On Tue, 04 Apr 2006, David Shaw wrote:

> > Also, is there a tool that produces a snippet which is ready for
> > inclusion into a zone file anywhere?  Something similar to ssh-keygen
> > for SSHFP RRs:
> >   [EMAIL PROTECTED]:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key -g
> >   galaxy IN TYPE44 \# 22 01 01 40cc5559546421d15fe9c1064713636a02373ad2
> >   [EMAIL PROTECTED]:~$ ssh-keygen -r galaxy -f /etc/ssh/ssh_host_rsa_key
> >   galaxy IN SSHFP 1 1 40cc5559546421d15fe9c1064713636a02373ad2
> 
> Good idea.  I just checked one in to the GnuPG SVN.

It seems make-dns-cert counts whitespace as part of the fingerprint when
creating IPGP data.

For instance:
| [EMAIL PROTECTED]:~/local/src/gnupg/gnupg14/tools$ ./make-dns-cert -f '5B00 
C96D 5D54 AEE1 206B  AF84 DE7A AF6E 94C0 9C7F' -n foo
| foo     TYPE37  \# 31 0006 0000 00 19 5B00 C96D 5D54 AEE1 206B  AF84 DE7A 
AF6E 94C0 9C7F
                                     ^^
| [EMAIL PROTECTED]:~/local/src/gnupg/gnupg14/tools$ ./make-dns-cert -f '5B00 
C96D 5D54 AEE1 206B  AF84 DE7A AF6E94C09C7F' -n foo 
| foo     TYPE37  \# 30 0006 0000 00 18 5B00 C96D 5D54 AEE1 206B  AF84 DE7A 
AF6E94C09C7F
                                     ^^

It should just ignore whitespace when counting fingerprint length.
| ./make-dns-cert -f '5B00 C96D 5D54 AEE1 206B  AF84 DE7A AF6E94C09C7F' -n foo
| foo     TYPE37  \# 26 0006 0000 00 14 5B00 C96D 5D54 AEE1 206B  AF84 DE7A 
AF6E94C09C7F

This should fix it:

Index: make-dns-cert.c
===================================================================
--- make-dns-cert.c     (revision 4091)
+++ make-dns-cert.c     (working copy)
@@ -24,6 +24,7 @@
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
+#include <ctype.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -97,7 +98,20 @@
 
   if(fpr)
     {
-      fprlen=strlen(fpr);
+      const char *tmp = fpr;
+      while (*tmp)
+       {
+         if (isxdigit(*tmp))
+           {
+             fprlen++;
+           }
+         else if (!isspace(*tmp))
+           {
+             printf("Fingerprint must consist of only hex digits (and 
whitespace)\n");
+             return 1;
+           }
+         tmp++;
+       }
       if(fprlen%2)
        {
          printf("Fingerprint must be an even number of characters\n");
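Review bot: `isxdigit(*tmp)` and `isspace(*tmp)` in the new loop are passed a plain `char`, which is undefined behaviour for any byte above 0x7F where `char` is signed. Since `-f` is command-line input, both calls should cast first: `isxdigit((unsigned char)*tmp)` and `isspace((unsigned char)*tmp)`. The same `isspace(*tmp)` line appears as context in the second patch's fingerprint hunk. The loop only increments `fprlen`, so it relies on `fprlen` being zero on entry, and an empty or all-whitespace value leaves it at 0 and passes the even-length check. The declaration and the code that consumes the length are outside the hunk, so both are worth confirming.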




And a second patch that uses stderr for errors on top of this one:

--- make-dns-cert.c.orig        2006-04-05 09:57:48.725050937 +0200
+++ make-dns-cert.c     2006-04-05 10:00:23.675749478 +0200
@@ -45,20 +45,20 @@
   fd=open(keyfile,O_RDONLY);
   if(fd==-1)
     {
-      printf("Cannot open key file %s: %s\n",keyfile,strerror(errno));
+      fprintf(stderr, "Cannot open key file %s: %s\n",keyfile,strerror(errno));
       return 1;
     }
 
   err=fstat(fd,&statbuf);
   if(err==-1)
     {
-      printf("Unable to stat key file %s: %s\n",keyfile,strerror(errno));
+      fprintf(stderr, "Unable to stat key file %s: 
%s\n",keyfile,strerror(errno));
       goto fail;
     }
 
   if(statbuf.st_size>32768)
     {
-      printf("Key %s too large for CERT encoding\n",keyfile);
+      fprintf(stderr, "Key %s too large for CERT encoding\n",keyfile);
       goto fail;
     }
 
@@ -73,7 +73,7 @@
       err=read(fd,buffer,1024);
       if(err==-1)
        {
-         printf("Unable to read key file %s: %s\n",keyfile,strerror(errno));
+         fprintf(stderr, "Unable to read key file %s: 
%s\n",keyfile,strerror(errno));
          goto fail;
        }
 
@@ -107,14 +107,14 @@
            }
          else if (!isspace(*tmp))
            {
-             printf("Fingerprint must consist of only hex digits (and 
whitespace)\n");
+             fprintf(stderr, "Fingerprint must consist of only hex digits (and 
whitespace)\n");
              return 1;
            }
          tmp++;
        }
       if(fprlen%2)
        {
-         printf("Fingerprint must be an even number of characters\n");
+         fprintf(stderr, "Fingerprint must be an even number of characters\n");
          return 1;
        }
 
@@ -127,7 +127,7 @@
 
   if(!fpr && !url)
     {
-      printf("Cannot generate a CERT without either a fingerprint or URL\n");
+      fprintf(stderr, "Cannot generate a CERT without either a fingerprint or 
URL\n");
       return 1;
     }
 
@@ -150,13 +150,13 @@
 }
 
 static void
-usage(void)
+usage(FILE *f)
 {
-  printf("make-dns-cert\n");
-  printf("\t-f\tfingerprint\n");
-  printf("\t-u\tURL\n");
-  printf("\t-k\tkey file\n");
-  printf("\t-n\tDNS name\n");
+  fprintf(f, "make-dns-cert\n");
+  fprintf(f, "\t-f\tfingerprint\n");
+  fprintf(f, "\t-u\tURL\n");
+  fprintf(f, "\t-k\tkey file\n");
+  fprintf(f, "\t-n\tDNS name\n");
 }
 
 int
@@ -167,7 +167,7 @@
 
   if(argc==1)
     {
-      usage();
+      usage(stderr);
       return 0;
     }
   else if(argc>1 && strcmp(argv[1],"--version")==0)
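Review bot: With no arguments the new code writes usage to stderr but still does `return 0;`, so a caller checking the exit status sees success for what is now reported as an error. If stderr is intended here, the following line should be `return 1;`; otherwise keep `usage(stdout)`. The body of main continues outside the hunk.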
@@ -177,7 +177,7 @@
     }
   else if(argc>1 && strcmp(argv[1],"--help")==0)
     {
-      usage();
+      usage(stdout);
       return 0;
     }
 
@@ -186,7 +186,7 @@
       {
       default:
       case 'h':
-       usage();
+       usage(stdout);
        exit(0);
 
       case 'f':
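Review bot: `default:` still falls through into `case 'h':`, so an unrecognised option prints usage to stdout and exits 0, which is inconsistent with the rest of this patch sending errors to stderr. Giving `default:` its own `usage(stderr); exit(1);` and leaving `case 'h':` with `usage(stdout); exit(0);` would separate the error path from an explicit help request. The switch starts outside the hunk.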
@@ -208,14 +208,14 @@
 
   if(!name)
     {
-      printf("No name provided\n");
+      fprintf(stderr, "No name provided\n");
       return 1;
     }
 
   if(keyfile && (fpr || url))
     {
-      printf("Cannot generate a CERT record with both a keyfile and"
-            " a fingerprint or URL\n");
+      fprintf(stderr, "Cannot generate a CERT record with both a"
+                     " keyfile and a fingerprint or URL\n");
       return 1;
     }
 
