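/*%
 * Reads a public key from disk.
 *
 * File format (a DNS master-file fragment):
 *    domain.name [ttl] [class] [KEY|DNSKEY] <flags> <protocol> <algorithm> <key>
 *
 * The owner name, an optional TTL and an optional class are consumed here;
 * the RR type must be KEY or DNSKEY and must agree with the DST_TYPE_KEY bit
 * of 'type'.  The remainder of the record is handed to dns_rdata_fromtext()
 * and then to dst_key_fromdns(), which builds the key in '*keyp'; the TTL
 * (0 if absent) is stored on the key afterwards.
 *
 * Returns ISC_R_SUCCESS, ISC_R_UNEXPECTEDTOKEN for a malformed line,
 * DST_R_BADKEYTYPE when the record type disagrees with 'type', or the
 * result of the failing library call.
 */
isc_result_t
dst_key_read_public(const char *filename, int type,
		    isc_mem_t *mctx, dst_key_t **keyp)
{
	u_char rdatabuf[DST_KEY_MAXSIZE];
	isc_buffer_t b;
	dns_fixedname_t name;
	isc_lex_t *lex = NULL;
	isc_token_t token;
	isc_result_t ret;
	dns_rdata_t rdata = DNS_RDATA_INIT;
	unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
	dns_rdataclass_t rdclass = dns_rdataclass_in;	/* default if no class field */
	isc_lexspecials_t specials;
	isc_uint32_t ttl = 0;				/* default if no TTL field */
	isc_result_t result;
	dns_rdatatype_t keytype;

	/* 1500 should be large enough for any key */
	ret = isc_lex_create(mctx, 1500, &lex);
	if (ret != ISC_R_SUCCESS)
		goto cleanup;

	/* Parentheses and quotes are master-file specials; comments likewise. */
	memset(specials, 0, sizeof(specials));
	specials['('] = 1;
	specials[')'] = 1;
	specials['"'] = 1;
	isc_lex_setspecials(lex, specials);
	isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);

	ret = isc_lex_openfile(lex, filename);
	if (ret != ISC_R_SUCCESS)
		goto cleanup;

/*
 * Both helpers are single statements (do { } while (0)) so that they can
 * safely be the body of an unbraced 'if' below.
 */
#define NEXTTOKEN(lex, opt, token)				\
	do {							\
		ret = isc_lex_gettoken(lex, opt, token);	\
		if (ret != ISC_R_SUCCESS)			\
			goto cleanup;				\
	} while (0)

#define BADTOKEN()						\
	do {							\
		ret = ISC_R_UNEXPECTEDTOKEN;			\
		goto cleanup;					\
	} while (0)

	/* Read the domain name */
	NEXTTOKEN(lex, opt, &token);
	if (token.type != isc_tokentype_string)
		BADTOKEN();

	/*
	 * We don't support "@" in .key files.
	 */
	if (!strcmp(DST_AS_STR(token), "@"))
		BADTOKEN();

	/* Owner names are absolute; relative names are completed with the root. */
	dns_fixedname_init(&name);
	isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
	isc_buffer_add(&b, strlen(DST_AS_STR(token)));
	ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname,
				0, NULL);
	if (ret != ISC_R_SUCCESS)
		goto cleanup;

	/* Read the next word: either TTL, class, or 'KEY' */
	NEXTTOKEN(lex, opt, &token);

	if (token.type != isc_tokentype_string)
		BADTOKEN();

	/* If it's a TTL, read the next one */
	result = dns_ttl_fromtext(&token.value.as_textregion, &ttl);
	if (result == ISC_R_SUCCESS)
		NEXTTOKEN(lex, opt, &token);

	if (token.type != isc_tokentype_string)
		BADTOKEN();

	/*
	 * If it's a class, read the next one.  A failed parse is not an
	 * error: the word is then expected to be the RR type and 'ret' is
	 * overwritten before it can be returned.
	 */
	ret = dns_rdataclass_fromtext(&rdclass, &token.value.as_textregion);
	if (ret == ISC_R_SUCCESS)
		NEXTTOKEN(lex, opt, &token);

	if (token.type != isc_tokentype_string)
		BADTOKEN();

	if (strcasecmp(DST_AS_STR(token), "DNSKEY") == 0)
		keytype = dns_rdatatype_dnskey;
	else if (strcasecmp(DST_AS_STR(token), "KEY") == 0)
		keytype = dns_rdatatype_key; /*%< SIG(0), TKEY */
	else
		BADTOKEN();

	/* The record type on disk must match what the caller asked for. */
	if (((type & DST_TYPE_KEY) != 0 && keytype != dns_rdatatype_key) ||
	    ((type & DST_TYPE_KEY) == 0 && keytype != dns_rdatatype_dnskey)) {
		ret = DST_R_BADKEYTYPE;
		goto cleanup;
	}

	/* The rest of the line (flags protocol algorithm key) is the rdata. */
	isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
	ret = dns_rdata_fromtext(&rdata, rdclass, keytype, lex, NULL,
				 ISC_FALSE, mctx, &b, NULL);
	if (ret != ISC_R_SUCCESS)
		goto cleanup;

	ret = dst_key_fromdns(dns_fixedname_name(&name), rdclass, &b, mctx,
			      keyp);
	if (ret != ISC_R_SUCCESS)
		goto cleanup;

	dst_key_setttl(*keyp, ttl);

 cleanup:
	if (lex != NULL)
		isc_lex_destroy(&lex);
	return (ret);
}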
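/*%
 * Parses the text form of a private key from 'lex' into 'priv'.
 *
 * The first line must start with PRIVATE_KEY_STR followed by
 * "v<major>.<minor>", no newer than MAJOR_VERSION.MINOR_VERSION; the
 * second must start with ALGORITHM_STR followed by the number
 * dst_key_alg(key).  Every further non-empty line is a key field tag for
 * 'alg' (find_value) followed by its base64 value; fields are stored in
 * priv->elements[] in file order, at most MAXFIELDS of them.
 *
 * priv: filled in; on failure whatever was stored is released again with
 *       dst__privstruct_free().
 * mctx: memory context for the element buffers (MAXFIELDSIZE each).
 *
 * Returns an isc_result_t value carried in an int (the declared type is
 * kept for callers): ISC_R_SUCCESS, DST_R_INVALIDPRIVATEKEY for malformed
 * or inconsistent input, ISC_R_NOMEMORY, or the result of the failing
 * library call.
 */
int
dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
		      isc_mem_t *mctx, dst_private_t *priv)
{
	int n = 0, major, minor;
	isc_buffer_t b;
	isc_token_t token;
	unsigned char *data = NULL;	/* element buffer not yet counted in priv */
	unsigned int opt = ISC_LEXOPT_EOL;
	isc_result_t ret;

	REQUIRE(priv != NULL);

	priv->nelements = 0;

#define NEXTTOKEN(lex, opt, token)				\
	do {							\
		ret = isc_lex_gettoken(lex, opt, token);	\
		if (ret != ISC_R_SUCCESS)			\
			goto fail;				\
	} while (0)

/* Consume tokens up to and including the end of the current line. */
#define READLINE(lex, opt, token)				\
	do {							\
		ret = isc_lex_gettoken(lex, opt, token);	\
		if (ret == ISC_R_EOF)				\
			break;					\
		else if (ret != ISC_R_SUCCESS)			\
			goto fail;				\
	} while ((*token).type != isc_tokentype_eol)

	/*
	 * Read the description line.
	 */
	NEXTTOKEN(lex, opt, &token);
	if (token.type != isc_tokentype_string ||
	    strcmp(DST_AS_STR(token), PRIVATE_KEY_STR) != 0)
	{
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	NEXTTOKEN(lex, opt, &token);
	if (token.type != isc_tokentype_string ||
	    (DST_AS_STR(token))[0] != 'v')
	{
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}
	if (sscanf(DST_AS_STR(token), "v%d.%d", &major, &minor) != 2)
	{
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	/* Files written by a newer format than we understand are refused. */
	if (major > MAJOR_VERSION ||
	    (major == MAJOR_VERSION && minor > MINOR_VERSION))
	{
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	READLINE(lex, opt, &token);

	/*
	 * Read the algorithm line.
	 */
	NEXTTOKEN(lex, opt, &token);
	if (token.type != isc_tokentype_string ||
	    strcmp(DST_AS_STR(token), ALGORITHM_STR) != 0)
	{
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
	if (token.type != isc_tokentype_number ||
	    token.value.as_ulong != (unsigned long) dst_key_alg(key))
	{
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	READLINE(lex, opt, &token);

	/*
	 * Read the key data.  'n' is both the line counter and the index of
	 * the element being filled; nelements is only set from it at done:
	 * and fail:, so a partially filled elements[n] is never counted.
	 */
	for (n = 0; n < MAXFIELDS; n++) {
		int tag;
		isc_region_t r;

		/* Skip blank lines; EOF ends the key data. */
		do {
			ret = isc_lex_gettoken(lex, opt, &token);
			if (ret == ISC_R_EOF)
				goto done;
			if (ret != ISC_R_SUCCESS)
				goto fail;
		} while (token.type == isc_tokentype_eol);

		if (token.type != isc_tokentype_string) {
			ret = DST_R_INVALIDPRIVATEKEY;
			goto fail;
		}

		memset(&priv->elements[n], 0, sizeof(dst_private_element_t));
		tag = find_value(DST_AS_STR(token), alg);
		if (tag < 0 || TAG_ALG(tag) != alg) {
			ret = DST_R_INVALIDPRIVATEKEY;
			goto fail;
		}
		priv->elements[n].tag = tag;

		data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
		if (data == NULL) {
			/*
			 * 'ret' still holds the last lexer result, which is
			 * ISC_R_SUCCESS here, so it must be set explicitly or
			 * the caller would see success for a freed 'priv'.
			 */
			ret = ISC_R_NOMEMORY;
			goto fail;
		}

		isc_buffer_init(&b, data, MAXFIELDSIZE);
		ret = isc_base64_tobuffer(lex, &b, -1);
		if (ret != ISC_R_SUCCESS)
			goto fail;
		isc_buffer_usedregion(&b, &r);
		priv->elements[n].length = r.length;
		priv->elements[n].data = r.base;

		/*
		 * Until 'data' is cleared the buffer is still owned here:
		 * a READLINE failure leaves nelements == n, so fail: frees
		 * it once through 'data' and not through the element.
		 */
		READLINE(lex, opt, &token);
		data = NULL;
	}
 done:
	priv->nelements = n;

	if (check_data(priv, alg) < 0) {
		/*
		 * 'ret' holds ISC_R_EOF or ISC_R_SUCCESS from the loop exit;
		 * report the inconsistency explicitly.
		 */
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	return (ISC_R_SUCCESS);

fail:
	priv->nelements = n;
	dst__privstruct_free(priv, mctx);
	if (data != NULL)
		isc_mem_put(mctx, data, MAXFIELDSIZE);

	return (ret);
}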
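/*%
 * Parses the text form of a private key from 'lex' into 'priv' and 'key'.
 *
 * The first line must start with PRIVATE_KEY_STR followed by
 * "v<major>.<minor>"; a major version newer than DST_MAJOR_VERSION is
 * refused, and the version is recorded with dst_key_setprivateformat().
 * The second line must start with ALGORITHM_STR followed by the number
 * dst_key_alg(key).  Each remaining non-empty line is one of:
 *   - a numeric metadata tag (find_numericdata) and a number, stored
 *     with dst_key_setnum();
 *   - a timing metadata tag (find_timedata) and a time string, stored
 *     with dst_key_settime();
 *   - "External:", which marks the key as external and forbids key data;
 *   - a key field tag for 'alg' (find_value) and its base64 value,
 *     stored as the next element of 'priv';
 *   - when the minor version is newer than DST_MINOR_VERSION, an unknown
 *     tag, which is skipped.
 * At most MAXFIELDS lines of key data are read.
 *
 * key:  receives the format version, the metadata and the external flag.
 * alg:  algorithm the key fields are validated against.
 * mctx: memory context for the element buffers (MAXFIELDSIZE each).
 * priv: filled in; on failure whatever was stored is released again with
 *       dst__privstruct_free().
 *
 * Returns ISC_R_SUCCESS, DST_R_INVALIDPRIVATEKEY for malformed or
 * inconsistent input, ISC_R_NOMEMORY, or the result of the failing call
 * (including a non-negative error from check_data()).
 */
isc_result_t
dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
		      isc_mem_t *mctx, dst_private_t *priv)
{
	int n = 0, major, minor, check;
	isc_buffer_t b;
	isc_token_t token;
	unsigned char *data = NULL;	/* element buffer not yet owned by priv */
	unsigned int opt = ISC_LEXOPT_EOL;
	isc_stdtime_t when;
	isc_result_t ret;
	isc_boolean_t external = ISC_FALSE;

	REQUIRE(priv != NULL);

	priv->nelements = 0;
	memset(priv->elements, 0, sizeof(priv->elements));

#define NEXTTOKEN(lex, opt, token)				\
	do {							\
		ret = isc_lex_gettoken(lex, opt, token);	\
		if (ret != ISC_R_SUCCESS)			\
			goto fail;				\
	} while (/*CONSTCOND*/0)

/* Consume tokens up to and including the end of the current line. */
#define READLINE(lex, opt, token)				\
	do {							\
		ret = isc_lex_gettoken(lex, opt, token);	\
		if (ret == ISC_R_EOF)				\
			break;					\
		else if (ret != ISC_R_SUCCESS)			\
			goto fail;				\
	} while ((*token).type != isc_tokentype_eol)

	/*
	 * Read the description line.
	 */
	NEXTTOKEN(lex, opt, &token);
	if (token.type != isc_tokentype_string ||
	    strcmp(DST_AS_STR(token), PRIVATE_KEY_STR) != 0)
	{
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	NEXTTOKEN(lex, opt, &token);
	if (token.type != isc_tokentype_string ||
	    (DST_AS_STR(token))[0] != 'v')
	{
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}
	if (sscanf(DST_AS_STR(token), "v%d.%d", &major, &minor) != 2)
	{
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	/* A newer major version is refused; a newer minor is tolerated below. */
	if (major > DST_MAJOR_VERSION) {
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	/*
	 * Store the private key format version number
	 */
	dst_key_setprivateformat(key, major, minor);

	READLINE(lex, opt, &token);

	/*
	 * Read the algorithm line.
	 */
	NEXTTOKEN(lex, opt, &token);
	if (token.type != isc_tokentype_string ||
	    strcmp(DST_AS_STR(token), ALGORITHM_STR) != 0)
	{
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
	if (token.type != isc_tokentype_number ||
	    token.value.as_ulong != (unsigned long) dst_key_alg(key))
	{
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	READLINE(lex, opt, &token);

	/*
	 * Read the key data.  'n' counts lines (bounded by MAXFIELDS);
	 * priv->nelements counts stored key fields only, since metadata
	 * and skipped lines reach 'next' without storing anything.
	 */
	for (n = 0; n < MAXFIELDS; n++) {
		int tag;
		isc_region_t r;

		/* Skip blank lines; EOF ends the key data. */
		do {
			ret = isc_lex_gettoken(lex, opt, &token);
			if (ret == ISC_R_EOF)
				goto done;
			if (ret != ISC_R_SUCCESS)
				goto fail;
		} while (token.type == isc_tokentype_eol);

		if (token.type != isc_tokentype_string) {
			ret = DST_R_INVALIDPRIVATEKEY;
			goto fail;
		}

		if (strcmp(DST_AS_STR(token), "External:") == 0) {
			external = ISC_TRUE;
			goto next;
		}

		/* Numeric metadata */
		tag = find_numericdata(DST_AS_STR(token));
		if (tag >= 0) {
			INSIST(tag < NUMERIC_NTAGS);

			NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
			if (token.type != isc_tokentype_number) {
				ret = DST_R_INVALIDPRIVATEKEY;
				goto fail;
			}

			dst_key_setnum(key, tag, token.value.as_ulong);
			goto next;
		}

		/* Timing metadata */
		tag = find_timedata(DST_AS_STR(token));
		if (tag >= 0) {
			INSIST(tag < TIMING_NTAGS);

			NEXTTOKEN(lex, opt, &token);
			if (token.type != isc_tokentype_string) {
				ret = DST_R_INVALIDPRIVATEKEY;
				goto fail;
			}

			ret = dns_time32_fromtext(DST_AS_STR(token), &when);
			if (ret != ISC_R_SUCCESS)
				goto fail;

			dst_key_settime(key, tag, when);

			goto next;
		}

		/* Key data */
		tag = find_value(DST_AS_STR(token), alg);
		if (tag < 0 && minor > DST_MINOR_VERSION)
			goto next;	/* unknown field of a newer minor version */
		else if (tag < 0) {
			ret = DST_R_INVALIDPRIVATEKEY;
			goto fail;
		}

		/*
		 * Index by nelements rather than by the line counter 'n':
		 * metadata or skipped lines advance 'n' only, and would
		 * otherwise leave unused slots between stored fields that
		 * nelements does not account for.  nelements <= n < MAXFIELDS,
		 * so the index stays in bounds.
		 */
		priv->elements[priv->nelements].tag = tag;

		data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
		if (data == NULL) {
			/*
			 * 'ret' still holds the last lexer result, which is
			 * ISC_R_SUCCESS here, so it must be set explicitly or
			 * the caller would see success for a freed 'priv'.
			 */
			ret = ISC_R_NOMEMORY;
			goto fail;
		}

		isc_buffer_init(&b, data, MAXFIELDSIZE);
		ret = isc_base64_tobuffer(lex, &b, -1);
		if (ret != ISC_R_SUCCESS)
			goto fail;

		isc_buffer_usedregion(&b, &r);
		priv->elements[priv->nelements].length = r.length;
		priv->elements[priv->nelements].data = r.base;
		priv->nelements++;
		/*
		 * The buffer is now a counted element of priv, which fail:
		 * hands to dst__privstruct_free(); forget it here so that a
		 * READLINE failure below cannot release it a second time via
		 * 'data'.
		 */
		data = NULL;

	  next:
		READLINE(lex, opt, &token);
	}

 done:
	/* An external key carries no key material of its own. */
	if (external && priv->nelements != 0) {
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}

	/* check_data(): negative means inconsistent fields, else an isc_result_t. */
	check = check_data(priv, alg, ISC_TRUE, external);
	if (check < 0) {
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	} else if (check != ISC_R_SUCCESS) {
		ret = check;
		goto fail;
	}

	key->external = external;

	return (ISC_R_SUCCESS);

fail:
	dst__privstruct_free(priv, mctx);
	if (data != NULL)
		isc_mem_put(mctx, data, MAXFIELDSIZE);

	return (ret);
}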