1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
#!/usr/bin/python
# This software is provided 'as-is', without any express or implied
# warranty. In no event will the author be held liable for any damages
# arising from the use of this software.
#
# Permission is granted to anyone to use this software for any purpose,
# including commercial applications, and to alter it and redistribute it
# freely, subject to the following restrictions:
#
# 1. The origin of this software must not be misrepresented; you must not
# claim that you wrote the original software. If you use this software
# in a product, an acknowledgment in the product documentation would be
# appreciated but is not required.
# 2. Altered source versions must be plainly marked as such, and must not be
# misrepresented as being the original software.
# 3. This notice may not be removed or altered from any source distribution.
#
# Copyright (c) 2016 Google, Inc.
# Contact: Brandon Long <blong@google.com>
# Modified by Scott Kitterman <scott@kitterman.com>
# Copyright (c) 2017,2018 Scott Kitterman
"""Generates new domainkeys pairs.
"""
import os
import subprocess
import sys
import tempfile
import argparse
import hashlib
import base64
# how strong are our keys?
BITS_REQUIRED = 2048
# what openssl binary do we use to do key manipulation?
OPENSSL_BINARY = '/usr/bin/openssl'
def GenRSAKeys(private_key_file):
""" Generates a suitable private key. Output is unprotected.
You should encrypt your keys.
"""
print >> sys.stderr, 'generating ' + private_key_file
subprocess.check_call([OPENSSL_BINARY, 'genrsa', '-out', private_key_file,
str(BITS_REQUIRED)])
def GenEd25519Keys(private_key_file):
"""Generates a base64 encoded private key for ed25519 DKIM signing.
Output is unprotected. You should encrypt your keys.
"""
import nacl.signing # Yes, pep-8, but let's not make everyone install nacl
import nacl.encoding
import os
skg = nacl.signing.SigningKey(seed=os.urandom(32))
priv_key = skg.generate()
print >> sys.stderr, 'generating ' + private_key_file
pkf = open(private_key_file, "w+")
print >> pkf, priv_key.encode(encoder=nacl.encoding.Base64Encoder)
pkf.close()
return(priv_key)
def ExtractRSADnsPublicKey(private_key_file, dns_file):
""" Given a key, extract the bit we should place in DNS.
"""
print >> sys.stderr, 'extracting ' + private_key_file
working_file = tempfile.NamedTemporaryFile(delete=False).name
subprocess.check_call([OPENSSL_BINARY, 'rsa', '-in', private_key_file,
'-out', working_file, '-pubout', '-outform', 'PEM'])
cmd = 'grep -v ^-- %s | tr -d \'\\n\'' % working_file
try:
output = subprocess.check_output(cmd, shell=True)
finally:
os.unlink(working_file)
dns_fp = open(dns_file, "w+")
print >> sys.stderr, 'writing ' + dns_file
print >> dns_fp, "k=rsa; h=sha256; p={0}".format(output)
dns_fp.close()
def ExtractEd25519PublicKey(private_key_file, dns_file, priv_key):
""" Given a ed25519 key, extract the bit we should place in DNS.
"""
import nacl.encoding # Yes, pep-8, but let's not make everyone install nacl
pubkey = priv_key.verify_key
output = pubkey.encode(encoder=nacl.encoding.Base64Encoder)
dns_fp = open(dns_file, "w+")
print >> sys.stderr, 'writing ' + dns_file
print >> dns_fp, "k=ed25519; p={0}".format(output)
dns_fp.close()
def main(argv):
parser = argparse.ArgumentParser(
description='Produce DKIM keys.',)
parser.add_argument('key_name', action="store")
parser.add_argument('--ktype', choices=['rsa', 'ed25519'],
default='rsa',
help='DKIM key type: Default is rsa')
args=parser.parse_args()
if sys.version_info[0] >= 3:
args.key_name = bytes(args.key_name, encoding='UTF-8')
args.ktype = bytes(args.ktype, encoding='UTF-8')
# Make sys.stdin and stdout binary streams.
sys.stdin = sys.stdin.detach()
sys.stdout = sys.stdout.detach()
key_name = args.key_name
key_type = args.ktype
private_key_file = key_name + '.key'
dns_file = key_name + '.dns'
if key_type == 'rsa':
GenRSAKeys(private_key_file)
ExtractRSADnsPublicKey(private_key_file, dns_file)
elif key_type == 'ed25519':
priv_key = GenEd25519Keys(private_key_file)
ExtractEd25519PublicKey(private_key_file, dns_file, priv_key)
else:
print >> sys.stderr, "Unknown key type - no key generated."
if __name__ == '__main__':
main(sys.argv)
|