crypto: improve help

Author: lws-team

CMakeLists.txt

@@ -392,7 +392,11 @@ endif()
 option(LWS_WITH_MCUFONT_ENCODER "Build the ttf to mcufont encoder" OFF)
 option(LWS_WITH_WAKE_LOGGING "Log each wake reason" OFF)
 option(LWS_WITH_DHT "Include DHT frontend client APIs" OFF)
-option(LWS_WITH_DHT_BACKEND "Include full DHT backend node functionality" OFF)
+set(LWS_WITH_DHT_BACKEND_DEFAULT OFF)
+if (LWS_WITH_DHT)
+	set(LWS_WITH_DHT_BACKEND_DEFAULT ON)
+endif()
+option(LWS_WITH_DHT_BACKEND "Include full DHT backend node functionality" ${LWS_WITH_DHT_BACKEND_DEFAULT})
 option(LWS_WITH_TRANSPORT_SEQUENCER "Include Transport Sequencer APIs" OFF)
 option(LWS_WITH_MNEMONIC "Include mnemonic key generation support" OFF)
 option(LWS_WITH_DTLS "Compile with support for Generic DTLS" OFF)

READMEs/README.dht.md

@@ -7,7 +7,7 @@ Libwebsockets provides an implementation of a Kademlia-based Distributed Hash Ta
 The DHT functionality is physically split into client and backend blocks to allow resource-constrained devices to participate as clients without maintaining full routing tables and storage on the device.
 
 *   `LWS_WITH_DHT`: Enables the DHT frontend and client API. This provides the core functionality to manage a DHT node ID (`dht-id.c`), serialize and parse base DHT protocol messages (`dht-bencode.c`), and manage networking and queries (`dht-tx.c`, `dht.c`).
-*   `LWS_WITH_DHT_BACKEND`: Enables the full DHT backend. This includes managing buckets, maintaining the complex routing table, coordinating decentralized searches, maintaining in-memory storage, and automatically responding to incoming RPCs like `ping`, `find_node`, `get_peers`, and `announce_peer`. Enabling this automatically requires and implies `LWS_WITH_DHT`.
+*   `LWS_WITH_DHT_BACKEND`: Enables the full DHT backend. This includes managing buckets, maintaining the complex routing table, coordinating decentralized searches, maintaining in-memory storage, and automatically responding to incoming RPCs like `ping`, `find_node`, `get_peers`, and `announce_peer`. This is automatically enabled by default when `LWS_WITH_DHT` is enabled, but can be forced off with `-DLWS_WITH_DHT_BACKEND=0`.
 
 ## Configuration Options (`lws_dht_info_t`)
 

include/libwebsockets/lws-dht-dnssec.h

@@ -29,22 +29,18 @@ struct lws_context;
 
 struct lws_dht_dnssec_keygen_args {
 	const char *domain;
+	const char *type;   /* e.g. "EC" or "RSA" */
 	const char *curve;
-	int is_ksk;
+	int bits;
 };
 
 struct lws_dht_dnssec_dsfromkey_args {
-	const char *key_file;
+	const char *domain;
 	const char *hash;   /* E.g., "SHA256" */
 };
 
 struct lws_dht_dnssec_signzone_args {
 	const char *domain;
-	const char *input_filepath;
-	const char *output_filepath;
-	const char *jws_filepath;
-	const char *zsk_jwk_filepath;
-	const char *ksk_jwk_filepath;
 	uint32_t sign_validity_duration;
 };
 

minimal-examples-lowlevel/crypto/minimal-crypto-cose-key/main.c

@@ -22,15 +22,15 @@ enum {
 };
 
 static const struct lws_switches switches[] = {
-	[LWS_SW_BITS]	= { "--bits",          "Enable --bits feature" },
-	[LWS_SW_CURVE]	= { "--curve",         "Enable --curve feature" },
-	[LWS_SW_KID]	= { "--kid",           "Enable --kid feature" },
-	[LWS_SW_KID_HEX]	= { "--kid-hex",       "Enable --kid-hex feature" },
-	[LWS_SW_KTY]	= { "--kty",           "Enable --kty feature" },
-	[LWS_SW_STDIN]	= { "--stdin",         "Enable --stdin feature" },
-	[LWS_SW_STDOUT]	= { "--stdout",        "Enable --stdout feature" },
+	[LWS_SW_BITS]	= { "--bits",          "Number of bits for the generated key (e.g. 2048)" },
+	[LWS_SW_CURVE]	= { "--curve",         "EC algorithm curve (e.g. P-256)" },
+	[LWS_SW_KID]	= { "--kid",           "Apply Key ID text format string" },
+	[LWS_SW_KID_HEX]	= { "--kid-hex",       "Apply Key ID in hex format" },
+	[LWS_SW_KTY]	= { "--kty",           "Key type (OKP, EC2, RSA, SYMMETRIC)" },
+	[LWS_SW_STDIN]	= { "--stdin",         "Take input from standard input" },
+	[LWS_SW_STDOUT]	= { "--stdout",        "Output to standard output" },
 	[LWS_SW_D]	= { "-d",              "Debug logs (e.g. -d 15)" },
-	[LWS_SW_HELP]	= { "--help",		"Show this help information" },
+	[LWS_SW_HELP]	= { "--help",		"Show this help information (-h, --help)" },
 };
 
 #include <sys/select.h>
@@ -147,7 +147,7 @@ int main(int argc, const char **argv)
 	lws_lec_pctx_t lec;
 	(void)switches;
 
-	if ((argc == 1) || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
+	if ((argc == 1) || lws_cmdline_option(argc, argv, "-h") || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
 		lws_switches_print_help(argv[0], switches, LWS_ARRAY_SIZE(switches));
 		return 0;
 	}

minimal-examples-lowlevel/crypto/minimal-crypto-cose-sign/main.c

@@ -27,20 +27,20 @@ enum {
 };
 
 static const struct lws_switches switches[] = {
-	[LWS_SW_ALG]	= { "--alg",           "Enable --alg feature" },
-	[LWS_SW_COSE_MAC]	= { "--cose-mac",      "Enable --cose-mac feature" },
-	[LWS_SW_COSE_MAC0]	= { "--cose-mac0",     "Enable --cose-mac0 feature" },
-	[LWS_SW_COSE_SIGN]	= { "--cose-sign",     "Enable --cose-sign feature" },
-	[LWS_SW_COSE_SIGN1]	= { "--cose-sign1",    "Enable --cose-sign1 feature" },
-	[LWS_SW_EXTRA]	= { "--extra",         "Enable --extra feature" },
-	[LWS_SW_KID]	= { "--kid",           "Enable --kid feature" },
-	[LWS_SW_KID_HEX]	= { "--kid-hex",       "Enable --kid-hex feature" },
-	[LWS_SW_STDIN]	= { "--stdin",         "Enable --stdin feature" },
-	[LWS_SW_STDOUT]	= { "--stdout",        "Enable --stdout feature" },
+	[LWS_SW_ALG]	= { "--alg",           "COSE alg to use for signing (e.g. ES256)" },
+	[LWS_SW_COSE_MAC]	= { "--cose-mac",      "Emit a COSE_Mac message" },
+	[LWS_SW_COSE_MAC0]	= { "--cose-mac0",     "Emit a COSE_Mac0 message" },
+	[LWS_SW_COSE_SIGN]	= { "--cose-sign",     "Emit a COSE_Sign message (multi-signature)" },
+	[LWS_SW_COSE_SIGN1]	= { "--cose-sign1",    "Emit a COSE_Sign1 message (single signature)" },
+	[LWS_SW_EXTRA]	= { "--extra",         "Extra application data appended to signature (hex)" },
+	[LWS_SW_KID]	= { "--kid",           "String specifying the kid to filter keys from keyset" },
+	[LWS_SW_KID_HEX]	= { "--kid-hex",       "Hex string specifying the kid to filter keys from keyset" },
+	[LWS_SW_STDIN]	= { "--stdin",         "Path to file to use as stdin (if not piping)" },
+	[LWS_SW_STDOUT]	= { "--stdout",        "Path to file to write to stdout (if not piping)" },
 	[LWS_SW_D]	= { "-d",              "Debug logs (e.g. -d 15)" },
-	[LWS_SW_K]	= { "-k",              "Key or cert path" },
-	[LWS_SW_S]	= { "-s",              "Use TLS / https" },
-	[LWS_SW_HELP]	= { "--help",		"Show this help information" },
+	[LWS_SW_K]	= { "-k",              "Path to keyset file to use" },
+	[LWS_SW_S]	= { "-s",              "Sign instead of verify" },
+	[LWS_SW_HELP]	= { "--help",		"Show this help information (-h, --help)" },
 };
 
 #include <sys/types.h>
@@ -146,7 +146,7 @@ int main(int argc, const char **argv)
 	const char *p;
 	(void)switches;
 
-	if ((argc == 1) || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
+	if ((argc == 1) || lws_cmdline_option(argc, argv, "-h") || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
 		lws_switches_print_help(argv[0], switches, LWS_ARRAY_SIZE(switches));
 		return 0;
 	}

minimal-examples-lowlevel/crypto/minimal-crypto-dnssec/main.c

@@ -16,22 +16,24 @@
 
 enum {
 	LWS_SW_CURVE,
+	LWS_SW_TYPE,
+	LWS_SW_BITS,
 	LWS_SW_DURATION,
 	LWS_SW_HASH,
-	LWS_SW_KSK,
-	LWS_SW_ZSK,
 	LWS_SW_D,
+	LWS_SW_P,
 	LWS_SW_HELP,
 };
 
 static const struct lws_switches switches[] = {
-	[LWS_SW_CURVE]	= { "--curve",         "Enable --curve feature" },
-	[LWS_SW_DURATION]	= { "--duration",      "Enable --duration feature" },
-	[LWS_SW_HASH]	= { "--hash",          "Enable --hash feature" },
-	[LWS_SW_KSK]	= { "--ksk",           "Enable --ksk feature" },
-	[LWS_SW_ZSK]	= { "--zsk",           "Enable --zsk feature" },
+	[LWS_SW_CURVE]	= { "--curve",         "Set crypto curve for EC keygen (e.g. P-256)" },
+	[LWS_SW_TYPE]	= { "--type",          "Set key type (EC or RSA, default EC)" },
+	[LWS_SW_BITS]	= { "--bits",          "Set key size for RSA keygen (e.g. 2048)" },
+	[LWS_SW_DURATION]	= { "--duration",      "Set signature validity duration in hours" },
+	[LWS_SW_HASH]	= { "--hash",          "Set hash type for DS record (e.g. SHA256)" },
 	[LWS_SW_D]	= { "-d",              "Debug logs (e.g. -d 15)" },
-	[LWS_SW_HELP]	= { "--help",		"Show this help information" },
+	[LWS_SW_P]	= { "-p",              "Extra plugin dir" },
+	[LWS_SW_HELP]	= { "--help",		"Show this help information (-h, --help)" },
 };
 
 int main(int argc, const char **argv)
@@ -44,37 +46,60 @@ int main(int argc, const char **argv)
 	const struct lws_dht_dnssec_ops *ops;
 	struct lws_vhost *vh;
 
-	if ((argc == 1) || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
-		lws_switches_print_help(argv[0], switches, LWS_ARRAY_SIZE(switches));
-		return 0;
-	}
-
 	if ((p = lws_cmdline_option(argc, argv, switches[LWS_SW_D].sw)))
 		logs = atoi(p);
 
 	lws_set_log_level(logs, NULL);
+
+	if ((argc == 1) || lws_cmdline_option(argc, argv, "-h") || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
+		lwsl_user("Usage: %s <keygen|dsfromkey|signzone> [args...]\n\n", argv[0]);
+		lwsl_user("  keygen    [--type <RSA|EC>] [--bits <size>] [--curve <curve>] <domain>\n");
+		lwsl_user("            Outputs: <domain>.[ksk|zsk].key & <domain>.[ksk|zsk].private.jwk\n");
+		lwsl_user("  dsfromkey [--hash <hash>] <domain>\n");
+		lwsl_user("            Inputs : <domain>.ksk.key  Outputs: Base64 DS Record to stdout\n");
+		lwsl_user("  signzone  [--duration <hours>] <domain>\n");
+		lwsl_user("            Inputs : <domain>.zone, <domain>.ksk.private.jwk, <domain>.zsk.private.jwk\n");
+		lwsl_user("            Outputs: <domain>.zone.signed and <domain>.zone.signed.jws\n\n");
+		lws_switches_print_help(argv[0], switches, LWS_ARRAY_SIZE(switches));
+		return 0;
+	}
+
 	lwsl_user("LWS DNSSEC Crypto Utility (DHT Plugin Wrapper)\n");
 
 	if (argc < 2) {
 		lwsl_err("Usage: lws-crypto-dnssec <keygen|dsfromkey|signzone> [args...]\n");
 		return 1;
 	}
 
+#if 0
 	static const char * const pdirs[] = {
 		"./lib",
 		"../lib",
+		"./plugins",
+		"../plugins",
 		"./build/lib",
 		"../build/lib",
 		"../../lib",
 		NULL
 	};
+	static const char * dynamic_pdirs[3];
+#endif
 
 	memset(&info, 0, sizeof info);
 #if defined(LWS_WITH_NETWORK)
 	info.port = CONTEXT_PORT_NO_LISTEN;
 #endif
 	info.options = 0;
-	info.plugin_dirs = pdirs;
+
+#if 0
+	if ((p = lws_cmdline_option(argc, argv, switches[LWS_SW_P].sw))) {
+		dynamic_pdirs[0] = p;
+		dynamic_pdirs[1] = NULL;
+		info.plugin_dirs = dynamic_pdirs;
+	} else {
+		info.plugin_dirs = pdirs;
+	}
+#endif
 
 	context = lws_create_context(&info);
 	if (!context) {
@@ -104,24 +129,37 @@ int main(int argc, const char **argv)
 	}
 
 	const char *mode = argv[1];
+	int n = argc - 1;
+
+	/* move back 1 arg each time the candidate begins with '-' */
+	while (n > 1 && argv[n][0] == '-')
+		n--;
+
+	if (n < 2) {
+		lwsl_err("Missing domain argument\n");
+		lws_context_destroy(context);
+		return 1;
+	}
 
 	if (!strcmp(mode, "keygen")) {
 		struct lws_dht_dnssec_keygen_args kg_args;
 		memset(&kg_args, 0, sizeof(kg_args));
 
-		if (lws_cmdline_option(argc, argv, switches[LWS_SW_KSK].sw))
-			kg_args.is_ksk = 1;
 		if ((p = lws_cmdline_option(argc, argv, switches[LWS_SW_CURVE].sw)))
 			kg_args.curve = p;
+		if ((p = lws_cmdline_option(argc, argv, switches[LWS_SW_TYPE].sw)))
+			kg_args.type = p;
+		if ((p = lws_cmdline_option(argc, argv, switches[LWS_SW_BITS].sw)))
+			kg_args.bits = atoi(p);
 
-		kg_args.domain = argv[argc - 1];
+		kg_args.domain = argv[n];
 
 		if (ops->keygen) result = ops->keygen(context, &kg_args);
 	} else if (!strcmp(mode, "dsfromkey")) {
 		struct lws_dht_dnssec_dsfromkey_args ds_args;
 		memset(&ds_args, 0, sizeof(ds_args));
 
-		ds_args.key_file = argv[argc - 1];
+		ds_args.domain = argv[n];
 		if ((p = lws_cmdline_option(argc, argv, switches[LWS_SW_HASH].sw)))
 			ds_args.hash = p;
 
@@ -130,18 +168,10 @@ int main(int argc, const char **argv)
 		struct lws_dht_dnssec_signzone_args sz_args;
 		memset(&sz_args, 0, sizeof(sz_args));
 
-		if ((p = lws_cmdline_option(argc, argv, switches[LWS_SW_ZSK].sw)))
-			sz_args.zsk_jwk_filepath = p;
-		if ((p = lws_cmdline_option(argc, argv, switches[LWS_SW_KSK].sw)))
-			sz_args.ksk_jwk_filepath = p;
 		if ((p = lws_cmdline_option(argc, argv, switches[LWS_SW_DURATION].sw)))
 			sz_args.sign_validity_duration = (uint32_t)atoi(p);
 
-		if (argc >= 4 && argv[argc - 3][0] != '-' && argv[argc - 2][0] != '-' && argv[argc - 1][0] != '-') {
-			sz_args.input_filepath = argv[argc - 3];
-			sz_args.output_filepath = argv[argc - 2];
-			sz_args.jws_filepath = argv[argc - 1];
-		}
+		sz_args.domain = argv[n];
 
 		if (ops->signzone) result = ops->signzone(context, &sz_args);
 	} else {

minimal-examples-lowlevel/crypto/minimal-crypto-jwe/main.c

@@ -19,12 +19,12 @@ enum {
 };
 
 static const struct lws_switches switches[] = {
-	[LWS_SW_C]	= { "-c",              "Client connections" },
+	[LWS_SW_C]	= { "-c",              "Output in C array format" },
 	[LWS_SW_D]	= { "-d",              "Debug logs (e.g. -d 15)" },
-	[LWS_SW_E]	= { "-e",              "Enable -e feature" },
-	[LWS_SW_F]	= { "-f",              "Enable -f feature" },
-	[LWS_SW_K]	= { "-k",              "Key or cert path" },
-	[LWS_SW_HELP]	= { "--help",		"Show this help information" },
+	[LWS_SW_E]	= { "-e",              "Encrypt using <alg> <enc> format (e.g. 'RSA1_5 A128CBC-HS256')" },
+	[LWS_SW_F]	= { "-f",              "Output in flattened representation" },
+	[LWS_SW_K]	= { "-k",              "Path to the JWK key file" },
+	[LWS_SW_HELP]	= { "--help",		"Show this help information (-h, --help)" },
 };
 
 #include <sys/types.h>
@@ -111,7 +111,7 @@ int main(int argc, const char **argv)
 	const char *p;
 	(void)switches;
 
-	if ((argc == 1) || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
+	if ((argc == 1) || lws_cmdline_option(argc, argv, "-h") || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
 		lws_switches_print_help(argv[0], switches, LWS_ARRAY_SIZE(switches));
 		return 0;
 	}

minimal-examples-lowlevel/crypto/minimal-crypto-jwk/main.c

@@ -25,18 +25,18 @@ enum {
 };
 
 static const struct lws_switches switches[] = {
-	[LWS_SW_ALG]	= { "--alg",           "Enable --alg feature" },
-	[LWS_SW_CURVE]	= { "--curve",         "Enable --curve feature" },
-	[LWS_SW_KEY_OPS]	= { "--key-ops",       "Enable --key-ops feature" },
-	[LWS_SW_KID]	= { "--kid",           "Enable --kid feature" },
-	[LWS_SW_PUBLIC]	= { "--public",        "Enable --public feature" },
-	[LWS_SW_USE]	= { "--use",           "Enable --use feature" },
-	[LWS_SW_B]	= { "-b",              "Enable -b feature" },
-	[LWS_SW_C]	= { "-c",              "Client connections" },
+	[LWS_SW_ALG]	= { "--alg",           "Set the 'alg' JWS algorithm (e.g. RS256)" },
+	[LWS_SW_CURVE]	= { "--curve",         "Set the EC curve (e.g. P-256)" },
+	[LWS_SW_KEY_OPS]	= { "--key-ops",       "Set the 'key_ops' (e.g. sign, verify)" },
+	[LWS_SW_KID]	= { "--kid",           "Set the 'kid' Key ID" },
+	[LWS_SW_PUBLIC]	= { "--public",        "Output public key only to specified file" },
+	[LWS_SW_USE]	= { "--use",           "Set the 'use' intended usage (e.g. sig)" },
+	[LWS_SW_B]	= { "-b",              "Number of bits to generate (e.g. 2048, 4096)" },
+	[LWS_SW_C]	= { "-c",              "Format output as C array for header files" },
 	[LWS_SW_D]	= { "-d",              "Debug logs (e.g. -d 15)" },
-	[LWS_SW_T]	= { "-t",              "Test flag" },
-	[LWS_SW_V]	= { "-v",              "Set retry and idle policy" },
-	[LWS_SW_HELP]	= { "--help",		"Show this help information" },
+	[LWS_SW_T]	= { "-t",              "Key type to generate (RSA, EC, OCT)" },
+	[LWS_SW_V]	= { "-v",              "Alias for --curve" },
+	[LWS_SW_HELP]	= { "--help",		"Show this help information (-h, --help)" },
 };
 
 #include <sys/types.h>
@@ -109,7 +109,7 @@ int main(int argc, const char **argv)
 	int vl = sizeof(key);
 	(void)switches;
 
-	if ((argc == 1) || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
+	if ((argc == 1) || lws_cmdline_option(argc, argv, "-h") || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
 		lws_switches_print_help(argv[0], switches, LWS_ARRAY_SIZE(switches));
 		return 0;
 	}

minimal-examples-lowlevel/crypto/minimal-crypto-jws/main.c

@@ -19,10 +19,10 @@ enum {
 
 static const struct lws_switches switches[] = {
 	[LWS_SW_D]	= { "-d",              "Debug logs (e.g. -d 15)" },
-	[LWS_SW_F]	= { "-f",              "Enable -f feature" },
-	[LWS_SW_K]	= { "-k",              "Key or cert path" },
-	[LWS_SW_S]	= { "-s",              "Use TLS / https" },
-	[LWS_SW_HELP]	= { "--help",		"Show this help information" },
+	[LWS_SW_F]	= { "-f",              "Output JWS in flattened format" },
+	[LWS_SW_K]	= { "-k",              "Path to the JWK key file" },
+	[LWS_SW_S]	= { "-s",              "Sign plaintext from stdin using provided algorithm (e.g. RS256)" },
+	[LWS_SW_HELP]	= { "--help",		"Show this help information (-h, --help)" },
 };
 
 #include <sys/types.h>
@@ -46,7 +46,7 @@ int main(int argc, const char **argv)
 	const char *p;
 	(void)switches;
 
-	if ((argc == 1) || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
+	if ((argc == 1) || lws_cmdline_option(argc, argv, "-h") || lws_cmdline_option(argc, argv, switches[LWS_SW_HELP].sw)) {
 		lws_switches_print_help(argv[0], switches, LWS_ARRAY_SIZE(switches));
 		return 0;
 	}