From 3bd38f9fbc69a3582ee4e09679ea0975ce54775d Mon Sep 17 00:00:00 2001
From: David Blacka
Date: Sun, 10 Sep 2006 16:48:21 +0000
Subject: [PATCH] add large exponent option to the key generation code

git-svn-id: https://svn.verisignlabs.com/jdnssec/tools/trunk@87 4cbd57fe-54e5-0310-bd9a-f30fe5ea5e6e
---
 ChangeLog | 6 ++++
 src/com/verisignlabs/dnssec/cl/KeyGen.java | 17 ++++++----
 .../dnssec/security/DnsKeyAlgorithm.java | 32 +++++++++++++++++--
 .../dnssec/security/JCEDnsSecSigner.java | 6 ++--
 4 files changed, 51 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index b39aec2..943190a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2006-09-10 David Blacka
+
+ * Added the "-e" option to jdnssec-keygen, to instruct the key
+ generator to use the (common) large exponent in RSA key
+ generation.
+
 2006-08-31 David Blacka
 
 * Modified jdnssec-signzone to set the ttls of NSEC3 records (so
diff --git a/src/com/verisignlabs/dnssec/cl/KeyGen.java b/src/com/verisignlabs/dnssec/cl/KeyGen.java
index 08914ea..683a330 100644
--- a/src/com/verisignlabs/dnssec/cl/KeyGen.java
+++ b/src/com/verisignlabs/dnssec/cl/KeyGen.java
@@ -54,6 +54,7 @@ public class KeyGen
 private Options opts;
 public int algorithm = 5;
 public int keylength = 1024;
+ public boolean useLargeE = false;
 public String outputfile = null;
 public File keydir = null;
 public boolean zoneKey = true;
@@ -81,7 +82,8 @@ public class KeyGen
 "kskflag",
 false,
 "Key is a key-signing-key (sets the SEP flag).");
-
+ opts.addOption("e", "large-exponent", false, "Use large RSA exponent");
+
 // Argument options
 OptionBuilder.hasArg();
 OptionBuilder.withLongOpt("nametype");
@@ -164,6 +166,8 @@ public class KeyGen
 
 if (cli.hasOption('k')) kskFlag = true;
 
+ if (cli.hasOption('e')) useLargeE = true;
+
 outputfile = cli.getOptionValue('f');
 
 if ((optstr = cli.getOptionValue('d')) != null)
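Review bot: The help string of the new `-e` option, `"Use large RSA exponent"`, tells the operator neither which two exponents are being chosen between nor that the default stays the small one, which is exactly what they need to decide; I would write `opts.addOption("e", "large-exponent", false, "Use the large (65537) RSA public exponent instead of the default small one (3); has no effect for non-RSA algorithms");`. The values 65537 and 3 are what `RSAKeyGenParameterSpec.F4` and `F0` stand for in the DnsKeyAlgorithm part of this same commit, and as far as the hunks show the flag is only consulted in the RSA branch of `generateKeyPair`, so for DSA it is silently ignored. Since `useLargeE` is a public mutable field like the other options, a caller setting up `KeyGen` programmatically needs the same sentence as a comment on the field. The option-parsing method continues outside the hunk.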
@@ -307,11 +311,12 @@ public class KeyGen
 + ", length = " + state.keylength + ")");
 
 DnsKeyPair pair = signer.generateKey(owner_name,
- state.ttl,
- DClass.IN,
- state.algorithm,
- flags,
- state.keylength);
+ state.ttl,
+ DClass.IN,
+ state.algorithm,
+ flags,
+ state.keylength,
+ state.useLargeE);
 
 if (state.outputfile != null)
 {
diff --git a/src/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java b/src/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java
index 8a9d5aa..9867588 100644
--- a/src/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java
+++ b/src/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java
@@ -29,10 +29,12 @@
 
 package com.verisignlabs.dnssec.security;
 
+import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
 import java.security.Signature;
+import java.security.spec.RSAKeyGenParameterSpec;
 import java.util.HashMap;
 import java.util.logging.Logger;
 
@@ -226,7 +228,7 @@ public class DnsKeyAlgorithm
 return (baseType(algorithm) == DSA);
 }
 
- public KeyPair generateKeyPair(int algorithm, int keysize)
+ public KeyPair generateKeyPair(int algorithm, int keysize, boolean useLargeExp)
 throws NoSuchAlgorithmException
 {
 KeyPair pair = null;
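Review bot: The widened public method `generateKeyPair(int algorithm, int keysize, boolean useLargeExp)` gets no Javadoc, so a library caller has to read the RSA branch to learn what the flag does. I would add a Javadoc above the signature stating that `useLargeExp` selects the 65537 public exponent (`RSAKeyGenParameterSpec.F4`) instead of the default 3 (`F0`) when `algorithm` is an RSA type, that it is not consulted for other algorithm types as far as this commit shows, and that an `InvalidAlgorithmParameterException` from the provider (for example an unsupported `keysize`) is reported as `NoSuchAlgorithmException`, since that conversion is otherwise invisible from the signature. The method body lies outside this hunk, in the next one.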
@@ -237,7 +239,27 @@ public class DnsKeyAlgorithm
 {
 mRSAKeyGenerator = KeyPairGenerator.getInstance("RSA");
 }
- mRSAKeyGenerator.initialize(keysize);
+
+ RSAKeyGenParameterSpec rsa_spec;
+ if (useLargeExp)
+ {
+ rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F4);
+ }
+ else
+ {
+ rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F0);
+ }
+ try
+ {
+ mRSAKeyGenerator.initialize(rsa_spec);
+ }
+ catch (InvalidAlgorithmParameterException e)
+ {
+ // Fold the InvalidAlgorithmParameterException into our existing
+ // thrown exception. Ugly, but requires less code change.
+ throw new NoSuchAlgorithmException("invalid key parameter spec");
+ }
+
 pair = mRSAKeyGenerator.generateKeyPair();
 break;
 case DSA :
@@ -255,6 +277,12 @@ public class DnsKeyAlgorithm
 return pair;
 }
 
+ public KeyPair generateKeyPair(int algorithm, int keysize)
+ throws NoSuchAlgorithmException
+ {
+ return generateKeyPair(algorithm, keysize, false);
+ }
+
 public static DnsKeyAlgorithm getInstance()
 {
 if (mInstance == null) mInstance = new DnsKeyAlgorithm();
diff --git a/src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java b/src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java
index 76484db..e26e1fe 100644
--- a/src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java
+++ b/src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java
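Review bot: The new code keeps e=3 (`RSAKeyGenParameterSpec.F0`) as the default and makes 65537 (`F4`) opt-in, which is the wrong way round for signing keys: the small exponent buys only slightly faster verification, and it is the exponent that let lax PKCS#1 v1.5 padding checks in verifiers be turned into signature forgeries (Bleichenbacher, 2006), so I would default to F4 and, if 3 is still wanted for interoperability, make that the explicit flag, with a comment in the F0 branch recording why it exists. Separately, the catch block discards the cause: `throw new NoSuchAlgorithmException("invalid key parameter spec");` loses the provider's `InvalidAlgorithmParameterException` and does not say which size was rejected; `throw new NoSuchAlgorithmException("invalid RSA key parameter spec (keysize " + keysize + ")", e);` keeps both, assuming the project targets Java 5 or later where the two-argument constructor exists. Flipping the default also changes the meaning of the two-argument `generateKeyPair` overload and of the CLI's `-e`, so it is a wider change than this hunk. The enclosing `generateKeyPair` method starts outside the hunk.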
@@ -63,16 +63,18 @@ public class JCEDnsSecSigner
 * @param algorithm the DNSSEC algorithm (RSAMD5, RSASHA1, or DSA).
 * @param flags any flags for the KEY RR.
 * @param keysize the size of the key to generate.
+ * @param useLargeExponent if generating an RSA key, use the large exponent.
 * @return a DnsKeyPair with the public and private keys populated.
 */
 public DnsKeyPair generateKey(Name owner, long ttl, int dclass,
- int algorithm, int flags, int keysize) throws NoSuchAlgorithmException
+ int algorithm, int flags, int keysize, boolean useLargeExponent)
+ throws NoSuchAlgorithmException
 {
 DnsKeyAlgorithm algorithms = DnsKeyAlgorithm.getInstance();
 
 if (ttl < 0) ttl = 86400; // set to a reasonable default.
 
- KeyPair pair = algorithms.generateKeyPair(algorithm, keysize);
+ KeyPair pair = algorithms.generateKeyPair(algorithm, keysize, useLargeExponent);
 
 if (mKeyConverter == null)
 {
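Review bot: The six-parameter `generateKey(Name, long, int, int, int, int)` is replaced rather than kept, so any external caller of this public method stops compiling, whereas `DnsKeyAlgorithm` in the same commit preserves its old two-argument `generateKeyPair` by delegating with `false`; keeping a matching delegating overload here would be consistent: `public DnsKeyPair generateKey(Name owner, long ttl, int dclass, int algorithm, int flags, int keysize) throws NoSuchAlgorithmException { return generateKey(owner, ttl, dclass, algorithm, flags, keysize, false); }`. The added Javadoc line `@param useLargeExponent if generating an RSA key, use the large exponent.` should also say what "large" means, since a caller of this class cannot see the DnsKeyAlgorithm implementation: 65537 (`RSAKeyGenParameterSpec.F4`) rather than the default 3 (`F0`), and, as far as this commit shows, ignored for non-RSA algorithms. The method body continues outside the hunk.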