int
cmd_remove (int argc, char *argv[])
{
char *id;
int result;
hsm_key_t *key = NULL;
if (argc != 1) {
usage();
return -1;
}
id = strdup(argv[0]);
key = hsm_find_key_by_id(NULL, id);
if (!key) {
printf("Key not found: %s\n", id);
return -1;
}
result = hsm_remove_key(NULL, key);
if (!result) {
printf("Key remove successful.\n");
} else {
printf("Key remove failed.\n");
}
hsm_key_free(key);
return result;
}
int
main (int argc, char *argv[])
{
int result;
hsm_ctx_t *ctx;
hsm_key_t **keys;
hsm_key_t *key = NULL;
char *id;
size_t key_count = 0;
size_t i;
ldns_rr_list *rrset;
ldns_rr *rr, *sig, *dnskey_rr;
ldns_status status;
hsm_sign_params_t *sign_params;
int do_generate = 0;
int do_sign = 0;
int do_delete = 0;
int do_random = 0;
int res;
uint32_t r32;
uint64_t r64;
char *config = NULL;
const char *repository = "default";
int ch;
progname = argv[0];
while ((ch = getopt(argc, argv, "hgsdrc:")) != -1) {
switch (ch) {
case 'c':
config = strdup(optarg);
break;
case 'g':
do_generate = 1;
break;
case 'h':
usage();
exit(0);
break;
case 's':
do_sign = 1;
break;
case 'd':
do_delete = 1;
break;
case 'r':
do_random = 1;
break;
default:
usage();
exit(1);
}
}
if (!config) {
usage();
exit(1);
}
/*
* Open HSM library
*/
fprintf(stdout, "Starting HSM lib test\n");
result = hsm_open(config, hsm_prompt_pin);
fprintf(stdout, "hsm_open result: %d\n", result);
/*
* Create HSM context
*/
ctx = hsm_create_context();
printf("global: ");
hsm_print_ctx(NULL);
printf("my: ");
hsm_print_ctx(ctx);
/*
* Generate a new key OR find any key with an ID
*/
if (do_generate) {
key = hsm_generate_rsa_key(ctx, repository, 1024);
if (key) {
printf("\nCreated key!\n");
hsm_print_key(key);
printf("\n");
} else {
printf("Error creating key, bad token name?\n");
hsm_print_error(ctx);
exit(1);
}
} else if (do_sign || do_delete) {
keys = hsm_list_keys(ctx, &key_count);
printf("I have found %u keys\n", (unsigned int) key_count);
/* let's just use the very first key we find and throw away the rest */
for (i = 0; i < key_count && !key; i++) {
printf("\nFound key!\n");
hsm_print_key(keys[i]);
id = hsm_get_key_id(ctx, keys[i]);
if (id) {
printf("Using key ID: %s\n", id);
if (key) hsm_key_free(key);
key = hsm_find_key_by_id(ctx, id);
printf("ptr: 0x%p\n", (void *) key);
free(id);
} else {
printf("Got no key ID (broken key?), skipped...\n");
}
hsm_key_free(keys[i]);
}
free(keys);
if (!key) {
printf("Failed to find useful key\n");
exit(1);
}
}
/*
* Do some signing
*/
if (do_sign) {
printf("\nSigning with:\n");
hsm_print_key(key);
printf("\n");
rrset = ldns_rr_list_new();
status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 123.123.123.123", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 124.124.124.124", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
sign_params = hsm_sign_params_new();
sign_params->algorithm = LDNS_RSASHA1;
sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, "opendnssec.se.");
dnskey_rr = hsm_get_dnskey(ctx, key, sign_params);
sign_params->keytag = ldns_calc_keytag(dnskey_rr);
sig = hsm_sign_rrset(ctx, rrset, key, sign_params);
if (sig) {
ldns_rr_list_print(stdout, rrset);
ldns_rr_print(stdout, sig);
ldns_rr_print(stdout, dnskey_rr);
ldns_rr_free(sig);
} else {
hsm_print_error(ctx);
exit(-1);
}
/* cleanup */
ldns_rr_list_deep_free(rrset);
hsm_sign_params_free(sign_params);
ldns_rr_free(dnskey_rr);
}
/*
* Delete key
*/
if (do_delete) {
printf("\nDelete key:\n");
hsm_print_key(key);
/* res = hsm_remove_key(ctx, key); */
res = hsm_remove_key(ctx, key);
printf("Deleted key. Result: %d\n", res);
printf("\n");
}
if (key) hsm_key_free(key);
/*
* Test random{32,64} functions
*/
if (do_random) {
r32 = hsm_random32(ctx);
printf("random 32: %u\n", r32);
r64 = hsm_random64(ctx);
printf("random 64: %llu\n", (long long unsigned int)r64);
}
/*
* Destroy HSM context
*/
if (ctx) {
hsm_destroy_context(ctx);
}
/*
* Close HSM library
*/
result = hsm_close();
fprintf(stdout, "all done! hsm_close result: %d\n", result);
if (config) free(config);
return 0;
}
int
cmd_purge (int argc, char *argv[])
{
int result;
int final_result = 0;
char *fresult;
size_t i;
char *repository = NULL;
char confirm[16];
size_t key_count = 0;
hsm_key_t **keys;
hsm_ctx_t *ctx = NULL;
if (argc != 1) {
usage();
return -1;
}
repository = strdup(argv[0]);
argc--;
argv++;
/* Check for repository before starting using it */
if (hsm_token_attached(ctx, repository) == 0) {
hsm_print_error(ctx);
return 1;
}
printf("Purging all keys from repository: %s\n", repository);
keys = hsm_list_keys_repository(NULL, &key_count, repository);
printf("%u %s found.\n\n", (unsigned int) key_count,
(key_count > 1 || key_count == 0 ? "keys" : "key"));
if (!keys) {
return -1;
}
if (key_count == 0) {
return -1;
}
printf("Are you sure you want to remove ALL keys from repository %s ? (YES/NO) ", repository);
fresult = fgets(confirm, sizeof(confirm) - 1, stdin);
if (fresult == NULL || strncasecmp(confirm, "yes", 3) != 0) {
printf("\nPurge cancelled.\n");
hsm_key_list_free(keys, key_count);
return -1;
} else {
printf("\nStarting purge...\n");
}
for (i = 0; i < key_count; i++) {
hsm_key_info_t *key_info;
hsm_key_t *key = keys[i];
key_info = hsm_get_key_info(NULL, key);
result = hsm_remove_key(NULL, key);
if (!result) {
printf("Key remove successful: %s\n",
key_info ? key_info->id : "NULL");
} else {
printf("Key remove failed: %s\n",
key_info ? key_info->id : "NULL");
final_result++;
}
hsm_key_info_free(key_info);
}
hsm_key_list_free(keys, key_count);
printf("Purge done.\n");
return final_result;
}
int
main (int argc, char *argv[])
{
int result;
hsm_ctx_t *ctx = NULL;
hsm_key_t *key = NULL;
unsigned int keysize = 1024;
unsigned int iterations = 1;
unsigned int threads = 1;
static struct timeval start,end;
char *config = NULL;
const char *repository = NULL;
sign_arg_t sign_arg_array[PTHREAD_THREADS_MAX];
pthread_t thread_array[PTHREAD_THREADS_MAX];
pthread_attr_t thread_attr;
void *thread_status;
int ch;
unsigned int n;
double elapsed, speed;
progname = argv[0];
while ((ch = getopt(argc, argv, "c:i:r:s:t:")) != -1) {
switch (ch) {
case 'c':
config = strdup(optarg);
break;
case 'i':
iterations = atoi(optarg);
break;
case 'r':
repository = strdup(optarg);
break;
case 's':
keysize = atoi(optarg);
break;
case 't':
threads = atoi(optarg);
break;
default:
usage();
exit(1);
}
}
if (!repository) {
usage();
exit(1);
}
#if 0
if (!config) {
usage();
exit(1);
}
#endif
/* Open HSM library */
fprintf(stderr, "Opening HSM Library...\n");
result = hsm_open(config, hsm_prompt_pin, NULL);
if (result) {
fprintf(stderr, "hsm_open() returned %d\n", result);
exit(-1);
}
/* Create HSM context */
ctx = hsm_create_context();
if (! ctx) {
fprintf(stderr, "hsm_create_context() returned error\n");
exit(-1);
}
/* Generate a temporary key */
fprintf(stderr, "Generating temporary key...\n");
key = hsm_generate_rsa_key(ctx, repository, keysize);
if (key) {
char *id = hsm_get_key_id(ctx, key);
fprintf(stderr, "Temporary key created: %s\n", id);
free(id);
} else {
fprintf(stderr, "Could not generate a key pair in repository \"%s\"\n", repository);
exit(-1);
}
/* Prepare threads */
pthread_attr_init(&thread_attr);
pthread_attr_setdetachstate(&thread_attr, PTHREAD_CREATE_JOINABLE);
for (n=0; n<threads; n++) {
sign_arg_array[n].id = n;
sign_arg_array[n].ctx = hsm_create_context();
if (! sign_arg_array[n].ctx) {
fprintf(stderr, "hsm_create_context() returned error\n");
exit(-1);
}
sign_arg_array[n].key = key;
sign_arg_array[n].iterations = iterations;
}
fprintf(stderr, "Signing %d RRsets with %s using %d %s...\n",
iterations, algoname, threads, (threads > 1 ? "threads" : "thread"));
gettimeofday(&start, NULL);
/* Create threads for signing */
for (n=0; n<threads; n++) {
result = pthread_create(&thread_array[n], &thread_attr,
sign, (void *) &sign_arg_array[n]);
if (result) {
fprintf(stderr, "pthread_create() returned %d\n", result);
exit(EXIT_FAILURE);
}
}
/* Wait for threads to finish */
for (n=0; n<threads; n++) {
result = pthread_join(thread_array[n], &thread_status);
if (result) {
fprintf(stderr, "pthread_join() returned %d\n", result);
exit(EXIT_FAILURE);
}
}
gettimeofday(&end, NULL);
fprintf(stderr, "Signing done.\n");
/* Report results */
end.tv_sec -= start.tv_sec;
end.tv_usec-= start.tv_usec;
elapsed =(double)(end.tv_sec)+(double)(end.tv_usec)*.000001;
speed = iterations / elapsed * threads;
printf("%d %s, %d signatures per thread, %.2f sig/s (RSA %d bits)\n",
threads, (threads > 1 ? "threads" : "thread"), iterations,
speed, keysize);
/* Delete temporary key */
fprintf(stderr, "Deleting temporary key...\n");
result = hsm_remove_key(ctx, key);
if (result) {
fprintf(stderr, "hsm_remove_key() returned %d\n", result);
exit(-1);
}
/* Clean up */
hsm_destroy_context(ctx);
(void) hsm_close();
if (config) free(config);
return 0;
}
int
hsm_test (const char *repository)
{
int result;
const unsigned int rsa_keysizes[] = { 512, 768, 1024, 1536, 2048, 4096 };
const unsigned int dsa_keysizes[] = { 512, 768, 1024 };
unsigned int keysize;
hsm_ctx_t *ctx = NULL;
hsm_key_t *key = NULL;
char *id;
int errors = 0;
unsigned int i = 0;
/* Check for repository before starting any tests */
if (hsm_token_attached(ctx, repository) == 0) {
hsm_print_error(ctx);
return 1;
}
/*
* Test key generation, signing and deletion for a number of key size
*/
for (i=0; i<(sizeof(rsa_keysizes)/sizeof(unsigned int)); i++) {
keysize = rsa_keysizes[i];
printf("Generating %d-bit RSA key... ", keysize);
key = hsm_generate_rsa_key(ctx, repository, keysize);
if (!key) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
continue;
} else {
printf("OK\n");
}
printf("Extracting key identifier... ");
id = hsm_get_key_id(ctx, key);
if (!id) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
} else {
printf("OK, %s\n", id);
}
free(id);
printf("Signing (RSA/SHA1) with key... ");
result = hsm_test_sign(ctx, key, LDNS_RSASHA1);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
printf("Signing (RSA/SHA256) with key... ");
result = hsm_test_sign(ctx, key, LDNS_RSASHA256);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
if ( keysize >= 1024) {
printf("Signing (RSA/SHA512) with key... ");
result = hsm_test_sign(ctx, key, LDNS_RSASHA512);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
}
printf("Deleting key... ");
result = hsm_remove_key(ctx, key);
if (result) {
errors++;
printf("Failed: error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
free(key);
printf("\n");
}
/*
* Test key generation, signing and deletion for a number of key size
*/
for (i=0; i<(sizeof(dsa_keysizes)/sizeof(unsigned int)); i++) {
keysize = dsa_keysizes[i];
printf("Generating %d-bit DSA key... ", keysize);
key = hsm_generate_dsa_key(ctx, repository, keysize);
if (!key) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
continue;
} else {
printf("OK\n");
}
printf("Extracting key identifier... ");
id = hsm_get_key_id(ctx, key);
if (!id) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
} else {
printf("OK, %s\n", id);
}
free(id);
printf("Signing (DSA/SHA1) with key... ");
result = hsm_test_sign(ctx, key, LDNS_DSA);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
printf("Deleting key... ");
result = hsm_remove_key(ctx, key);
if (result) {
errors++;
printf("Failed: error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
free(key);
printf("\n");
}
/*
* Test key generation, signing and deletion for a number of key size
*/
for (i=0; i<1; i++) {
printf("Generating 512-bit GOST key... ");
key = hsm_generate_gost_key(ctx, repository);
if (!key) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
continue;
} else {
printf("OK\n");
}
printf("Extracting key identifier... ");
id = hsm_get_key_id(ctx, key);
if (!id) {
errors++;
printf("Failed\n");
hsm_print_error(ctx);
printf("\n");
} else {
printf("OK, %s\n", id);
}
free(id);
printf("Signing (GOST) with key... ");
result = hsm_test_sign(ctx, key, LDNS_ECC_GOST);
if (result) {
errors++;
printf("Failed, error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
printf("Deleting key... ");
result = hsm_remove_key(ctx, key);
if (result) {
errors++;
printf("Failed: error: %d\n", result);
hsm_print_error(ctx);
} else {
printf("OK\n");
}
free(key);
printf("\n");
}
if (hsm_test_random()) {
errors++;
}
return errors;
}