diff options
Diffstat (limited to '')
-rw-r--r-- | external/unbound/testcode/signit.c | 284 |
1 files changed, 284 insertions, 0 deletions
diff --git a/external/unbound/testcode/signit.c b/external/unbound/testcode/signit.c new file mode 100644 index 000000000..af4e0fe37 --- /dev/null +++ b/external/unbound/testcode/signit.c @@ -0,0 +1,284 @@ +/* + * testcode/signit.c - debug tool to sign rrsets with given keys. + * + * Copyright (c) 2007, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * This program signs rrsets with the given keys. It can be used to + * construct input to test the validator with. + */ +#include "config.h" +#include <ldns/ldns.h> +#include <assert.h> + +#define DNSKEY_BIT_ZSK 0x0100 + +/** + * Key settings + */ +struct keysets { + /** signature inception */ + uint32_t incep; + /** signature expiration */ + uint32_t expi; + /** owner name */ + char* owner; + /** keytag */ + uint16_t keytag; + /** DNSKEY flags */ + uint16_t flags; +}; + +/** print usage and exit */ +static void +usage() +{ + printf("usage: signit expi ince keytag owner keyfile\n"); + printf("present rrset data on stdin.\n"); + printf("signed data is printed to stdout.\n"); + printf("\n"); + printf("Or use: signit NSEC3PARAM hash flags iter salt\n"); + printf("present names on stdin, hashed names are printed to stdout.\n"); + exit(1); +} + +static time_t +convert_timeval(const char* str) +{ + time_t t; + struct tm tm; + memset(&tm, 0, sizeof(tm)); + if(strlen(str) < 14) + return 0; + if(sscanf(str, "%4d%2d%2d%2d%2d%2d", &tm.tm_year, &tm.tm_mon, + &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec) != 6) + return 0; + tm.tm_year -= 1900; + tm.tm_mon--; + /* Check values */ + if (tm.tm_year < 70) return 0; + if (tm.tm_mon < 0 || tm.tm_mon > 11) return 0; + if (tm.tm_mday < 1 || tm.tm_mday > 31) return 0; + if (tm.tm_hour < 0 || tm.tm_hour > 23) return 0; + if (tm.tm_min < 0 || tm.tm_min > 59) return 0; + if (tm.tm_sec < 0 || tm.tm_sec > 59) return 0; + /* call ldns conversion function */ + t = ldns_mktime_from_utc(&tm); + return t; +} + +static void fatal_exit(const char* format, ...) +{ + va_list args; + va_start(args, format); + printf("fatal exit: "); + vprintf(format, args); + va_end(args); + exit(1); +} + +/** read expi ince keytag owner from cmdline */ +static void +parse_cmdline(char *argv[], struct keysets* s) +{ + s->expi = convert_timeval(argv[1]); + s->incep = convert_timeval(argv[2]); + s->keytag = (uint16_t)atoi(argv[3]); + s->owner = argv[4]; + s->flags = DNSKEY_BIT_ZSK; /* to enforce signing */ +} + +/** read all key files, exit on error */ +static ldns_key_list* +read_keys(int num, char* names[], struct keysets* set) +{ + int i; + ldns_key_list* keys = ldns_key_list_new(); + ldns_key* k; + ldns_rdf* rdf; + ldns_status s; + int b; + FILE* in; + + if(!keys) fatal_exit("alloc failure"); + for(i=0; i<num; i++) { + printf("read keyfile %s\n", names[i]); + in = fopen(names[i], "r"); + if(!in) fatal_exit("could not open %s: %s", names[i], + strerror(errno)); + s = ldns_key_new_frm_fp(&k, in); + fclose(in); + if(s != LDNS_STATUS_OK) + fatal_exit("bad keyfile %s: %s", names[i], + ldns_get_errorstr_by_id(s)); + ldns_key_set_expiration(k, set->expi); + ldns_key_set_inception(k, set->incep); + s = ldns_str2rdf_dname(&rdf, set->owner); + if(s != LDNS_STATUS_OK) + fatal_exit("bad owner name %s: %s", set->owner, + ldns_get_errorstr_by_id(s)); + ldns_key_set_pubkey_owner(k, rdf); + ldns_key_set_flags(k, set->flags); + ldns_key_set_keytag(k, set->keytag); + b = ldns_key_list_push_key(keys, k); + assert(b); + } + return keys; +} + +/** read list of rrs from the file */ +static ldns_rr_list* +read_rrs(FILE* in) +{ + uint32_t my_ttl = 3600; + ldns_rdf *my_origin = NULL; + ldns_rdf *my_prev = NULL; + ldns_status s; + int line_nr = 1; + int b; + + ldns_rr_list* list; + ldns_rr *rr; + + list = ldns_rr_list_new(); + if(!list) fatal_exit("alloc error"); + + while(!feof(in)) { + s = ldns_rr_new_frm_fp_l(&rr, in, &my_ttl, &my_origin, + &my_prev, &line_nr); + if(s == LDNS_STATUS_SYNTAX_TTL || + s == LDNS_STATUS_SYNTAX_ORIGIN || + s == LDNS_STATUS_SYNTAX_EMPTY) + continue; + else if(s != LDNS_STATUS_OK) + fatal_exit("parse error in line %d: %s", line_nr, + ldns_get_errorstr_by_id(s)); + b = ldns_rr_list_push_rr(list, rr); + assert(b); + } + printf("read %d lines\n", line_nr); + + return list; +} + +/** sign the rrs with the keys */ +static void +signit(ldns_rr_list* rrs, ldns_key_list* keys) +{ + ldns_rr_list* rrset; + ldns_rr_list* sigs; + + while(ldns_rr_list_rr_count(rrs) > 0) { + rrset = ldns_rr_list_pop_rrset(rrs); + if(!rrset) fatal_exit("copy alloc failure"); + sigs = ldns_sign_public(rrset, keys); + if(!sigs) fatal_exit("failed to sign"); + ldns_rr_list_print(stdout, rrset); + ldns_rr_list_print(stdout, sigs); + printf("\n"); + ldns_rr_list_free(rrset); + ldns_rr_list_free(sigs); + } +} + +/** process keys and signit */ +static void +process_keys(int argc, char* argv[]) +{ + ldns_rr_list* rrs; + ldns_key_list* keys; + struct keysets settings; + assert(argc == 6); + + parse_cmdline(argv, &settings); + keys = read_keys(1, argv+5, &settings); + rrs = read_rrs(stdin); + signit(rrs, keys); + + ldns_rr_list_deep_free(rrs); + ldns_key_list_free(keys); +} + +/** process nsec3 params and perform hashing */ +static void +process_nsec3(int argc, char* argv[]) +{ + char line[10240]; + ldns_rdf* salt; + ldns_rdf* in, *out; + ldns_status status; + status = ldns_str2rdf_nsec3_salt(&salt, argv[5]); + if(status != LDNS_STATUS_OK) + fatal_exit("Could not parse salt %s: %s", argv[5], + ldns_get_errorstr_by_id(status)); + assert(argc == 6); + while(fgets(line, (int)sizeof(line), stdin)) { + if(strlen(line) > 0) + line[strlen(line)-1] = 0; /* remove trailing newline */ + if(line[0]==0) + continue; + status = ldns_str2rdf_dname(&in, line); + if(status != LDNS_STATUS_OK) + fatal_exit("Could not parse name %s: %s", line, + ldns_get_errorstr_by_id(status)); + ldns_rdf_print(stdout, in); + printf(" -> "); + /* arg 3 is flags, unused */ + out = ldns_nsec3_hash_name(in, (uint8_t)atoi(argv[2]), + (uint16_t)atoi(argv[4]), + ldns_rdf_data(salt)[0], ldns_rdf_data(salt)+1); + if(!out) + fatal_exit("Could not hash %s", line); + ldns_rdf_print(stdout, out); + printf("\n"); + ldns_rdf_deep_free(in); + ldns_rdf_deep_free(out); + } + ldns_rdf_deep_free(salt); +} + +/** main program */ +int main(int argc, char* argv[]) +{ + if(argc != 6) { + usage(); + } + if(strcmp(argv[1], "NSEC3PARAM") == 0) { + process_nsec3(argc, argv); + return 0; + } + process_keys(argc, argv); + return 0; +} |