Class | Dnsruby::RR::DNSKEY |
In: |
lib/Dnsruby/resource/DNSKEY.rb
|
Parent: | RR |
RFC4034, section 2: DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets). The public keys are stored in DNSKEY resource records and are used in the DNSSEC authentication process described in [RFC4035]: a zone signs its authoritative RRsets by using a private key and stores the corresponding public key in a DNSKEY RR. A resolver can then use the public key to validate signatures covering the RRsets in the zone, and thus to authenticate them.
TypeValue | = | Types::DNSKEY #:nodoc: all | ||
REVOKED_KEY | = | 0x80 | Key is revoked | |
ZONE_KEY | = | 0x100 | Key is a zone key | |
SEP_KEY | = | 0x1 | Key is a secure entry point key |
algorithm | [R] | The algorithm used for this key See Dnsruby::Algorithms for permitted values |
flags | [R] | The flags for the DNSKEY RR |
key | [R] | The public key |
protocol | [R] | The protocol for this DNSKEY RR. MUST be 3. |
# File lib/Dnsruby/resource/DNSKEY.rb, line 65
# Set the algorithm for this key.
#
# +a+ is handed to Algorithms.new; a one-character String is first
# converted with to_i (so a single digit is treated as the numeric
# algorithm code). Any other String is passed through unchanged.
#
# Raises DecodeError (wrapping the ArgumentError from Algorithms.new)
# when the value is not a recognised algorithm.
def algorithm=(a)
  value = a
  value = value.to_i if value.instance_of?(String) && value.length == 1
  begin
    @algorithm = Algorithms.new(value)
  rescue ArgumentError => e
    raise DecodeError.new(e)
  end
end
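# File lib/Dnsruby/resource/DNSKEY.rb, line 303
# Build an OpenSSL::PKey::DSA public key from the DSA key encoding held
# in @key (RFC2536 section 2): one byte T, then Q (20 bytes), followed by
# P, G and Y, each 64 + T*8 bytes long.
#
# Raises DecodeError if @key is empty or shorter than the layout that T
# announces, so truncated key data is rejected instead of being sliced
# into short (or nil) field values.
def dsa_key
  if @key.nil? || @key.empty?
    raise DecodeError.new("DNSKEY: DSA key data is empty")
  end
  # unpack yields the Integer value of the first byte on both Ruby 1.8
  # (where String#[] is an Integer) and Ruby 1.9 (where it is a String)
  t = @key.unpack("C")[0]
  q_len = 20
  pgy_len = t * 8 + 64
  required = 1 + q_len + 3 * pgy_len
  if @key.length < required
    raise DecodeError.new("DNSKEY: DSA key data is #{@key.length} bytes, but T=#{t} " +
                          "requires #{required} bytes (RFC2536 section 2)")
  end

  pos = 1
  q = RR::get_num(@key[pos, q_len])
  pos += q_len
  p = RR::get_num(@key[pos, pgy_len])
  pos += pgy_len
  g = RR::get_num(@key[pos, pgy_len])
  pos += pgy_len
  y = RR::get_num(@key[pos, pgy_len])

  pkey = OpenSSL::PKey::DSA.new
  pkey.p = p
  pkey.q = q
  pkey.g = g
  pkey.pub_key = y
  pkey
end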
# File lib/Dnsruby/resource/DNSKEY.rb, line 115
# Set the flags field.
#
# Only three bits are meaningful here: the Zone Key flag (bit 7), the
# Secure Entry Point flag (bit 15) and the Revoked bit (bit 8, RFC 5011).
# Any other bit set in +f+ is reported through TheLog but the value is
# still stored exactly as given.
def flags=(f)
  allowed = ZONE_KEY | SEP_KEY | REVOKED_KEY
  if (f & ~allowed) > 0
    TheLog.info("DNSKEY: Only zone key, secure entry point and revoked flags allowed for DNSKEY" +
                " (RFC4034 section 2.1.1) : #{f} entered as input")
  end
  @flags = f
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 142
# Populate flags, protocol, algorithm and key from the presentation
# format "<flags> <protocol> <algorithm> <base64 key>".
#
# The key text may be split across several whitespace-separated tokens,
# may be wrapped in "( ... )" (the brackets are skipped), and everything
# from the first ";" onwards is treated as a comment and dropped.
# An empty input leaves the record untouched.
def from_string(input)
  return unless input.length > 0
  data = input.split(" ")
  self.flags = data[0].to_i
  self.protocol = data[1].to_i
  self.algorithm = data[2]

  # Key tokens start after the algorithm; when bracketed, skip the "("
  # and stop before the trailing ")".
  first = 3
  last = data.length - 1
  if data[first] == "("
    first = 4
    last = data.length - 2
  end

  parts = []
  (first..last).each do |i|
    token = data[i]
    comment_at = token.index(";")
    if comment_at
      parts << token[0, comment_at]
      # @TODO@ The comment is discarded here; it is not kept for when the
      # record is written back to string format.
      break
    end
    parts << token
  end
  self.key = parts.join
end
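# File lib/Dnsruby/resource/DNSKEY.rb, line 216
# Compute the key tag (RFC4034 Appendix B) over the wire-format RDATA.
#
# rdata::     the encoded RDATA of the DNSKEY, as a String of bytes
# algorithm:: the key's algorithm. RSA/MD5 (Algorithms.RSAMD5) uses the
#             historical definition (the 16-bit value formed by the
#             third- and second-to-last bytes); every other algorithm
#             uses the 16-bit word sum with the carry folded back in.
#
# Returns an Integer in 0..0xFFFF.
def generate_key_tag(rdata, algorithm)
  # Work on Integer byte values so the same code serves Ruby 1.8 (where
  # String#[] returns an Integer) and Ruby 1.9 (where it returns a String);
  # this also fixes the RSA/MD5 branch, which applied "& 0xFF" to a String.
  bytes = rdata.unpack("C*")
  tag = 0
  if algorithm == Algorithms.RSAMD5
    # The key tag for algorithm 1 (RSA/MD5) is defined differently from the
    # key tag for all other algorithms, for historical reasons.
    d1 = bytes[bytes.length - 3] || 0
    d2 = bytes[bytes.length - 2] || 0
    tag = (d1 << 8) + d2
  else
    # Sum big-endian 16-bit words; an odd trailing byte is the high half
    # of a word whose low half is zero.
    bytes.each_slice(2) do |d1, d2|
      tag += (d1 << 8) + (d2 || 0)
    end
    tag += (tag >> 16) & 0xFFFF
  end
  tag & 0xFFFF
end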
# File lib/Dnsruby/resource/DNSKEY.rb, line 51
# Give a fresh record its defaults: protocol 3 (the only value RFC4034
# allows), the Zone Key flag set, RSA/SHA-1 as the algorithm, and no
# cached public key object.
def init_defaults
  self.protocol = 3
  self.flags = ZONE_KEY
  @algorithm = Algorithms.RSASHA1
  @public_key = nil
end
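# File lib/Dnsruby/resource/DNSKEY.rb, line 257
# Set the public key from its base64 presentation form.
#
# All whitespace in +key_text+ (spaces, newlines, tabs) is ignored, so
# key material wrapped over several lines or tokens is accepted. The
# argument itself is left unmodified, so frozen strings and literals
# shared by the caller are safe to pass in.
def key=(key_text)
  # Non-destructive: the original gsub! mutated the caller's string.
  @key = key_text.gsub(/\s+/, "").unpack("m*")[0]
end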
Return the tag for this key
# File lib/Dnsruby/resource/DNSKEY.rb, line 208
# Return the key tag for this key, computed over the encoded RDATA of
# this record with generate_key_tag.
def key_tag
  encoder = MessageEncoder.new { |msg| encode_rdata(msg) }
  generate_key_tag(encoder.to_s, @algorithm)
end
Return the key tag this key would have had before it was revoked. If the key is not revoked, the current key_tag is returned.
# File lib/Dnsruby/resource/DNSKEY.rb, line 198
# Return the key tag this key had before it was revoked: the tag of a
# copy with the Revoked bit cleared. For a key that is not revoked this
# is simply key_tag.
def key_tag_pre_revoked
  return key_tag unless revoked?
  unrevoked = clone
  unrevoked.revoked = false
  unrevoked.key_tag
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 58
# Set the protocol field. RFC4034 section 2.1.2 requires the value 3;
# anything else raises DecodeError and leaves the field unchanged.
def protocol=(p)
  unless p == 3
    raise DecodeError.new("DNSKEY protocol field set to #{p}, contrary to RFC4034 section 2.1.2")
  end
  @protocol = p
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 264
# Return the OpenSSL public key object for this record, decoding it on
# first use and caching it in @public_key.
#
# RSA/SHA-1 and RSA/SHA-1-NSEC3-SHA1 keys are decoded with rsa_key, DSA
# and DSA-NSEC3-SHA1 keys with dsa_key. For any other algorithm nothing
# is cached and nil is returned.
# @TODO@ Support other key encodings!
def public_key
  return @public_key if @public_key
  if [Algorithms.RSASHA1, Algorithms.RSASHA1_NSEC3_SHA1].include?(@algorithm)
    @public_key = rsa_key
  elsif [Algorithms.DSA, Algorithms.DSA_NSEC3_SHA1].include?(@algorithm)
    @public_key = dsa_key
  end
  @public_key
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 79
# Set or clear the Revoked bit (REVOKED_KEY, RFC 5011) in the flags,
# leaving every other flag bit as it was.
def revoked=(on)
  @flags = on ? (@flags | REVOKED_KEY) : (@flags & ~REVOKED_KEY)
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 87
# True when the Revoked bit (REVOKED_KEY) is set in the flags.
def revoked?
  (@flags & REVOKED_KEY) != 0
end
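# File lib/Dnsruby/resource/DNSKEY.rb, line 278
# Build an OpenSSL::PKey::RSA public key from the RSA key encoding held
# in @key (RFC3110 section 2): an exponent length, the exponent, then the
# modulus in all remaining bytes. The length is one byte, unless that
# byte is zero, in which case the next two bytes hold the length with
# the most significant byte first.
#
# Raises DecodeError if @key is empty or too short to hold the announced
# exponent.
def rsa_key
  if @key.nil? || @key.empty?
    raise DecodeError.new("DNSKEY: RSA key data is empty")
  end
  # Integer values of the first three bytes (nil where the key is shorter);
  # unpack behaves the same on Ruby 1.8 and 1.9, unlike String#[].
  b0, b1, b2 = @key.unpack("C3")
  exponent_length = b0
  pos = 1
  if exponent_length == 0
    # Two-byte length form. The original code used b1 for both halves,
    # which miscomputed every exponent longer than 255 bytes.
    if b1.nil? || b2.nil?
      raise DecodeError.new("DNSKEY: RSA key data truncated inside the exponent length")
    end
    exponent_length = (b1 << 8) + b2
    pos += 2
  end
  if @key.length < pos + exponent_length
    raise DecodeError.new("DNSKEY: RSA key data is #{@key.length} bytes, but the exponent " +
                          "length field requires at least #{pos + exponent_length} (RFC3110 section 2)")
  end
  exponent = RR::get_num(@key[pos, exponent_length])
  pos += exponent_length

  modulus = RR::get_num(@key[pos..-1])

  pkey = OpenSSL::PKey::RSA.new
  pkey.e = exponent
  pkey.n = modulus
  pkey
end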
# File lib/Dnsruby/resource/DNSKEY.rb, line 103
# Set or clear the Secure Entry Point bit (SEP_KEY) in the flags,
# leaving every other flag bit as it was.
def sep_key=(on)
  @flags = on ? (@flags | SEP_KEY) : (@flags & ~SEP_KEY)
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 111
# True when the Secure Entry Point bit (SEP_KEY) is set in the flags.
def sep_key?
  (@flags & SEP_KEY) != 0
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 91
# Set or clear the Zone Key bit (ZONE_KEY) in the flags, leaving every
# other flag bit as it was.
def zone_key=(on)
  @flags = on ? (@flags | ZONE_KEY) : (@flags & ~ZONE_KEY)
end