convert Knot DNS signatures certs to BIND format.

Milan Jeskynka Kazatel KazatelM at seznam.cz
Thu Mar 14 12:41:25 UTC 2019


Hello Tony,

many thanks, it's an awesome trick.

I can confirm that I'm able to "hack" the private and public key out of Knot. I
tried to re-write the information in the .key and .private files in BIND, but now
it seems to be an issue with the chain used in the zone.

When I tried to re-sign my zone in BIND via Webmin, I got the error message
below. My original "keytag" is 43121. I don't understand where information like
example.com/ECDSAP256SHA256/45623 is written.




***
Failed to sign zone :
dnssec-signzone: warning: /var/named/example.com:458: signature has expired
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading private key file example.com/ECDSAP256SHA256/45623: file not found
dnssec-signzone: warning: dns_dnssec_keylistfromrdataset: error reading private key file example.com/ECDSAP256SHA256/43121: private key is invalid
dnssec-signzone: fatal: failed to load the zone keys: private key is invalid
***

Could you please help me dig out where I'm wrong?
Best regards,

-- 
Smil Milan Jeskyňka Kazatel

---------- Original e-mail ----------
From: Tony Finch <dot at dotat.at>
To: Milan Jeskynka Kazatel <KazatelM at seznam.cz>
Date: 12. 3. 2019 17:14:40
Subject: Re: convert Knot DNS signatures certs to BIND format.
"Milan Jeskynka Kazatel <KazatelM at seznam.cz> wrote: 
> 
> I received a hint for a tool which allows converting .pem format used in 
> Knot to .key and .private used in BIND, but it, unfortunately, does not 
> support ECDSAP256SHA256 algorithm which I used. 

Ah, sounds like Knot uses a relatively familiar key format, so we can hack 
around with OpenSSL command line tools. 

Unless I have missed something, BIND doesn't have any support for non-BIND 
key files: it has its own code for reading and writing keys, which knows 
about OpenSSL's in-memory key format. (I think this is related to support 
for multiple crypto providers, and the fact that supporting PEM implies 
supporting ASN.1 which is not a task any wise programmer would take on.) 

So I think you'll have to get dirty with the key internals; fortunately 
the modern key types handle the private material as a blob so you don't 
have to fiddle around with half a dozen parameters. 

If you have an ECDSA key in PEM format, you can break it open like 
this. The short blob is the private key and the long one is the public 
key. 

$ openssl ec </var/lib/knot/keys/keys/c3e8539dc582bb2ceeca0ab9fb7b89d521a4f658.pem |
openssl asn1parse -dump
read EC key 
writing EC key 
0:d=0 hl=2 l= 119 cons: SEQUENCE 
2:d=1 hl=2 l= 1 prim: INTEGER :01 
5:d=1 hl=2 l= 32 prim: OCTET STRING 
0000 - f5 60 92 ac fe 6f 49 3a-cf 32 b3 16 21 2c f7 37 .`...oI:.2..!,.7 
0010 - 46 94 eb 06 4f 71 11 f1-71 92 84 f6 0d 16 73 de F...Oq..q.....s. 
39:d=1 hl=2 l= 10 cons: cont [ 0 ] 
41:d=2 hl=2 l= 8 prim: OBJECT :prime256v1 
51:d=1 hl=2 l= 68 cons: cont [ 1 ] 
53:d=2 hl=2 l= 66 prim: BIT STRING 
0000 - 00 04 87 d7 36 06 dc d7-86 36 07 49 d2 c2 f9 7b ....6....6.I...{ 
0010 - 2d 30 64 3a 1c 12 e0 a1-ea dc cd 1f be a4 0f e8 -0d:............ 
0020 - c2 d5 af fe 30 71 be 12-62 60 ba 07 ea 07 17 28 ....0q..b`.....( 
0030 - 97 5d 08 cd c4 55 c1 88-bf db b6 e5 34 12 1d 0e .]...U......4... 
0040 - d2 ac .. 

BIND wants these in base64. A not completely impossible way to do this is 
to feed the binary (DER) form of the key to a bit of perl. (PEM is base64 
encoded DER.) This involves some magic numbers for the offsets of the 
blobs derived from the asn1 dump above. 

$ openssl ec -outform der </var/lib/knot/keys/keys/c3e8539dc582bb2ceeca0ab9fb7b89d521a4f658.pem |
perl -Mv5.10 -MMIME::Base64 -e '
undef $/; my $k = <STDIN>;
print encode_base64 substr $k, 7, 32;
print encode_base64 substr $k, -64;'
read EC key
writing EC key
9WCSrP5vSTrPMrMWISz3N0aU6wZPcRHxcZKE9g0Wc94=
h9c2BtzXhjYHSdLC+XstMGQ6HBLgoerczR++pA/owtWv/jBxvhJiYLoH6gcXKJddCM3EVcGIv9u2
5TQSHQ7SrA==

The first line is the private key; the second and third lines are the 
public key. We can check it matches: 

$ cat /var/lib/knot/keys/zone_example.com.json
{
    "policy": "\u0006policy",
    "nsec3_salt": null,
    "nsec3_salt_created": null,
    "keys": [
        {
            "id": "c3e8539dc582bb2ceeca0ab9fb7b89d521a4f658",
            "keytag": 19633,
            "algorithm": 13,
            "public_key": "h9c2BtzXhjYHSdLC+XstMGQ6HBLgoerczR++pA/owtWv/jBxvhJiYLoH6gcXKJddCM3EVcGIv9u25TQSHQ7SrA==",
            "ksk": false,
            "created": "2019-03-12T15:44:02+0000"
        }
    ]
}

Probably the easiest way to turn this into BIND key files is to run 
`dnssec-keygen -a ecdsa256 example.com` and edit the output to insert the 
short private and long public base64 blobs emitted by the perl. You will 
also need to rename the files to match the keytag in knot's zone_*.json 
file. 

Tony. 
-- 
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ 
public services available on equal terms to all"
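Tony's perl pulls the two blobs out with fixed byte offsets. As an added example (not part of either message, and not Knot's or BIND's own code), the Python below walks the RFC 5915 ECPrivateKey structure instead, produces the same private and public base64 blobs for the BIND .private and .key files, and computes the RFC 4034 key tag that BIND uses in its K<zone>.+013+<tag> file names, so a converted key can be checked against the keytag in Knot's zone_*.json before re-signing. The DER input is reconstructed from the asn1parse dump above; the zone name example.com and the ZSK/KSK flag values are assumptions taken from the thread and from RFC 4034.

```python
import base64
import struct

# Constructed input: the DER reassembled from the asn1parse dump in Tony's mail.
KNOT_KEY_DER = bytes.fromhex(
    "3077020101"                                    # SEQUENCE { INTEGER 1,
    "0420f56092acfe6f493acf32b316212cf7374694eb064f7111f1719284f60d1673de"
    "a00a06082a8648ce3d030107"                      # [0] OID prime256v1,
    "a144034200"                                    # [1] BIT STRING (0 unused bits)
    "0487d73606dcd786360749d2c2f97b2d30643a1c12e0a1eadccd1fbea40fe8c2d5"
    "affe3071be126260ba07ea071728975d08cdc455c188bfdbb6e534121d0ed2ac")

def _tlv(buf, off):  # one DER tag/length/value at buf[off:] -> (tag, value, end)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def parse_ec_private_key(der):
    """Walk RFC 5915 ECPrivateKey (no fixed offsets); return (scalar, X||Y)."""
    tag, seq, _ = _tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag, version, off = _tlv(seq, 0)
    assert tag == 0x02 and version == b"\x01", "unsupported ECPrivateKey version"
    tag, priv, off = _tlv(seq, off)
    assert tag == 0x04, "expected OCTET STRING privateKey"
    point = None
    while off < len(seq):                           # optional [0] params, [1] pubkey
        tag, body, off = _tlv(seq, off)
        if tag == 0xA1:
            btag, bits, _ = _tlv(body, 0)
            assert btag == 0x03 and bits[:2] == b"\x00\x04", "need uncompressed point"
            point = bits[2:]                        # alg 13 DNSKEY is raw X||Y (RFC 6605)
    assert point is not None and len(point) == 64, "no P-256 public key found"
    return priv, point

def keytag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA (256 = ZSK, 257 = KSK)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def to_bind(zone, der, ksk=False):
    """Return (BIND key file basename, PrivateKey base64, DNSKEY public key base64)."""
    priv, pub = parse_ec_private_key(der)
    tag = keytag(257 if ksk else 256, 3, 13, pub)  # BIND looks for K<zone>.+013+<tag>.*
    return (f"K{zone}.+013+{tag:05d}", base64.b64encode(priv).decode(),
            base64.b64encode(pub).decode())
```

For the key in the thread (ksk false, so flags 256) the tag comes out as 19633, matching Knot's JSON; the same key imported with the KSK flag set would get a different tag, which is one way a DNSKEY in the zone can end up pointing at a key file name that does not exist.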