path: root/doc/manpage.d/ipsec_splitkeytoid.3.html
blob: 109cfafa742fedc4c188566cf246e8c0c887056d (plain)

<HTML><HEAD><TITLE>Manpage of IPSEC_KEYBLOBTOID</TITLE>
</HEAD><BODY>
<H1>IPSEC_KEYBLOBTOID</H1>
Section: C Library Functions (3)<BR>Updated: 25 March 2002<BR><A HREF="#index">Index</A>
<A HREF="http://localhost/cgi-bin/man/man2html">Return to Main Contents</A><HR>


<A NAME="lbAB">&nbsp;</A>
<H2>NAME</H2>

ipsec keyblobtoid, splitkeytoid - generate key IDs from RSA keys
<A NAME="lbAC">&nbsp;</A>
<H2>SYNOPSIS</H2>

<B>#include &lt;<A HREF="file:/usr/include/freeswan.h">freeswan.h</A>&gt;</B>

<P>
<B>size_t keyblobtoid(const unsigned char *blob,</B>

<BR>
&nbsp;
<B>size_t bloblen, char *dst, size_t dstlen);</B>

<BR>

<B>size_t splitkeytoid(const unsigned char *e, size_t elen,</B>

<BR>
&nbsp;
<B>const unsigned char *m, size_t mlen, char *dst,</B>

<BR>
&nbsp;
<B>size_t dstlen);</B>

<A NAME="lbAD">&nbsp;</A>
<H2>DESCRIPTION</H2>

<I>Keyblobtoid</I>

and
<I>splitkeytoid</I>

generate
key IDs
from RSA keys,
for use in messages and reporting,
writing the result to
<I>dst</I>.

A
<I>key ID</I>

is a short ASCII string identifying a key;
currently it is just the first nine characters of the base64
encoding of the RFC 2537/3110 "byte blob" representation of the key.
(Beware that no finite key ID can be collision-proof:
there is always some small chance of two random keys having the
same ID.)
<P>

<I>Keyblobtoid</I>

generates a key ID from a key which is already in the form of an
RFC 2537/3110 binary key
<I>blob</I>

(encoded exponent length, exponent, modulus).
<P>

<I>Splitkeytoid</I>

generates a key ID from a key given in the form of a separate
(binary) exponent
<I>e</I>

and modulus
<I>m</I>.

<P>

The
<I>dstlen</I>

parameter of either
specifies the size of the
<I>dst</I>

parameter;
under no circumstances are more than
<I>dstlen</I>

bytes written to
<I>dst</I>.

A result which will not fit is truncated.
<I>Dstlen</I>

can be zero, in which case
<I>dst</I>

need not be valid and no result is written,
but the return value is unaffected;
in all other cases, the (possibly truncated) result is NUL-terminated.
The
<I>freeswan.h</I>

header file defines a constant
<B>KEYID_BUF</B>

which is the size of a buffer large enough for worst-case results.
<P>

Both functions return
<B>0</B>

for a failure, and otherwise
always return the size of buffer which would be needed to
accommodate the full conversion result, including terminating NUL;
it is the caller's responsibility to check this against the size of
the provided buffer to determine whether truncation has occurred.
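<P>
The following is an added illustration, not the FreeS/WAN library source: it assembles the RFC 3110 blob (exponent length, exponent, modulus) from a split key, takes the first nine base64 digits as the key ID, and honours the <I>dstlen</I>/return-value contract described above. The sample key, the minimum of seven blob bytes and the <I>demo_</I> names are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not FreeS/WAN code: build the RFC 3110 blob (exponent length,
 * exponent, modulus) from a split key and derive the nine-digit key ID.
 * Assumed minimum: 7 blob bytes, the fewest that yield nine base64 digits.
 * Returns the buffer size needed for the full result (10) or 0 on failure. */
#define DEMO_DIGITS 9
#define DEMO_BYTES  7
/* Constructed sample key (exponent 3, short modulus), not a real RSA key. */
static const unsigned char demo_e[] = { 0x03 };
static const unsigned char demo_m[] = { 0xbf, 0x9e, 0x6a, 0x4b, 0xc1, 0x21 };
static size_t demo_splitkeytoid(const unsigned char *e, size_t elen,
                                const unsigned char *m, size_t mlen,
                                char *dst, size_t dstlen)
{
    static const char b64[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned char pre[3], blob[DEMO_BYTES];
    const unsigned char *part[3] = { pre, e, m };
    size_t len[3] = { 0, elen, mlen }, n = 0, p, i;
    char id[DEMO_DIGITS + 1];
    if (elen == 0 || elen > 0xffff)  /* length not representable (0 assumed bad) */
        return 0;
    if (elen < 256) {                /* RFC 3110: one-byte exponent length */
        pre[0] = (unsigned char)elen; len[0] = 1;
    } else {                         /* else a zero byte, then 16 bits big-endian */
        pre[0] = 0; pre[1] = (unsigned char)(elen >> 8);
        pre[2] = (unsigned char)elen; len[0] = 3;
    }
    for (p = 0; p < 3; p++)          /* only the leading blob bytes matter */
        for (i = 0; i < len[p] && n < DEMO_BYTES; i++)
            blob[n++] = part[p][i];
    if (n < DEMO_BYTES)              /* key too short for a complete key ID */
        return 0;
    for (i = 0; i < 2; i++) {        /* two 3-byte groups -> 8 base64 digits */
        uint32_t v = ((uint32_t)blob[3*i] << 16) | ((uint32_t)blob[3*i+1] << 8)
                   | blob[3*i+2];
        id[4*i] = b64[v >> 18]; id[4*i+1] = b64[(v >> 12) & 63];
        id[4*i+2] = b64[(v >> 6) & 63]; id[4*i+3] = b64[v & 63];
    }
    id[8] = b64[blob[6] >> 2];       /* byte 7 supplies the ninth digit */
    id[9] = '\0';
    if (dstlen > 0) {                /* never write more than dstlen bytes */
        size_t k = dstlen - 1 < DEMO_DIGITS ? dstlen - 1 : DEMO_DIGITS;
        memcpy(dst, id, k);
        dst[k] = '\0';               /* result is NUL-terminated, maybe truncated */
    }
    return DEMO_DIGITS + 1;          /* size needed; caller compares to dstlen */
}
```

With the sample's one-byte exponent the blob begins 01 03, so the ID opens with the fixed "AQ" digits this page mentions; a caller detects truncation by checking whether the returned 10 exceeds the <I>dstlen</I> it passed.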

With keys generated by
<I><A HREF="ipsec_rsasigkey.3.html">ipsec_rsasigkey</A></I>(3),

the first two base64 digits are always the same,
and the third carries only about one bit of information.
It's worse with keys using longer fixed exponents,
e.g. the 24-bit exponent that's common in X.509 certificates.
However, being able to relate key IDs to the full
base64 text form of keys by eye is sufficiently useful that this
waste of space seems justifiable.
The choice of nine digits is a compromise between bulk and
probability of collision.
<A NAME="lbAE">&nbsp;</A>
<H2>SEE ALSO</H2>

RFC 3110,
<I>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</I>,
Eastlake, 2001
(superseding the older but better-known RFC 2537).
<A NAME="lbAF">&nbsp;</A>
<H2>DIAGNOSTICS</H2>

Fatal errors are:
key too short to supply enough bits to construct a complete key ID
(almost certainly indicating a garbage key);
exponent too long for its length to be representable.
<A NAME="lbAG">&nbsp;</A>
<H2>HISTORY</H2>

Written for the FreeS/WAN project by Henry Spencer.
<P>

<HR>
<A NAME="index">&nbsp;</A><H2>Index</H2>
<DL>
<DT><A HREF="#lbAB">NAME</A><DD>
<DT><A HREF="#lbAC">SYNOPSIS</A><DD>
<DT><A HREF="#lbAD">DESCRIPTION</A><DD>
<DT><A HREF="#lbAE">SEE ALSO</A><DD>
<DT><A HREF="#lbAF">DIAGNOSTICS</A><DD>
<DT><A HREF="#lbAG">HISTORY</A><DD>
</DL>
<HR>
This document was created by
<A HREF="http://localhost/cgi-bin/man/man2html">man2html</A>,
using the manual pages.<BR>
Time: 21:40:18 GMT, November 11, 2003
</BODY>
</HTML>