<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<!-- lifted from troff+man by doclifter -->
<refentrytitle>IPSEC_KEYBLOBTOID</refentrytitle>
<manvolnum>3</manvolnum>
<refmiscinfo class='date'>25 March 2002</refmiscinfo>
<refnamediv id='name'>
<refname>ipsec keyblobtoid</refname>
<refname>splitkeytoid</refname>
<refpurpose>generate key IDs from RSA keys</refpurpose>
<!-- body begins here -->
<refsynopsisdiv id='synopsis'>
#include &lt;freeswan.h&gt;
<funcdef>size_t <function>keyblobtoid</function></funcdef>
<paramdef>const unsigned char * <parameter>blob</parameter></paramdef>
<paramdef>size_t <parameter>bloblen</parameter></paramdef>
<paramdef>char * <parameter>dst</parameter></paramdef>
<paramdef>size_t <parameter>dstlen</parameter></paramdef>
<funcdef>size_t <function>splitkeytoid</function></funcdef>
<paramdef>const unsigned char * <parameter>e</parameter></paramdef>
<paramdef>size_t <parameter>elen</parameter></paramdef>
<paramdef>const unsigned char * <parameter>m</parameter></paramdef>
<paramdef>size_t <parameter>mlen</parameter></paramdef>
<paramdef>char * <parameter>dst</parameter></paramdef>
<paramdef>size_t <parameter>dstlen</parameter></paramdef>
<refsect1 id='description'><title>DESCRIPTION</title>
<para><emphasis remap='I'>Keyblobtoid</emphasis>
<function>splitkeytoid</function>
for use in messages and reporting,
<varname role='parameter'>dst</varname>.
<emphasis remap='I'>key ID</emphasis>
is a short ASCII string identifying a key;
currently it is just the first nine characters of the base64
encoding of the RFC 2537/3110 “byte blob” representation of the key.
(Beware that no finite key ID can be collision-proof:
there is always some small chance of two random keys having the
<para><emphasis remap='I'>Keyblobtoid</emphasis>
generates a key ID from a key which is already in the form of an
RFC 2537/3110 binary key
<varname role='parameter'>blob</varname>
(encoded exponent length, exponent, modulus).</para>
<para><emphasis remap='I'>Splitkeytoid</emphasis>
generates a key ID from a key given in the form of a separate
<varname role='parameter'>e</varname>
<varname role='parameter'>m</varname>.</para>
<varname role='parameter'>dstlen</varname>
specifies the size of the
<varname role='parameter'>dst</varname>
under no circumstances are more than
<varname role='parameter'>dstlen</varname>
<varname role='parameter'>dst</varname>.
A result which will not fit is truncated.
<emphasis remap='I'>Dstlen</emphasis>
can be zero, in which case
<varname role='parameter'>dst</varname>
need not be valid and no result is written,
but the return value is unaffected;
in all other cases, the (possibly truncated) result is NUL-terminated.
<emphasis remap='I'>freeswan.h</emphasis>
header file defines a constant
<emphasis remap='B'>KEYID_BUF</emphasis>
which is the size of a buffer large enough for worst-case results.</para>
<para>Both functions return
for a failure, and otherwise
always return the size of the buffer which would
accommodate the full conversion result, including the terminating NUL;
it is the caller's responsibility to check this against the size of
the provided buffer to determine whether truncation has occurred.</para>
<para>With keys generated by
<citerefentry><refentrytitle>ipsec_rsasigkey</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
the first two base64 digits are always the same,
and the third carries only about one bit of information.
It's worse with keys using longer fixed exponents,
e.g. the 24-bit exponent that's common in X.509 certificates.
However, being able to relate key IDs to the full
base64 text form of keys by eye is sufficiently useful that this
waste of space seems justifiable.
The choice of nine digits is a compromise between bulk and
probability of collision.</para>
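<para>The following is an added example, not FreeS/WAN's own code: a
stand-alone re-implementation, written from this page's description, of
how a key ID is derived (RFC 3110 blob of exponent length, exponent and
modulus; first nine base64 characters) and of the
<varname role='parameter'>dst</varname>/<varname role='parameter'>dstlen</varname>
contract (never more than <varname role='parameter'>dstlen</varname> bytes
written, truncated results NUL-terminated, zero
<varname role='parameter'>dstlen</varname> writes nothing, return value is
the size the full result needs). The <function>demo_</function> names and
constants are hypothetical, the sample key bytes are constructed, and the
use of 0 as the failure return is this example's assumption, since the page
does not state the library's failure value. It also shows why a fixed
exponent pins the leading base64 digits, as the last paragraph explains.</para>

```c
/* Added example, not libfreeswan code.  demo_* names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEMO_KEYID_CHARS 9                     /* page: first nine base64 characters */
#define DEMO_KEYID_BUF   (DEMO_KEYID_CHARS + 1) /* worst case incl. NUL, like KEYID_BUF */
#define DEMO_BLOB_MAX    1024

static const char demo_b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Build the RFC 3110 "byte blob": exponent length, exponent, modulus.
 * An exponent of up to 255 bytes gets a one-byte length; longer ones get a
 * zero byte followed by a two-byte big-endian length.  Returns the blob
 * length, or 0 when the exponent is too long for its length to be
 * representable (the DIAGNOSTICS case) or the blob would not fit. */
size_t demo_rfc3110_blob(const unsigned char *e, size_t elen,
                         const unsigned char *m, size_t mlen,
                         unsigned char *blob, size_t blobmax)
{
    size_t hdr;
    if (elen == 0 || elen > 0xffff) return 0;
    hdr = (elen <= 0xff) ? 1 : 3;
    if (hdr + elen + mlen > blobmax) return 0;
    if (hdr == 1) {
        blob[0] = (unsigned char)elen;
    } else {
        blob[0] = 0;
        blob[1] = (unsigned char)(elen >> 8);
        blob[2] = (unsigned char)(elen & 0xff);
    }
    memcpy(blob + hdr, e, elen);
    memcpy(blob + hdr + elen, m, mlen);
    return hdr + elen + mlen;
}

/* Key ID = first nine base64 characters of the blob.  Nine characters cover
 * 54 bits, so fewer than 7 blob bytes is "key too short" (returns 0, this
 * example's failure value).  Otherwise returns DEMO_KEYID_BUF, the size a
 * full result needs, writes at most dstlen bytes, and NUL-terminates any
 * truncated result; dstlen == 0 writes nothing at all. */
size_t demo_keyblobtoid(const unsigned char *blob, size_t bloblen,
                        char *dst, size_t dstlen)
{
    char full[DEMO_KEYID_BUF];
    size_t i;

    if (bloblen < 7) return 0;
    for (i = 0; i < DEMO_KEYID_CHARS; i++) {
        size_t bit = i * 6;                       /* bit offset of this digit */
        size_t byte = bit / 8, shift = bit % 8;
        unsigned v = (unsigned)blob[byte] << 8;   /* 16-bit window */
        if (byte + 1 < bloblen) v |= blob[byte + 1];
        full[i] = demo_b64[(v >> (10 - shift)) & 0x3f];
    }
    full[DEMO_KEYID_CHARS] = '\0';

    if (dstlen > 0) {
        size_t n = (DEMO_KEYID_BUF <= dstlen) ? DEMO_KEYID_CHARS : dstlen - 1;
        memcpy(dst, full, n);
        dst[n] = '\0';                            /* truncated result stays NUL-terminated */
    }
    return DEMO_KEYID_BUF;
}

/* Same result from a separate exponent and modulus. */
size_t demo_splitkeytoid(const unsigned char *e, size_t elen,
                         const unsigned char *m, size_t mlen,
                         char *dst, size_t dstlen)
{
    unsigned char blob[DEMO_BLOB_MAX];
    size_t bloblen = demo_rfc3110_blob(e, elen, m, mlen, blob, sizeof blob);
    if (bloblen == 0) return 0;
    return demo_keyblobtoid(blob, bloblen, dst, dstlen);
}

int main(void)
{
    /* Constructed sample key: exponent 3, an 8-byte "modulus" (not a real key). */
    static const unsigned char e[] = {0x03};
    static const unsigned char m[] = {0xC3, 0x5A, 0x9F, 0x11, 0x22, 0x33, 0x44, 0x55};
    char id[DEMO_KEYID_BUF], small[4];
    size_t need;

    need = demo_splitkeytoid(e, sizeof e, m, sizeof m, id, sizeof id);
    printf("key ID %s (needs %zu bytes)\n", id, need);

    /* The caller's truncation check the page asks for: compare the return
     * value against the buffer size actually supplied. */
    need = demo_splitkeytoid(e, sizeof e, m, sizeof m, small, sizeof small);
    if (need == 0)
        puts("failure: garbage key");
    else if (need > sizeof small)
        printf("truncated to %s (needed %zu, had %zu)\n", small, need, sizeof small);
    return 0;
}
```

With a one-byte exponent the blob starts 0x01 0x03, so the first two
digits are always "AQ" and the third takes only a few values; with the
three-byte exponent 65537 the blob starts 0x03 0x01 0x00 0x01 and the first
four digits are always "AwEA", which is the "worse with longer fixed
exponents" effect described above.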
<refsect1 id='see_also'><title>SEE ALSO</title>
<emphasis remap='I'>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</emphasis>,
(superseding the older but better-known RFC 2537).</para>
<refsect1 id='diagnostics'><title>DIAGNOSTICS</title>
<para>Fatal errors are:
key too short to supply enough bits to construct a complete key ID
(almost certainly indicating a garbage key);
exponent too long for its length to be representable.</para>
<refsect1 id='history'><title>HISTORY</title>
<para>Written for the FreeS/WAN project by Henry Spencer.</para>