsigned int keysize;
hsm_ctx_t *ctx = NULL;
hsm_key_t *key = NULL;
char *id;
int errors = 0;
unsigned int i = 0;
/* Check for repository before starting any tests */
if (hsm_token_attached(ctx, repository) == 0) {
hsm_print_error(ctx);
return 1;
}
/*
* Test key generation, signing and deletion for a number of key size
*/
for (i=0; i<(sizeof(rsa_keysizes)/sizeof(unsigned int)); i++) {
keysize = rsa_keysizes[i];
printf("Generating %d-bit RSA key... ", keysize);
key = hsm_generate_rsa_key(ctx, repository, keysize);
if (!key) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
continue;
} else {
printf("OK\n");
}
printf("Extracting key identifier... ");
id = hsm_get_key_id(ctx, key);
if (!id) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
} else {
printf("OK, %s\n", id);
}
free(id);
printf("Signing (RSA/SHA1) with key... ");
result = hsm_test_sign(ctx, key, LDNS_RSASHA1);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
printf("Signing (RSA/SHA256) with key... ");
result = hsm_test_sign(ctx, key, LDNS_RSASHA256);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
if ( keysize >= 1024) {
printf("Signing (RSA/SHA512) with key... ");
result = hsm_test_sign(ctx, key, LDNS_RSASHA512);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
}
printf("Deleting key... ");
result = hsm_remove_key(ctx, key);
if (result) {
errors++;
printf("Failed: error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
free(key);
printf("\n");
}
/*
* Test key generation, signing and deletion for a number of key size
*/
for (i=0; i<(sizeof(dsa_keysizes)/sizeof(unsigned int)); i++) {
keysize = dsa_keysizes[i];
printf("Generating %d-bit DSA key... ", keysize);
key = hsm_generate_dsa_key(ctx, repository, keysize);
if (!key) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
continue;
} else {
printf("OK\n");
}
printf("Extracting key identifier... ");
id = hsm_get_key_id(ctx, key);
if (!id) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
} else {
printf("OK, %s\n", id);
}
free(id);
printf("Signing (DSA/SHA1) with key... ");
result = hsm_test_sign(ctx, key, LDNS_DSA);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
printf("Deleting key... ");
result = hsm_remove_key(ctx, key);
if (result) {
errors++;
printf("Failed: error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
free(key);
printf("\n");
}
/*
* Test key generation, signing and deletion for a number of key size
*/
for (i=0; i<1; i++) {
printf("Generating 512-bit GOST key... ");
key = hsm_generate_gost_key(ctx, repository);
if (!key) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
continue;
} else {
printf("OK\n");
}
printf("Extracting key identifier... ");
id = hsm_get_key_id(ctx, key);
if (!id) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
} else {
printf("OK, %s\n", id);
}
free(id);
printf("Signing (GOST) with key... ");
result = hsm_test_sign(ctx, key, LDNS_ECC_GOST);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
printf("Deleting key... ");
result = hsm_remove_key(ctx, key);
if (result) {
errors++;
printf("Failed: error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
free(key);
printf("\n");
}
if (hsm_test_random()) {
errors++;
}
return errors;
}