add large exponent option to the key generation code

git-svn-id: https://svn.verisignlabs.com/jdnssec/tools/trunk@87 4cbd57fe-54e5-0310-bd9a-f30fe5ea5e6e
2006-09-10 16:48:21 +00:00 · 2006-09-10 16:48:21 +00:00 · 3bd38f9fbc
commit 3bd38f9fbc
parent 08b2c4bc32
4 changed files with 51 additions and 10 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+2006-09-10  David Blacka  <davidb@fury.blacka.com>
+
+	* Added the "-e" option to jdnssec-keygen, to instruct the key
+	generator to use the (common) large exponent in RSA key
+	generation.
+
 2006-08-31  David Blacka  <davidb@fury.blacka.com>

 	* Modified jdnssec-signzone to set the ttls of NSEC3 records (so
--- a/src/com/verisignlabs/dnssec/cl/KeyGen.java
+++ b/src/com/verisignlabs/dnssec/cl/KeyGen.java
@ -54,6 +54,7 @@ public class KeyGen
    private Options opts;
    public int      algorithm  = 5;
    public int      keylength  = 1024;
+    public boolean  useLargeE  = false;
    public String   outputfile = null;
    public File     keydir     = null;
    public boolean  zoneKey    = true;
@ -81,6 +82,7 @@ public class KeyGen
          "kskflag",
          false,
          "Key is a key-signing-key (sets the SEP flag).");
+      opts.addOption("e", "large-exponent", false, "Use large RSA exponent");
      
      // Argument options
      OptionBuilder.hasArg();
@ -164,6 +166,8 @@ public class KeyGen

      if (cli.hasOption('k')) kskFlag = true;

+      if (cli.hasOption('e')) useLargeE = true;
+      
      outputfile = cli.getOptionValue('f');

      if ((optstr = cli.getOptionValue('d')) != null)
@ -307,11 +311,12 @@ public class KeyGen
        + ", length = " + state.keylength + ")");

    DnsKeyPair pair = signer.generateKey(owner_name,
-        state.ttl,
-        DClass.IN,
-        state.algorithm,
-        flags,
-        state.keylength);
+          state.ttl,
+          DClass.IN,
+          state.algorithm,
+          flags,
+          state.keylength,
+          state.useLargeE);

    if (state.outputfile != null)
    {
--- a/src/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java
+++ b/src/com/verisignlabs/dnssec/security/DnsKeyAlgorithm.java
@ -29,10 +29,12 @@

 package com.verisignlabs.dnssec.security;

+import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.NoSuchAlgorithmException;
 import java.security.Signature;
+import java.security.spec.RSAKeyGenParameterSpec;
 import java.util.HashMap;
 import java.util.logging.Logger;

@ -226,7 +228,7 @@ public class DnsKeyAlgorithm
    return (baseType(algorithm) == DSA);
  }

-  public KeyPair generateKeyPair(int algorithm, int keysize)
+  public KeyPair generateKeyPair(int algorithm, int keysize, boolean useLargeExp)
      throws NoSuchAlgorithmException
  {
    KeyPair pair = null;
@ -237,7 +239,27 @@ public class DnsKeyAlgorithm
        {
          mRSAKeyGenerator = KeyPairGenerator.getInstance("RSA");
        }
-        mRSAKeyGenerator.initialize(keysize);
+        
+        RSAKeyGenParameterSpec rsa_spec;
+        if (useLargeExp)
+        {
+          rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F4);
+        }
+        else
+        {
+          rsa_spec = new RSAKeyGenParameterSpec(keysize, RSAKeyGenParameterSpec.F0);
+        }
+        try
+        {
+          mRSAKeyGenerator.initialize(rsa_spec);
+        }
+        catch (InvalidAlgorithmParameterException e)
+        {
+          // Fold the InvalidAlgorithmParameterException into our existing
+          // thrown exception. Ugly, but requires less code change.
+          throw new NoSuchAlgorithmException("invalid key parameter spec");
+        }
+        
        pair = mRSAKeyGenerator.generateKeyPair();
        break;
      case DSA :
@ -255,6 +277,12 @@ public class DnsKeyAlgorithm
    return pair;
  }

+  public KeyPair generateKeyPair(int algorithm, int keysize)
+      throws NoSuchAlgorithmException
+  {
+    return generateKeyPair(algorithm, keysize, false);
+  }
+  
  public static DnsKeyAlgorithm getInstance()
  {
    if (mInstance == null) mInstance = new DnsKeyAlgorithm();
--- a/src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java
+++ b/src/com/verisignlabs/dnssec/security/JCEDnsSecSigner.java
@ -63,16 +63,18 @@ public class JCEDnsSecSigner
   * @param algorithm the DNSSEC algorithm (RSAMD5, RSASHA1, or DSA).
   * @param flags any flags for the KEY RR.
   * @param keysize the size of the key to generate.
+   * @param useLargeExponent if generating an RSA key, use the large exponent.
   * @return a DnsKeyPair with the public and private keys populated.
   */
  public DnsKeyPair generateKey(Name owner, long ttl, int dclass,
-      int algorithm, int flags, int keysize) throws NoSuchAlgorithmException
+      int algorithm, int flags, int keysize, boolean useLargeExponent)
+      throws NoSuchAlgorithmException
  {
    DnsKeyAlgorithm algorithms = DnsKeyAlgorithm.getInstance();

    if (ttl < 0) ttl = 86400; // set to a reasonable default.

-    KeyPair pair = algorithms.generateKeyPair(algorithm, keysize);
+    KeyPair pair = algorithms.generateKeyPair(algorithm, keysize, useLargeExponent);

    if (mKeyConverter == null)
    {