Re: [dns-operations] calculating DNSSEC keytags in sed (was: RE: calculating DNSSEC keytags in awk)

Thu, 16 Apr 2015 07:55:13 -0700 

* Frank [2015-04-16 15:27]:
> I do not want to read it. I want to calculate it.
> In order to save it in my zone file.

See attached keytag.py.

Usage:
> $ python keytag.py DNSKEY  257 3 8 
> AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF 
> FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX 
> bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD 
> X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz 
> W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS 
> Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
> RSA exponent: 65537
> RSA keylength: 2048 bit
> keytag: 19036

Regards,
Matt

#!/usr/bin/env python

import base64
import struct
import sys

def keytag(flags, protocol, algorithm, key):
    # legacy specification for RSA/MD5 in RFC 4034 Appendix B.1
    if algorithm == 1:
        (keytag,) = struct.unpack('>H', key[-3:-1])
        return keytag

    # all RDATA in wire format
    rdata = struct.pack(">HBB", flags, protocol, algorithm)
    rdata += key

    # RFC 4034 Appendix B
    ac = 0
    for i in xrange(0, len(rdata)):
        (ubyte,) = struct.unpack('B', rdata[i])
        ac += ubyte if (i & 1) else ubyte << 8

    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# works only for RSA keys as specified in RFC 3110 Sec. 2
def parsekey(key):
    # read first byte
    (explength,) = struct.unpack('>B', key[0])
    offset = 1
    if explength == 0:
        print >>sys.stderr, "Exponent length is two bytes!"
        # read next two bytes
        (explength,) = struct.unpack('>H', key[1:3])
        offset = 3

    # read binary of variable length as big-endian decimal number
    expbuf = struct.unpack('>{0}B'.format(explength), 
key[offset:(offset+explength)])
    exponent = reduce(lambda x,y: (x<<8) + y, expbuf, 0)
    
    offset += explength
    modulus = key[offset:]
    keysize = len(modulus) * 8
    return (exponent, keysize, modulus) # exponent is decimal number, keysize 
is decimal number of public key bits

if len(sys.argv) < 5:
    print "usage:", sys.argv[0], "DNSKEY flags protocol algorithm key"
    sys.exit(1)
    
offset = 2 if sys.argv[1] == 'DNSKEY' else 1

flags = int(sys.argv[offset])
protocol = int(sys.argv[offset+1])
algorithm = int(sys.argv[offset+2])
keytext = ''.join(sys.argv[offset+3:])
key = base64.b64decode(keytext)

if algorithm in (1, 3, 5, 7, 8):
    (exponent, keysize, modulus) = parsekey(key)
    print "RSA exponent:", exponent
    print "RSA keylength:", keysize, "bit"
print "keytag:", keytag(flags, protocol, algorithm, key)

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs

Reply via email to