convert Knot DNS signatures certs to BIND format.

Petr Mensik pemensik at redhat.com
Wed Mar 20 09:34:48 UTC 2019


Hi Tony and Milan,

softhsm2 contains a useful tool that converts a BIND private key file into
PKCS#8 format: softhsm2-keyconv.

Or modify dnssec-keyfromlabel to be able to read files from different file
formats as well?

Maybe, just maybe, it would be easier to modify that tool to be able to
produce the other direction as well.

On 3/12/19 5:11 PM, Tony Finch wrote:
> Milan Jeskynka Kazatel <KazatelM at seznam.cz> wrote:
>>
>> I received a hint for a tool which allows converting .pem format used in
>> Knot to .key and .private used in BIND, but it, unfortunately, does not
>> support ECDSAP256SHA256 algorithm which I used.
> 
> Ah, sounds like Knot uses a relatively familiar key format, so we can hack
> around with OpenSSL command line tools.
> 
> Unless I have missed something, BIND doesn't have any support for non-BIND
> key files: it has its own code for reading and writing keys, which knows
> about OpenSSL's in-memory key format. (I think this is related to support
> for multiple crypto providers, and the fact that supporting PEM implies
> supporting ASN.1 which is not a task any wise programmer would take on.)
> 
> So I think you'll have to get dirty with the key internals; fortunately
> the modern key types handle the private material as a blob so you don't
> have to fiddle around with half a dozen parameters.
> 
> If you have an ECDSA key in PEM format, you can break it open like
> this. The short blob is the private key and the long one is the public
> key.
> 
> $ openssl ec </var/lib/knot/keys/keys/c3e8539dc582bb2ceeca0ab9fb7b89d521a4f658.pem |
>   openssl asn1parse -dump
> read EC key
> writing EC key
>     0:d=0  hl=2 l= 119 cons: SEQUENCE
>     2:d=1  hl=2 l=   1 prim: INTEGER           :01
>     5:d=1  hl=2 l=  32 prim: OCTET STRING
>       0000 - f5 60 92 ac fe 6f 49 3a-cf 32 b3 16 21 2c f7 37   .`...oI:.2..!,.7
>       0010 - 46 94 eb 06 4f 71 11 f1-71 92 84 f6 0d 16 73 de   F...Oq..q.....s.
>    39:d=1  hl=2 l=  10 cons: cont [ 0 ]
>    41:d=2  hl=2 l=   8 prim: OBJECT            :prime256v1
>    51:d=1  hl=2 l=  68 cons: cont [ 1 ]
>    53:d=2  hl=2 l=  66 prim: BIT STRING
>       0000 - 00 04 87 d7 36 06 dc d7-86 36 07 49 d2 c2 f9 7b   ....6....6.I...{
>       0010 - 2d 30 64 3a 1c 12 e0 a1-ea dc cd 1f be a4 0f e8   -0d:............
>       0020 - c2 d5 af fe 30 71 be 12-62 60 ba 07 ea 07 17 28   ....0q..b`.....(
>       0030 - 97 5d 08 cd c4 55 c1 88-bf db b6 e5 34 12 1d 0e   .]...U......4...
>       0040 - d2 ac                                             ..
> 
> BIND wants these in base64. A not completely impossible way to do this is
> to feed the binary (DER) form of the key to a bit of perl. (PEM is base64
> encoded DER.) This involves some magic numbers for the offsets of the
> blobs derived from the asn1 dump above.
> 
> $ openssl ec -outform der </var/lib/knot/keys/keys/c3e8539dc582bb2ceeca0ab9fb7b89d521a4f658.pem |
>   perl -Mv5.10 -MMIME::Base64 -e '
>     undef $/; my $k = <STDIN>;
>     print encode_base64 substr $k, 7, 32;
>     print encode_base64 substr $k, -64;'
> read EC key
> writing EC key
> 9WCSrP5vSTrPMrMWISz3N0aU6wZPcRHxcZKE9g0Wc94=
> h9c2BtzXhjYHSdLC+XstMGQ6HBLgoerczR++pA/owtWv/jBxvhJiYLoH6gcXKJddCM3EVcGIv9u2
> 5TQSHQ7SrA==
> 
> The first line is the private key; the second and third lines are the
> public key. We can check it matches:
> 
> $ cat /var/lib/knot/keys/zone_example.com.json
> {
>   "policy": "\u0006policy",
>   "nsec3_salt": null,
>   "nsec3_salt_created": null,
>   "keys": [
>     {
>       "id": "c3e8539dc582bb2ceeca0ab9fb7b89d521a4f658",
>       "keytag": 19633,
>       "algorithm": 13,
>       "public_key": "h9c2BtzXhjYHSdLC+XstMGQ6HBLgoerczR++pA/owtWv/jBxvhJiYLoH6gcXKJddCM3EVcGIv9u25TQSHQ7SrA==",
>       "ksk": false,
>       "created": "2019-03-12T15:44:02+0000"
>     }
>   ]
> }
> 
> Probably the easiest way to turn this into BIND key files is to run
> `dnssec-keygen -a ecdsa256 example.com` and edit the output to insert the
> short private and long public base64 blobs emitted by the perl. You will
> also need to rename the files to match the keytag in knot's zone_*.json
> file.
> 
> Tony.
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
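The conversion Tony walks through in the quoted message, done by parsing the RFC 5915 ECPrivateKey structure instead of hard-coding the byte offsets read off the asn1parse dump, so a key with a different curve, version or length is rejected rather than silently mis-sliced. This is an added example, not code from the thread or from Knot or BIND; the DER bytes are constructed from the dump above, and the keytag check uses the RFC 4034 Appendix B algorithm with the ZSK flags (256) implied by `"ksk": false` in Knot's JSON.

```python
import base64

PRIME256V1_OID = bytes.fromhex("2a8648ce3d030107")   # 1.2.840.10045.3.1.7, DNSSEC algorithm 13

SAMPLE_DER = bytes.fromhex(                          # constructed from the asn1parse dump above
    "3077020101"                                                                # SEQUENCE, INTEGER 1
    "0420f56092acfe6f493acf32b316212cf7374694eb064f7111f1719284f60d1673de"      # OCTET STRING (d)
    "a00a06082a8648ce3d030107"                                                  # [0] OID prime256v1
    "a1440342000487d73606dcd786360749d2c2f97b2d30643a1c12e0a1eadccd1fbea40fe8"  # [1] BIT STRING
    "c2d5affe3071be126260ba07ea071728975d08cdc455c188bfdbb6e534121d0ed2ac")

def der_tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pem_to_der(text):                        # Knot's .pem is just base64 over this DER
    return base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))

def ec_private_key_fields(der):
    """Walk ECPrivateKey and return (private scalar, X||Y), refusing anything but P-256."""
    tag, seq, _ = der_tlv(der, 0)                         # SEQUENCE
    vtag, version, pos = der_tlv(seq, 0)                  # INTEGER version (1)
    ptag, priv, pos = der_tlv(seq, pos)                   # OCTET STRING privateKey
    if (tag, vtag, version, ptag, len(priv)) != (0x30, 0x02, b"\x01", 0x04, 32):
        raise ValueError("not a version-1 ECPrivateKey with a 32-byte scalar")
    ctag, params, pos = der_tlv(seq, pos)                 # [0] EXPLICIT ECParameters
    if ctag != 0xA0 or der_tlv(params, 0)[:2] != (0x06, PRIME256V1_OID):
        raise ValueError("curve is not prime256v1 (ECDSAP256SHA256, algorithm 13)")
    wtag, pubwrap, _ = der_tlv(seq, pos)                  # [1] EXPLICIT BIT STRING publicKey
    btag, bits, _ = der_tlv(pubwrap, 0)
    # BIT STRING payload: unused-bits byte 0x00, 0x04 = uncompressed point, then X||Y
    if (wtag, btag, bits[:2], len(bits)) != (0xA1, 0x03, b"\x00\x04", 66):
        raise ValueError("public key is not an uncompressed P-256 point")
    return priv, bits[2:]

def dnskey_keytag(flags, algorithm, public_key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (protocol field is always 3)."""
    rdata = flags.to_bytes(2, "big") + bytes([3, algorithm]) + public_key
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def knot_to_bind(der, ksk=False):
    """Base64 blobs for BIND's PrivateKey:/DNSKEY fields plus the keytag used in the filenames."""
    priv, pub = ec_private_key_fields(der)
    return {"PrivateKey": base64.b64encode(priv).decode(),
            "PublicKey": base64.b64encode(pub).decode(),
            "keytag": dnskey_keytag(257 if ksk else 256, 13, pub)}
```

`knot_to_bind(pem_to_der(open(path).read()))` gives the two blobs to paste into the `dnssec-keygen` output and the keytag the filenames must carry; the PublicKey value should equal the `public_key` string in Knot's zone_*.json.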

