Пример #1
0
static int
hsm_test_random()
{
    hsm_ctx_t *ctx = NULL;

    int result;
    unsigned char rnd_buf[1024];
    uint32_t r32;
    uint64_t r64;

    printf("Generating %lu bytes of random data... ",
        (unsigned long) sizeof(rnd_buf));
    result = hsm_random_buffer(ctx, rnd_buf, sizeof(rnd_buf));
    if (result) {
        printf("Failed, error: %d\n", result);
        hsm_print_error(ctx);
        return 1;
    } else {
        printf("OK\n");
    }

    printf("Generating 32-bit random data... ");
    r32 = hsm_random32(ctx);
    printf("%u\n", r32);

    printf("Generating 64-bit random data... ");
    r64 = hsm_random64(ctx);
    printf("%llu\n", (long long unsigned int)r64);

    return 0;
}
Пример #2
0
int
cmd_logout ()
{
    if (hsm_logout_pin() != HSM_OK) {
        printf("Failed to erase the credentials.\n");
        hsm_print_error(NULL);
        return 1;
    }

    printf("The credentials has been erased.\n");

    return 0;
}
Пример #3
0
int
main (int argc, char *argv[])
{
    int result;
    hsm_ctx_t *ctx;
    hsm_key_t **keys;
    hsm_key_t *key = NULL;
    char *id;
    size_t key_count = 0;
    size_t i;
    ldns_rr_list *rrset;
    ldns_rr *rr, *sig, *dnskey_rr;
    ldns_status status;
    hsm_sign_params_t *sign_params;

    int do_generate = 0;
    int do_sign = 0;
    int do_delete = 0;
    int do_random = 0;

    int res;
    uint32_t r32;
    uint64_t r64;

    char *config = NULL;
    const char *repository = "default";

    int ch;

    progname = argv[0];

    while ((ch = getopt(argc, argv, "hgsdrc:")) != -1) {
        switch (ch) {
        case 'c':
            config = strdup(optarg);
            break;
        case 'g':
            do_generate = 1;
            break;
        case 'h':
            usage();
            exit(0);
            break;
        case 's':
            do_sign = 1;
            break;
        case 'd':
            do_delete = 1;
            break;
        case 'r':
            do_random = 1;
            break;
        default:
            usage();
            exit(1);
        }
    }

    if (!config) {
        usage();
        exit(1);
    }

    /*
     * Open HSM library
     */
    fprintf(stdout, "Starting HSM lib test\n");
    result = hsm_open(config, hsm_prompt_pin);
    fprintf(stdout, "hsm_open result: %d\n", result);

    /*
     * Create HSM context
     */
    ctx = hsm_create_context();
    printf("global: ");
    hsm_print_ctx(NULL);
    printf("my: ");
    hsm_print_ctx(ctx);

    /*
     * Generate a new key OR find any key with an ID
     */
    if (do_generate) {
        key = hsm_generate_rsa_key(ctx, repository, 1024);

        if (key) {
            printf("\nCreated key!\n");
            hsm_print_key(key);
            printf("\n");
        } else {
            printf("Error creating key, bad token name?\n");
            hsm_print_error(ctx);
            exit(1);
        }
    } else if (do_sign || do_delete) {
        keys = hsm_list_keys(ctx, &key_count);
        printf("I have found %u keys\n", (unsigned int) key_count);

        /* let's just use the very first key we find and throw away the rest */
        for (i = 0; i < key_count && !key; i++) {
            printf("\nFound key!\n");
            hsm_print_key(keys[i]);

            id = hsm_get_key_id(ctx, keys[i]);

            if (id) {
                printf("Using key ID: %s\n", id);
                if (key) hsm_key_free(key);
                key = hsm_find_key_by_id(ctx, id);
                printf("ptr: 0x%p\n", (void *) key);
                free(id);
            } else {
                printf("Got no key ID (broken key?), skipped...\n");
            }

            hsm_key_free(keys[i]);
        }
        free(keys);

        if (!key) {
            printf("Failed to find useful key\n");
            exit(1);
        }
    }

    /*
     * Do some signing
     */
    if (do_sign) {
        printf("\nSigning with:\n");
        hsm_print_key(key);
        printf("\n");

        rrset = ldns_rr_list_new();

        status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 123.123.123.123", 0, NULL, NULL);
        if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
        status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 124.124.124.124", 0, NULL, NULL);
        if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);

        sign_params = hsm_sign_params_new();
        sign_params->algorithm = LDNS_RSASHA1;
        sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, "opendnssec.se.");
        dnskey_rr = hsm_get_dnskey(ctx, key, sign_params);
        sign_params->keytag = ldns_calc_keytag(dnskey_rr);

        sig = hsm_sign_rrset(ctx, rrset, key, sign_params);
        if (sig) {
            ldns_rr_list_print(stdout, rrset);
            ldns_rr_print(stdout, sig);
            ldns_rr_print(stdout, dnskey_rr);
            ldns_rr_free(sig);
        } else {
            hsm_print_error(ctx);
            exit(-1);
        }

        /* cleanup */
        ldns_rr_list_deep_free(rrset);
        hsm_sign_params_free(sign_params);
        ldns_rr_free(dnskey_rr);
    }

    /*
     * Delete key
     */
    if (do_delete) {
        printf("\nDelete key:\n");
        hsm_print_key(key);
        /* res = hsm_remove_key(ctx, key); */
        res = hsm_remove_key(ctx, key);
        printf("Deleted key. Result: %d\n", res);
        printf("\n");
    }

    if (key) hsm_key_free(key);

    /*
     * Test random{32,64} functions
     */
    if (do_random) {
        r32 = hsm_random32(ctx);
        printf("random 32: %u\n", r32);
        r64 = hsm_random64(ctx);
        printf("random 64: %llu\n", (long long unsigned int)r64);
    }

    /*
     * Destroy HSM context
     */
    if (ctx) {
        hsm_destroy_context(ctx);
    }

    /*
     * Close HSM library
     */
    result = hsm_close();
    fprintf(stdout, "all done! hsm_close result: %d\n", result);

    if (config) free(config);
    
    return 0;
}
Пример #4
0
int
cmd_list (int argc, char *argv[])
{
    size_t i;
    char *repository = NULL;

    size_t key_count = 0;
    size_t key_count_valid = 0;
    hsm_key_t **keys;
    hsm_ctx_t *ctx = NULL;

    const char *key_info_format = "%-20s  %-32s  %-10s\n";


    if (argc) {
        repository = strdup(argv[0]);
        argc--;
        argv++;

        /* Check for repository before starting using it */
        if (hsm_token_attached(ctx, repository) == 0) {
           hsm_print_error(ctx);
           return 1;
        }

        fprintf(stdout, "\nListing keys in repository: %s\n", repository);
        keys = hsm_list_keys_repository(NULL, &key_count, repository);
    } else {
        fprintf(stdout, "\nListing keys in all repositories.\n");
        keys = hsm_list_keys(NULL, &key_count);
    }

    fprintf(stdout, "%u %s found.\n\n", (unsigned int) key_count,
        (key_count > 1 || key_count == 0 ? "keys" : "key"));

    if (!keys) {
        return -1;
    }

    /* print fancy header */
    fprintf(stdout, key_info_format, "Repository", "ID", "Type");
    fprintf(stdout, key_info_format, "----------", "--", "----");

    for (i = 0; i < key_count; i++) {
        hsm_key_info_t *key_info;
        hsm_key_t *key = NULL;
        char key_type[HSM_MAX_ALGONAME + 8];
        char *key_id = NULL;

        key = keys[i];
        if (key == NULL) {
            /* Skip NULL key for now */
            continue;
        }

        key_count_valid++;

        key_info = hsm_get_key_info(NULL, key);

        if (key_info) {
            snprintf(key_type, sizeof(key_type), "%s/%lu",
                key_info->algorithm_name, key_info->keysize);
            key_id = key_info->id;
        } else {
            snprintf(key_type, sizeof(key_type), "UNKNOWN");
            key_id = "UNKNOWN";
        }

        printf(key_info_format, key->module->name, key_id, key_type);

        hsm_key_info_free(key_info);
    }
    hsm_key_list_free(keys, key_count);

    if (key_count != key_count_valid) {
        size_t invalid_keys;
        invalid_keys = key_count - key_count_valid;
        printf("\n");
        fprintf(stderr, "Warning: %u %s not usable by OpenDNSSEC was found.\n",
            (unsigned int) invalid_keys, invalid_keys > 1 ? "keys" : "key");
    }

    return 0;
}
Пример #5
0
int
main (int argc, char *argv[])
{
    int result;

    char *config = NULL;

    int ch;
    progname = argv[0];

    while ((ch = getopt(argc, argv, "c:vVh")) != -1) {
        switch (ch) {
        case 'c':
            config = strdup(optarg);
            break;
        case 'v':
            verbose++;
            break;
        case 'V':
            version();
            exit(0);
            break;
        case 'h':
            usage();
            exit(0);
            break;
        default:
            usage();
            exit(1);
        }
    }
    argc -= optind;
    argv += optind;

    if (!argc) {
        usage();
        exit(1);
    }


    if (!strcasecmp(argv[0], "logout")) {
        if (config) free(config);
        exit(cmd_logout());
    }

    result = hsm_open(config, hsm_prompt_pin);
    if (result) {
        hsm_print_error(NULL);
        exit(-1);
    }

    openlog("hsmutil", LOG_PID, LOG_USER);

    if (!strcasecmp(argv[0], "login")) {
        argc --;
        argv ++;
        result = cmd_login();
    } else if (!strcasecmp(argv[0], "list")) {
        argc --;
        argv ++;
        result = cmd_list(argc, argv);
    } else if (!strcasecmp(argv[0], "generate")) {
        argc --;
        argv ++;
        result = cmd_generate(argc, argv);
    } else if (!strcasecmp(argv[0], "remove")) {
        argc --;
        argv ++;
        result = cmd_remove(argc, argv);
    } else if (!strcasecmp(argv[0], "purge")) {
        argc --;
        argv ++;
        result = cmd_purge(argc, argv);
    } else if (!strcasecmp(argv[0], "dnskey")) {
        argc --;
        argv ++;
        result = cmd_dnskey(argc, argv);
    } else if (!strcasecmp(argv[0], "test")) {
        argc --;
        argv ++;
        result = cmd_test(argc, argv);
    } else if (!strcasecmp(argv[0], "info")) {
        argc --;
        argv ++;
        result = cmd_info();
    } else if (!strcasecmp(argv[0], "debug")) {
        argc --;
        argv ++;
        result = cmd_debug();
    } else {
        usage();
        result = -1;
    }

    (void) hsm_close();
    if (config) free(config);

    closelog();

    exit(result);
}
Пример #6
0
int
cmd_purge (int argc, char *argv[])
{
    int result;
    int final_result = 0;
    char *fresult;

    size_t i;
    char *repository = NULL;
    char confirm[16];

    size_t key_count = 0;
    hsm_key_t **keys;
    hsm_ctx_t *ctx = NULL;

    if (argc != 1) {
        usage();
        return -1;
    }

    repository = strdup(argv[0]);
    argc--;
    argv++;

    /* Check for repository before starting using it */
    if (hsm_token_attached(ctx, repository) == 0) {
        hsm_print_error(ctx);
        return 1;
    }

    printf("Purging all keys from repository: %s\n", repository);
    keys = hsm_list_keys_repository(NULL, &key_count, repository);

    printf("%u %s found.\n\n", (unsigned int) key_count,
        (key_count > 1 || key_count == 0 ? "keys" : "key"));

    if (!keys) {
        return -1;
    }

    if (key_count == 0) {
       return -1;
    }

    printf("Are you sure you want to remove ALL keys from repository %s ? (YES/NO) ", repository);
    fresult = fgets(confirm, sizeof(confirm) - 1, stdin);
    if (fresult == NULL || strncasecmp(confirm, "yes", 3) != 0) {
        printf("\nPurge cancelled.\n");
        hsm_key_list_free(keys, key_count);
        return -1;
    } else {
        printf("\nStarting purge...\n");
    }

    for (i = 0; i < key_count; i++) {
        hsm_key_info_t *key_info;
        hsm_key_t *key = keys[i];

        key_info = hsm_get_key_info(NULL, key);
        result = hsm_remove_key(NULL, key);

        if (!result) {
            printf("Key remove successful: %s\n",
                key_info ? key_info->id : "NULL");
        } else {
            printf("Key remove failed: %s\n",
                key_info ? key_info->id : "NULL");
            final_result++;
        }

        hsm_key_info_free(key_info);
    }
    hsm_key_list_free(keys, key_count);

    printf("Purge done.\n");

    return final_result;
}
Пример #7
0
int
cmd_generate (int argc, char *argv[])
{
    char *repository = NULL;
    char *algorithm = NULL;
    unsigned int keysize = 1024;

    hsm_key_t *key = NULL;
    hsm_ctx_t *ctx = NULL;

    if (argc < 2 || argc > 3) {
        usage();
        return -1;
    }

    repository = strdup(argv[0]);

    /* Check for repository before starting using it */
    if (hsm_token_attached(ctx, repository) == 0) {
       hsm_print_error(ctx);
       return 1;
    }

    algorithm = strdup(argv[1]);
    if (argc == 3) {
        keysize = atoi(argv[2]);
    }

    if (!strcasecmp(algorithm, "rsa")) {
        printf("Generating %d bit RSA key in repository: %s\n",
            keysize, repository);

        key = hsm_generate_rsa_key(NULL, repository, keysize);
    } else if (!strcasecmp(algorithm, "dsa")) {
        printf("Generating %d bit DSA key in repository: %s\n",
            keysize, repository);

        key = hsm_generate_dsa_key(NULL, repository, keysize);
    } else if (!strcasecmp(algorithm, "gost")) {
        printf("Generating 512 bit GOST key in repository: %s\n",
            repository);

        key = hsm_generate_gost_key(NULL, repository);
    } else if (!strcasecmp(algorithm, "ecdsa")) {
        if (keysize == 256) {
            printf("Generating a P-256 ECDSA key in repository: %s\n",
                repository);

            key = hsm_generate_ecdsa_key(NULL, repository, "P-256");
        } else if (keysize == 384) {
            printf("Generating a P-384 ECDSA key in repository: %s\n",
                repository);

            key = hsm_generate_ecdsa_key(NULL, repository, "P-384");
        } else {
            printf("Invalid ECDSA key size: %d\n", keysize);
            printf("Expecting 256 or 384.\n");
            return -1;
        }
    } else {
        printf("Unknown algorithm: %s\n", algorithm);
        return -1;
    }

    if (key) {
        hsm_key_info_t *key_info;

        key_info = hsm_get_key_info(NULL, key);
        printf("Key generation successful: %s\n",
            key_info ? key_info->id : "NULL");
        hsm_key_info_free(key_info);
        if (verbose) hsm_print_key(key);
        hsm_key_free(key);
    } else {
        printf("Key generation failed.\n");
        return -1;
    }

    return 0;
}
Пример #8
0
int
hsm_test (const char *repository)
{
    int result;
    const unsigned int rsa_keysizes[] = { 512, 768, 1024, 1536, 2048, 4096 };
    const unsigned int dsa_keysizes[] = { 512, 768, 1024 };
    unsigned int keysize;

    hsm_ctx_t *ctx = NULL;
    hsm_key_t *key = NULL;
    char *id;
    int errors = 0;
    unsigned int i = 0;

    /* Check for repository before starting any tests */
    if (hsm_token_attached(ctx, repository) == 0) {
        hsm_print_error(ctx);
        return 1;
    }

    /*
     * Test key generation, signing and deletion for a number of key size
     */
    for (i=0; i<(sizeof(rsa_keysizes)/sizeof(unsigned int)); i++) {
        keysize = rsa_keysizes[i];

        printf("Generating %d-bit RSA key... ", keysize);
        key = hsm_generate_rsa_key(ctx, repository, keysize);
        if (!key) {
            errors++;
            printf("Failed\n");
            hsm_print_error(ctx);
            printf("\n");
            continue;
        } else {
            printf("OK\n");
        }

        printf("Extracting key identifier... ");
        id = hsm_get_key_id(ctx, key);
        if (!id) {
            errors++;
            printf("Failed\n");
            hsm_print_error(ctx);
            printf("\n");
        } else {
            printf("OK, %s\n", id);
        }
        free(id);

        printf("Signing (RSA/SHA1) with key... ");
        result = hsm_test_sign(ctx, key, LDNS_RSASHA1);
        if (result) {
            errors++;
            printf("Failed, error: %d\n", result);
            hsm_print_error(ctx);
        } else {
            printf("OK\n");
        }

        printf("Signing (RSA/SHA256) with key... ");
        result = hsm_test_sign(ctx, key, LDNS_RSASHA256);
        if (result) {
            errors++;
            printf("Failed, error: %d\n", result);
            hsm_print_error(ctx);
        } else {
            printf("OK\n");
        }

        if ( keysize >= 1024) {
            printf("Signing (RSA/SHA512) with key... ");
            result = hsm_test_sign(ctx, key, LDNS_RSASHA512);
            if (result) {
                errors++;
                printf("Failed, error: %d\n", result);
                hsm_print_error(ctx);
            } else {
                printf("OK\n");
            }
        }

        printf("Deleting key... ");
        result = hsm_remove_key(ctx, key);
        if (result) {
            errors++;
            printf("Failed: error: %d\n", result);
            hsm_print_error(ctx);
        } else {
            printf("OK\n");
        }

        free(key);

        printf("\n");
    }

    /*
     * Test key generation, signing and deletion for a number of key size
     */
    for (i=0; i<(sizeof(dsa_keysizes)/sizeof(unsigned int)); i++) {
        keysize = dsa_keysizes[i];

        printf("Generating %d-bit DSA key... ", keysize);
        key = hsm_generate_dsa_key(ctx, repository, keysize);
        if (!key) {
            errors++;
            printf("Failed\n");
            hsm_print_error(ctx);
            printf("\n");
            continue;
        } else {
            printf("OK\n");
        }

        printf("Extracting key identifier... ");
        id = hsm_get_key_id(ctx, key);
        if (!id) {
            errors++;
            printf("Failed\n");
            hsm_print_error(ctx);
            printf("\n");
        } else {
            printf("OK, %s\n", id);
        }
        free(id);

        printf("Signing (DSA/SHA1) with key... ");
        result = hsm_test_sign(ctx, key, LDNS_DSA);
        if (result) {
            errors++;
            printf("Failed, error: %d\n", result);
            hsm_print_error(ctx);
        } else {
            printf("OK\n");
        }

        printf("Deleting key... ");
        result = hsm_remove_key(ctx, key);
        if (result) {
            errors++;
            printf("Failed: error: %d\n", result);
            hsm_print_error(ctx);
        } else {
            printf("OK\n");
        }

        free(key);

        printf("\n");
    }

    /*
     * Test key generation, signing and deletion for a number of key size
     */
    for (i=0; i<1; i++) {
        printf("Generating 512-bit GOST key... ");
        key = hsm_generate_gost_key(ctx, repository);
        if (!key) {
            errors++;
            printf("Failed\n");
            hsm_print_error(ctx);
            printf("\n");
            continue;
        } else {
            printf("OK\n");
        }

        printf("Extracting key identifier... ");
        id = hsm_get_key_id(ctx, key);
        if (!id) {
            errors++;
            printf("Failed\n");
            hsm_print_error(ctx);
            printf("\n");
        } else {
            printf("OK, %s\n", id);
        }
        free(id);

        printf("Signing (GOST) with key... ");
        result = hsm_test_sign(ctx, key, LDNS_ECC_GOST);
        if (result) {
            errors++;
            printf("Failed, error: %d\n", result);
            hsm_print_error(ctx);
        } else {
            printf("OK\n");
        }

        printf("Deleting key... ");
        result = hsm_remove_key(ctx, key);
        if (result) {
            errors++;
            printf("Failed: error: %d\n", result);
            hsm_print_error(ctx);
        } else {
            printf("OK\n");
        }

        free(key);

        printf("\n");
    }

    if (hsm_test_random()) {
        errors++;
    }

    return errors;
}