SEC::Private(3) User Contributed Perl Documentation SEC::Private(3)NAMENet::DNS::SEC::Private - DNS SIG Private key object
SYNOPSIS
use Net::DNS::SEC::Private; my
$private=Net::DNS::SEC::Private->new($keypath);
DESCRIPTION
Class containing a the private key as read from a dnssec-keygen
generate zonefile. The class is written to be used only in the context
of the Net::DNS::RR::SIG create method. This class is not designed to
interact with any other system.
METHODS
new
$private->new("/home/foo/ Kexample.com.+001+11567.private")
Creator method. The argument is the full path to a private key
generated by the BIND dnssec-keygen tool. Note that the filename
contains information about the algorithm and keyid.
private
$private->private
Returns the private key material. This is either a Crypt::OpenSSL::RSA
or Crypt::OpenSSL::DSA object. This is really only relevant to the
Net::DNS::RR::SIG class.
algorithm, keytag, signame, created, publish, activate
$private->algorithm
$private->keytag
$private->signame
$private->created
$private->publish
$private->activate
Returns components as determined from the filename and needed by
Net::DNS::RR::RRSIG. The 'created', 'publish' and 'activate'
components are only available in version 1.3 or higher formatted files.
RSASHA1 specific helper functions
These functions may be usefull to read and transfer BIND private keys
to and from X509 format.
new_rsa_private
Constructor method.
my $private=Net::DNS::SEC::Private->new_rsa_private($keyblob,$domain,$flag);
Creates a Net::DNS::SEC::Private object from the supplied string. For
the object to be useful you will have to provide the "domain" name for
which this key is to be used as the second argument and the flag
(either 256 or 257 for a non SEP and a SEP key respectivly).
The string should include the -----BEGIN...----- and -----END...-----
lines. The padding is set to PKCS1_OAEP, but can be changed with the
use_xxx_padding methods
It is the same
dump_rsa_priv
my $bind_keyfilecontent=$private->dump_rsa_priv
Returns the content of a BIND private keyfile (Private-key-format:
v1.2).
An empty string will be returned if not all parameters are available
(please supply the author with example code if this ever happens).
dump_rsa_pub
my $bind_keyfilecontent=$private->dump_rsa_pub
Returns the publick key part of the DNSKEY RR.
Returns an empty string on failure.
dump_rsa_keytag
my $flags=257; # SEP key.
my $keytag=$private->dump_rsa_keytag($flags);
This function will calculate the keyt with the value of the DNSKEY
flags as input.
The flags field may be needed in case it was not specified when the key
was created. If the object allready knows it's flags vallue the input
is ignored.
returns undefined on failure
dump_rsa_private_der
my $keyblob=$private->dump_rsa_privat_der
Return the DER-encoded PKCS1 representation of the private key. (Same
format that can be read with the read_rsa_private method.)
generate_rsa
my $keypair=Net::DNS::SEC::Private->generate_rsa("example.com",$flag,1024,$random);
prin $newkey->dump_rsa_priv;
print $newkey->dump_rsa_pub();
Uses Crypt::OpenSSL::RSA generate_key to create a keypair.
First argument is the name of the key, the second argument is the flag
field (take a value of 257 for Keysigning keys and a value of 256 for
zone signing keys). The 3rd argument is the keysize.
If the 4th argument is defined it is passed to the
Crypt::OpenSSL::Random::random_seed method (see Crypt::OpenSSL::RSA for
details), not needed with a proper /dev/random.
Example
This is a code sniplet from the test script. First a new keypair is
generated. An Net::DNS::RR object is created by constructing the
resource record string - using the dump_rsa_pub() method.
Then a self signature over the public key is created and verified.
my $newkey=Net::DNS::SEC::Private->generate_rsa("example.com",257,1024);
my $tstpubkeyrr= Net::DNS::RR->new ($newkey->signame .
" IN DNSKEY 257 3 5 ".
$newkey->dump_rsa_pub());
# flags not needed as argument for dump_rsa_keytag
$ since they where set by generate_rsa
is($tstpubkeyrr->keytag,$newkey->dump_rsa_keytag(),
"Consistent keytag calculation");
my $sigrr= create Net::DNS::RR::RRSIG([$tstpubkeyrr],$newkey);
is ($sigrr->keytag,$tstpubkeyrr->keytag,
"Consisted keytag in the created signature");;
ok($sigrr->verify([$tstpubkeyrr],$tstpubkeyrr),
"Self verification consistent.");
COPYRIGHT
Copyright (c) 2002-2005 RIPE NCC. Author Olaf M. Kolkman
<olaf@net-dns.org>
All Rights Reserved
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of the author not be used
in advertising or publicity pertaining to distribution of the software
without specific, written prior permission.
THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS; IN NO
EVENT SHALL AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL
DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
THIS SOFTWARE.
This code uses Crypt::OpenSSL which uses the openssl library
SEE ALSO
http://www.net-dns.org/ <http://www.net-dns.org/>
perl(1), Net::DNS, Net::DNS::RR::SIG,
Crypt::OpenSSL::RSA,Crypt::OpenSSL::DSA, RFC 2435 Section 4, RFC 2931.
perl v5.14.2 2012-03-19 SEC::Private(3)