dns cert support

Peter Palfrader gnupg-users=gnupg.org at lists.palfrader.org
Wed Apr 5 10:02:28 CEST 2006


On Tue, 04 Apr 2006, David Shaw wrote:

> > Also, is there a tool that produces a snippet which is ready for
> > inclusion into a zone file anywhere?  Something similar to ssh-keygen
> > for SSHFP RRs:
> >   weasel at galaxy:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key -g
> >   galaxy IN TYPE44 \# 22 01 01 40cc5559546421d15fe9c1064713636a02373ad2
> >   weasel at galaxy:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key
> >   galaxy IN SSHFP 1 1 40cc5559546421d15fe9c1064713636a02373ad2
> 
> Good idea.  I just checked one in to the GnuPG SVN.

It seems it considers whitespace part of the fpr when creating IPGP
data.

For instance:
| weasel at galaxy:~/local/src/gnupg/gnupg14/tools$ ./make-dns-cert -f '5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E 94C0 9C7F' -n foo
| foo     TYPE37  \# 31 0006 0000 00 19 5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E 94C0 9C7F
                                     ^^
| weasel at galaxy:~/local/src/gnupg/gnupg14/tools$ ./make-dns-cert -f '5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E94C09C7F' -n foo 
| foo     TYPE37  \# 30 0006 0000 00 18 5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E94C09C7F
                                     ^^

It should just ignore whitespace when counting fingerprint length.
| ./make-dns-cert -f '5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E94C09C7F' -n foo
| foo     TYPE37  \# 26 0006 0000 00 14 5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E94C09C7F

This should fix it:

Index: make-dns-cert.c
===================================================================
--- make-dns-cert.c	(revision 4091)
+++ make-dns-cert.c	(working copy)
@@ -24,6 +24,7 @@
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
+#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -97,7 +98,20 @@
 
   if(fpr)
     {
-      fprlen=strlen(fpr);
+      const char *tmp = fpr;
+      while (*tmp)
+	{
+	  if (isxdigit(*tmp))
+	    {
+	      fprlen++;
+	    }
+	  else if (!isspace(*tmp))
+	    {
+	      printf("Fingerprint must consist of only hex digits (and whitespace)\n");
+	      return 1;
+	    }
+	  tmp++;
+	}
       if(fprlen%2)
 	{
 	  printf("Fingerprint must be an even number of characters\n");
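Review bot: `isxdigit(*tmp)` and `isspace(*tmp)` are given a plain `char`; where `char` is signed, any byte above 0x7F in the -f argument arrives as a negative value other than EOF, which is undefined behaviour for the ctype.h functions. Cast first: `if (isxdigit((unsigned char)*tmp))` and `else if (!isspace((unsigned char)*tmp))`. The same two calls appear, unchanged, in the second patch's hunk at `@@ -107,14 +107,14 @@`. The loop also relies on fprlen having been set to zero at its declaration, which is outside this hunk — the removed `fprlen=strlen(fpr)` was the only assignment visible here, so confirm the declaration carries `=0`. The enclosing function begins and ends outside the hunk.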




And a second patch that uses stderr for errors on top of this one:

--- make-dns-cert.c.orig	2006-04-05 09:57:48.725050937 +0200
+++ make-dns-cert.c	2006-04-05 10:00:23.675749478 +0200
@@ -45,20 +45,20 @@
   fd=open(keyfile,O_RDONLY);
   if(fd==-1)
     {
-      printf("Cannot open key file %s: %s\n",keyfile,strerror(errno));
+      fprintf(stderr, "Cannot open key file %s: %s\n",keyfile,strerror(errno));
       return 1;
     }
 
   err=fstat(fd,&statbuf);
   if(err==-1)
     {
-      printf("Unable to stat key file %s: %s\n",keyfile,strerror(errno));
+      fprintf(stderr, "Unable to stat key file %s: %s\n",keyfile,strerror(errno));
       goto fail;
     }
 
   if(statbuf.st_size>32768)
     {
-      printf("Key %s too large for CERT encoding\n",keyfile);
+      fprintf(stderr, "Key %s too large for CERT encoding\n",keyfile);
       goto fail;
     }
 
@@ -73,7 +73,7 @@
       err=read(fd,buffer,1024);
       if(err==-1)
 	{
-	  printf("Unable to read key file %s: %s\n",keyfile,strerror(errno));
+	  fprintf(stderr, "Unable to read key file %s: %s\n",keyfile,strerror(errno));
 	  goto fail;
 	}
 
@@ -107,14 +107,14 @@
 	    }
 	  else if (!isspace(*tmp))
 	    {
-	      printf("Fingerprint must consist of only hex digits (and whitespace)\n");
+	      fprintf(stderr, "Fingerprint must consist of only hex digits (and whitespace)\n");
 	      return 1;
 	    }
 	  tmp++;
 	}
       if(fprlen%2)
 	{
-	  printf("Fingerprint must be an even number of characters\n");
+	  fprintf(stderr, "Fingerprint must be an even number of characters\n");
 	  return 1;
 	}
 
@@ -127,7 +127,7 @@
 
   if(!fpr && !url)
     {
-      printf("Cannot generate a CERT without either a fingerprint or URL\n");
+      fprintf(stderr, "Cannot generate a CERT without either a fingerprint or URL\n");
       return 1;
     }
 
@@ -150,13 +150,13 @@
 }
 
 static void
-usage(void)
+usage(FILE *f)
 {
-  printf("make-dns-cert\n");
-  printf("\t-f\tfingerprint\n");
-  printf("\t-u\tURL\n");
-  printf("\t-k\tkey file\n");
-  printf("\t-n\tDNS name\n");
+  fprintf(f, "make-dns-cert\n");
+  fprintf(f, "\t-f\tfingerprint\n");
+  fprintf(f, "\t-u\tURL\n");
+  fprintf(f, "\t-k\tkey file\n");
+  fprintf(f, "\t-n\tDNS name\n");
 }
 
 int
@@ -167,7 +167,7 @@
 
   if(argc==1)
     {
-      usage();
+      usage(stderr);
       return 0;
     }
   else if(argc>1 && strcmp(argv[1],"--version")==0)
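Review bot: Running the tool with no arguments now writes the usage text to stderr but still returns 0, so a caller cannot distinguish this failure from a successful --help; if stderr is the right stream here, the exit status should agree, `return 1;`. The --help path in the following hunk keeps stdout and status 0, which is consistent with that split. main begins before this hunk and ends after it.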
@@ -177,7 +177,7 @@
     }
   else if(argc>1 && strcmp(argv[1],"--help")==0)
     {
-      usage();
+      usage(stdout);
       return 0;
     }
 
@@ -186,7 +186,7 @@
       {
       default:
       case 'h':
-	usage();
+	usage(stdout);
 	exit(0);
 
       case 'f':
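Review bot: The `default:` label (unknown option) falls through into `case 'h':` and so prints usage to stdout and exits 0, contradicting the stderr-for-errors convention this patch introduces. Give the unknown-option case its own arm, `default: usage(stderr); exit(1);` ahead of `case 'h':`, and leave `usage(stdout); exit(0);` for -h. The switch and main continue outside this hunk.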
@@ -208,14 +208,14 @@
 
   if(!name)
     {
-      printf("No name provided\n");
+      fprintf(stderr, "No name provided\n");
       return 1;
     }
 
   if(keyfile && (fpr || url))
     {
-      printf("Cannot generate a CERT record with both a keyfile and"
-	     " a fingerprint or URL\n");
+      fprintf(stderr, "Cannot generate a CERT record with both a"
+	              " keyfile and a fingerprint or URL\n");
       return 1;
     }
 


