1
.TH IPSEC_KEYBLOBTOID 3 "25 March 2002"
2
.\" RCSID $Id: keyblobtoid.3,v 1.4 2002/04/24 07:36:49 mcr Exp $
4
ipsec keyblobtoid, splitkeytoid \- generate key IDs from RSA keys
6
.B "#include <freeswan.h>
8
.B "size_t keyblobtoid(const unsigned char *blob,"
10
.B "size_t bloblen, char *dst, size_t dstlen);"
12
.B "size_t splitkeytoid(const unsigned char *e, size_t elen,"
14
.B "const unsigned char *m, size_t mlen, char *dst,
24
for use in messages and reporting,
29
is a short ASCII string identifying a key;
30
currently it is just the first nine characters of the base64
31
encoding of the RFC 2537/3110 ``byte blob'' representation of the key.
32
(Beware that no finite key ID can be collision-proof:
33
there is always some small chance of two random keys having the
37
generates a key ID from a key which is already in the form of an
38
RFC 2537/3110 binary key
40
(encoded exponent length, exponent, modulus).
43
generates a key ID from a key given in the form of a separate
52
specifies the size of the
55
under no circumstances are more than
59
A result which will not fit is truncated.
61
can be zero, in which case
63
need not be valid and no result is written,
64
but the return value is unaffected;
65
in all other cases, the (possibly truncated) result is NUL-terminated.
68
header file defines a constant
70
which is the size of a buffer large enough for worst-case results.
74
for a failure, and otherwise
75
always return the size of buffer which would
77
accommodate the full conversion result, including terminating NUL;
78
it is the caller's responsibility to check this against the size of
79
the provided buffer to determine whether truncation has occurred.
81
With keys generated by
82
.IR ipsec_rsasigkey (3),
83
the first two base64 digits are always the same,
84
and the third carries only about one bit of information.
85
It's worse with keys using longer fixed exponents,
86
e.g. the 24-bit exponent that's common in X.509 certificates.
87
However, being able to relate key IDs to the full
88
base64 text form of keys by eye is sufficiently useful that this
89
waste of space seems justifiable.
90
The choice of nine digits is a compromise between bulk and
91
probability of collision.
94
\fIRSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)\fR,
96
(superseding the older but better-known RFC 2537).
99
key too short to supply enough bits to construct a complete key ID
100
(almost certainly indicating a garbage key);
101
exponent too long for its length to be representable.
103
Written for the FreeS/WAN project by Henry Spencer.