asetkey: add 'add-random' command

Add a new command, 'add-random', to allow the creation of a new key with random data. This is helpful for certain rxgk keys, which only need to exist in KeyFileExt and not in any other database (like a krb5 KDC), and so aren't derived from a krb5 keytab. Change-Id: I1f3b27e074b0931deb8645f7550e0b315d82e249 Reviewed-on: https://gerrit.openafs.org/12768 Tested-by: BuildBot <buildbot@rampaginggeek.com> Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
2025-01-18 15:00:12 +00:00 · 2017-11-09 12:50:53 -06:00 · 2017-11-09 12:50:53 -06:00 · 9779dd29e7
commit 9779dd29e7
parent 5120409cc9
2 changed files with 90 additions and 0 deletions
--- a/doc/man-pages/pod8/asetkey.pod
+++ b/doc/man-pages/pod8/asetkey.pod
@ -15,6 +15,10 @@ B<asetkey> add <I<type>> <I<kvno>> <I<subtype>> <I<key>>

 B<asetkey> add <I<type>> <I<kvno>> <I<subtype>> <I<keyfile>> <I<princ>>

+B<asetkey> add-random <I<type>> <I<kvno>>
+
+B<asetkey> add-random <I<type>> <I<kvno>> <I<subtype>>
+
 B<asetkey> delete <I<kvno>>

 B<asetkey> delete <I<type>> <I<kvno>>
@ -54,6 +58,10 @@ C<getprinc> function of B<kadmin>).  I<principal> should be the name of
 the AFS principal in the keytab, which must be either C<afs> or
 C<afs/I<cell name>>.

+The B<asetkey add-random> command can be used to create randomized keys,
+instead of using keys derived from an existing krb5 principal. This is useful
+primarily for some rxgk keys.
+
 =head1 CAUTIONS

 Historically, AFS only supported des-cbc-crc:v4 Kerberos keys.  In environments
--- a/src/aklog/asetkey.c
+++ b/src/aklog/asetkey.c
@ -237,6 +237,83 @@ addKey(struct afsconf_dir *dir, int argc, char **argv) {
    }
 }

+static struct afsconf_typedKey *
+random_key(char **argv, int type, int kvno, int subtype)
+{
+    struct afsconf_typedKey *typedKey;
+    krb5_context ctx;
+    krb5_keyblock keyblock;
+    struct rx_opaque key;
+    int code;
+
+    code = krb5_init_context(&ctx);
+    if (code) {
+        afs_com_err(argv[0], code, "while initializing krb5 ctx");
+        exit(1);
+    }
+
+    memset(&keyblock, 0, sizeof(keyblock));
+    code = krb5_c_make_random_key(ctx, subtype, &keyblock);
+    if (code) {
+        afs_com_err(argv[0], code, "while generating random key");
+        exit(1);
+    }
+
+    memset(&key, 0, sizeof(key));
+    key.len = keyblock.length;
+    key.val = keyblock.contents;
+
+    typedKey = afsconf_typedKey_new(type, kvno, subtype, &key);
+
+    krb5_free_keyblock_contents(ctx, &keyblock);
+    krb5_free_context(ctx);
+
+    return typedKey;
+}
+
+static void
+addRandomKey(struct afsconf_dir *dir, int argc, char **argv)
+{
+    struct afsconf_typedKey *typedKey;
+    int type;
+    int kvno;
+    int code;
+    int subtype;
+
+    /* Just pick a reasonable enctype */
+    const int RAND_ENCTYPE = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+
+    subtype = RAND_ENCTYPE;
+
+    switch (argc) {
+    case 5:
+        subtype = atoi(argv[4]);
+        /* fall through */
+    case 4:
+        type = stringToType(argv[2]);
+        kvno = atoi(argv[3]);
+
+        typedKey = random_key(argv, type, kvno, subtype);
+
+        code = afsconf_AddTypedKey(dir, typedKey, 1);
+        afsconf_typedKey_put(&typedKey);
+        if (code) {
+            afs_com_err(argv[0], code, "while adding random key");
+            exit(1);
+        }
+
+        printf("Added random key with type %d kvno %d subtype %d\n",
+               type, kvno, subtype);
+        break;
+
+    default:
+	fprintf(stderr, "%s add-random: usage is '%s add-random <type> <kvno>\n",
+                argv[0], argv[0]);
+	fprintf(stderr, "\tOR\n\t%s add-random <type> <kvno> <subtype>\n", argv[0]);
+        exit(1);
+    }
+}
+
 static void
 deleteKey(struct afsconf_dir *dir, int argc, char **argv)
 {
@ -357,6 +434,8 @@ main(int argc, char *argv[])
 	fprintf(stderr, "\tOR\n\t%s add <type> <kvno> <subtype> <keyfile> <princ>\n",
 	        argv[0]);
 	fprintf(stderr, "\t\tEx: %s add 0 \"80b6a7cd7a9dadb6\"\n", argv[0]);
+	fprintf(stderr, "\t%s add-random <type> <kvno>\n", argv[0]);
+	fprintf(stderr, "\t%s add-random <type> <kvno> <subtype>\n", argv[0]);
 	fprintf(stderr, "\t%s delete <kvno>\n", argv[0]);
 	fprintf(stderr, "\t%s delete <type> <kvno>\n", argv[0]);
 	fprintf(stderr, "\t%s delete <type> <kvno> <subtype>\n", argv[0]);
@ -382,6 +461,9 @@ main(int argc, char *argv[])
 	listKey(tdir, argc, argv);

    }
+    else if (strcmp(argv[1], "add-random") == 0) {
+        addRandomKey(tdir, argc, argv);
+    }
    else {
 	fprintf(stderr, "%s: unknown operation '%s', type '%s' for "
 		"assistance\n", argv[0], argv[1], argv[0]);