dns cert support
Peter Palfrader
gnupg-users=gnupg.org at lists.palfrader.org
Wed Apr 5 10:02:28 CEST 2006
On Tue, 04 Apr 2006, David Shaw wrote:
> > Also, is there a tool that produces a snippet which is ready for
> > inclusion into a zone file anywhere? Something similar to ssh-keygen
> > for SSHFP RRs:
> > weasel at galaxy:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key -g
> > galaxy IN TYPE44 \# 22 01 01 40cc5559546421d15fe9c1064713636a02373ad2
> > weasel at galaxy:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key
> > galaxy IN SSHFP 1 1 40cc5559546421d15fe9c1064713636a02373ad2
>
> Good idea. I just checked one in to the GnuPG SVN.
It seems make-dns-cert counts whitespace as part of the fingerprint when it
computes the length field of the IPGP data.
For instance:
| weasel at galaxy:~/local/src/gnupg/gnupg14/tools$ ./make-dns-cert -f '5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F' -n foo
| foo TYPE37 \# 31 0006 0000 00 19 5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F
^^
| weasel at galaxy:~/local/src/gnupg/gnupg14/tools$ ./make-dns-cert -f '5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E94C09C7F' -n foo
| foo TYPE37 \# 30 0006 0000 00 18 5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E94C09C7F
^^
It should simply skip whitespace when counting the fingerprint length; the expected output is:
| ./make-dns-cert -f '5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E94C09C7F' -n foo
| foo TYPE37 \# 26 0006 0000 00 14 5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E94C09C7F
This should fix it:
Index: make-dns-cert.c
===================================================================
--- make-dns-cert.c (revision 4091)
+++ make-dns-cert.c (working copy)
@@ -24,6 +24,7 @@
#ifdef HAVE_GETOPT_H
#include <getopt.h>
#endif
+#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -97,7 +98,20 @@
if(fpr)
{
- fprlen=strlen(fpr);
+ const char *tmp = fpr;
+ while (*tmp)
+ {
+ if (isxdigit(*tmp))
+ {
+ fprlen++;
+ }
+ else if (!isspace(*tmp))
+ {
+ printf("Fingerprint must consist of only hex digits (and whitespace)\n");
+ return 1;
+ }
+ tmp++;
+ }
if(fprlen%2)
{
printf("Fingerprint must be an even number of characters\n");
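Review bot: The new loop passes a plain `char` to `isxdigit()` and `isspace()` (the two tests after `while (*tmp)`); where `char` is signed, any byte above 0x7F in the `-f` argument — a UTF-8 non-breaking space pasted from a web page is the realistic case — becomes a negative value, and the ctype functions are undefined for anything outside `EOF` and the `unsigned char` range. Cast first: `if (isxdigit((unsigned char)*tmp))` and `else if (!isspace((unsigned char)*tmp))`. The rewrite also removes the only assignment to `fprlen` and now accumulates with `fprlen++`, so it relies on `fprlen` being initialised to 0 at its declaration, which is outside this hunk and worth confirming. The enclosing function continues past the end of the hunk.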
And a second patch, on top of this one, that sends error messages (and the usage text, when the tool is invoked without arguments) to stderr instead of stdout:
--- make-dns-cert.c.orig 2006-04-05 09:57:48.725050937 +0200
+++ make-dns-cert.c 2006-04-05 10:00:23.675749478 +0200
@@ -45,20 +45,20 @@
fd=open(keyfile,O_RDONLY);
if(fd==-1)
{
- printf("Cannot open key file %s: %s\n",keyfile,strerror(errno));
+ fprintf(stderr, "Cannot open key file %s: %s\n",keyfile,strerror(errno));
return 1;
}
err=fstat(fd,&statbuf);
if(err==-1)
{
- printf("Unable to stat key file %s: %s\n",keyfile,strerror(errno));
+ fprintf(stderr, "Unable to stat key file %s: %s\n",keyfile,strerror(errno));
goto fail;
}
if(statbuf.st_size>32768)
{
- printf("Key %s too large for CERT encoding\n",keyfile);
+ fprintf(stderr, "Key %s too large for CERT encoding\n",keyfile);
goto fail;
}
@@ -73,7 +73,7 @@
err=read(fd,buffer,1024);
if(err==-1)
{
- printf("Unable to read key file %s: %s\n",keyfile,strerror(errno));
+ fprintf(stderr, "Unable to read key file %s: %s\n",keyfile,strerror(errno));
goto fail;
}
@@ -107,14 +107,14 @@
}
else if (!isspace(*tmp))
{
- printf("Fingerprint must consist of only hex digits (and whitespace)\n");
+ fprintf(stderr, "Fingerprint must consist of only hex digits (and whitespace)\n");
return 1;
}
tmp++;
}
if(fprlen%2)
{
- printf("Fingerprint must be an even number of characters\n");
+ fprintf(stderr, "Fingerprint must be an even number of characters\n");
return 1;
}
@@ -127,7 +127,7 @@
if(!fpr && !url)
{
- printf("Cannot generate a CERT without either a fingerprint or URL\n");
+ fprintf(stderr, "Cannot generate a CERT without either a fingerprint or URL\n");
return 1;
}
@@ -150,13 +150,13 @@
}
static void
-usage(void)
+usage(FILE *f)
{
- printf("make-dns-cert\n");
- printf("\t-f\tfingerprint\n");
- printf("\t-u\tURL\n");
- printf("\t-k\tkey file\n");
- printf("\t-n\tDNS name\n");
+ fprintf(f, "make-dns-cert\n");
+ fprintf(f, "\t-f\tfingerprint\n");
+ fprintf(f, "\t-u\tURL\n");
+ fprintf(f, "\t-k\tkey file\n");
+ fprintf(f, "\t-n\tDNS name\n");
}
int
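Review bot: The new `FILE *` parameter changes what `usage()` is for — it is now called with either stream — but nothing at the definition says which callers should pass which, so the next person adding a call has to read `main()` to find out. A one-line comment above the definition would settle it: `/* Print the option summary to F: stdout for an explicit --help/-h, stderr when the tool was invoked incorrectly. */` — that split is inferred from the later hunks of this patch, so adjust the wording if the intent differs. The summary also omits `--help` and `--version`, which the argument handling in this file accepts; adding `\t--help\tthis text\n` and `\t--version\n` lines would make it complete.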
@@ -167,7 +167,7 @@
if(argc==1)
{
- usage();
+ usage(stderr);
return 0;
}
else if(argc>1 && strcmp(argv[1],"--version")==0)
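Review bot: With no arguments the patched code now prints usage to stderr but still exits with status 0 (`usage(stderr);` followed by `return 0;`), so a zone-generation script that checks the exit status sees a successful run for a usage error — the opposite of what routing the text to stderr signals. Change it to `return 1;`, matching the other argument errors in this file that `return 1` after an `fprintf(stderr, ...)`. The enclosing `main` starts before this hunk.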
@@ -177,7 +177,7 @@
}
else if(argc>1 && strcmp(argv[1],"--help")==0)
{
- usage();
+ usage(stdout);
return 0;
}
@@ -186,7 +186,7 @@
{
default:
case 'h':
- usage();
+ usage(stdout);
exit(0);
case 'f':
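Review bot: The `default:` label falls through into `case 'h':`, so an unrecognised option now prints the usage text to stdout and exits 0 exactly like `-h`; a mistyped flag (for which getopt will typically already have complained on stderr) looks like a successful run to any caller checking the exit status. Give the error path its own branch: `default: usage(stderr); exit(1);` before `case 'h': usage(stdout); exit(0);`. The `switch` and the surrounding option loop start before this hunk.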
@@ -208,14 +208,14 @@
if(!name)
{
- printf("No name provided\n");
+ fprintf(stderr, "No name provided\n");
return 1;
}
if(keyfile && (fpr || url))
{
- printf("Cannot generate a CERT record with both a keyfile and"
- " a fingerprint or URL\n");
+ fprintf(stderr, "Cannot generate a CERT record with both a"
+ " keyfile and a fingerprint or URL\n");
return 1;
}