OpenDNSSEC-enforcer 2.1.13
keystate_export_cmd.c
Go to the documentation of this file.
1/*
2 * Copyright (c) 2011 Surfnet
3 * Copyright (c) 2011 .SE (The Internet Infrastructure Foundation).
4 * Copyright (c) 2011 OpenDNSSEC AB (svb)
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
20 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
22 * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
24 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
26 * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 *
28 */
29
30#include "config.h"
31#include <getopt.h>
32
33#include "cmdhandler.h"
35#include "daemon/engine.h"
36#include "file.h"
37#include "log.h"
38#include "str.h"
39#include "clientpipe.h"
40#include "longgetopt.h"
41#include "duration.h"
42#include "libhsm.h"
43#include "libhsmdns.h"
44#include "db/key_data.h"
45#include "db/db_error.h"
46
49
50static const char *module_str = "keystate_export_cmd";
51
58static ldns_rr *
59get_dnskey(const char *id, const char *zone, const char *keytype, int alg, uint32_t ttl)
60{
61 libhsm_key_t *key;
62 hsm_sign_params_t *sign_params;
63 ldns_rr *dnskey_rr;
64 /* Code to output the DNSKEY record (stolen from hsmutil) */
65 hsm_ctx_t *hsm_ctx = hsm_create_context();
66 if (!hsm_ctx) {
67 ods_log_error("[%s] Could not connect to HSM", module_str);
68 return NULL;
69 }
70 if (!(key = hsm_find_key_by_id(hsm_ctx, id))) {
71 hsm_destroy_context(hsm_ctx);
72 return NULL;
73 }
74
75 /* Sign params only need to be kept around
76 * for the hsm_get_dnskey() call. */
77 sign_params = hsm_sign_params_new();
78 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone);
79 sign_params->algorithm = (ldns_algorithm) alg;
80 sign_params->flags = LDNS_KEY_ZONE_KEY;
81
82 if (keytype && (!strcasecmp(keytype, "KSK") || !strcasecmp(keytype, "CSK")))
83 sign_params->flags = sign_params->flags | LDNS_KEY_SEP_KEY;
84
85 /* Get the DNSKEY record */
86 dnskey_rr = hsm_get_dnskey(hsm_ctx, key, sign_params);
87
88 libhsm_key_free(key);
89 hsm_sign_params_free(sign_params);
90 hsm_destroy_context(hsm_ctx);
91
92 /* Override the TTL in the dnskey rr */
93 if (ttl)
94 ldns_rr_set_ttl(dnskey_rr, ttl);
95
96 return dnskey_rr;
97}
98
109static int
110print_ds_from_id(int sockfd, key_data_t *key, const char *zone,
111 const char* state, int bind_style, int print_sha1)
112{
113 ldns_rr *dnskey_rr;
114 ldns_rr *ds_sha_rr;
115 int ttl = 0;
116 const char *locator;
117 char *rrstr;
118
119 assert(key);
120 assert(zone);
121
122 locator = hsm_key_locator(key_data_hsm_key(key));
123 if (!locator)
124 return 1;
125 /* This fetches the states from the DB, I'm only assuming they get
126 * cleaned up when 'key' is cleaned(?) */
128 return 1;
129
131
132 dnskey_rr = get_dnskey(locator, zone, key_data_role_text(key), key_data_algorithm(key), ttl);
133 if (!dnskey_rr)
134 return 1;
135
136 if (bind_style) {
137 ldns_rr_set_ttl(dnskey_rr, key_state_ttl (key_data_cached_ds(key)));
138 if (print_sha1) {
139 ds_sha_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA1);
140 rrstr = ldns_rr2str(ds_sha_rr);
141 ldns_rr_free(ds_sha_rr);
142 /* TODO log error on failure */
143 (void)client_printf(sockfd, ";%s %s DS record (SHA1):\n%s", state, key_data_role_text(key), rrstr);
144 LDNS_FREE(rrstr);
145 } else {
146 ds_sha_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA256);
147 rrstr = ldns_rr2str(ds_sha_rr);
148 ldns_rr_free(ds_sha_rr);
149 /* TODO log error on failure */
150 (void)client_printf(sockfd, ";%s %s DS record (SHA256):\n%s", state, key_data_role_text(key), rrstr);
151 LDNS_FREE(rrstr);
152 }
153 } else {
154 rrstr = ldns_rr2str_fmt(ldns_output_format_nocomments, dnskey_rr);
155 /* TODO log error on failure */
156 (void)client_printf(sockfd, "%s", rrstr);
157 LDNS_FREE(rrstr);
158 }
159
160 ldns_rr_free(dnskey_rr);
161 return 0;
162}
163
164static int
165perform_keystate_export(int sockfd, db_connection_t *dbconn,
166 const char *zonename, const char *keytype, const char *keystate,
167 const hsm_key_t *hsmkey, int all, int bind_style, int print_sha1)
168{
169 key_data_list_t *key_list = NULL;
170 key_data_t *key;
171 zone_db_t *zone = NULL;
172 db_clause_list_t* clause_list = NULL;
173 const char *azonename = NULL;
174
175 /* Find all keys related to zonename */
176 if (all == 0) {
177 if (!(key_list = key_data_list_new(dbconn)) ||
178 !(clause_list = db_clause_list_new()) ||
179 !(zone = zone_db_new_get_by_name(dbconn, zonename)) ||
180 !key_data_zone_id_clause(clause_list, zone_db_id(zone)) ||
181 (hsmkey && !key_data_hsm_key_id_clause(clause_list, hsm_key_id(hsmkey))) ||
182 key_data_list_get_by_clauses(key_list, clause_list))
183 {
184 key_data_list_free(key_list);
185 db_clause_list_free(clause_list);
186 zone_db_free(zone);
187 ods_log_error("[%s] Error fetching from database", module_str);
188 return 1;
189 }
190 db_clause_list_free(clause_list);
191 zone_db_free(zone);
192 } else {
193 if (!(key_list = key_data_list_new_get(dbconn)) ||
194 !(clause_list = db_clause_list_new()) ||
195 (hsmkey && !key_data_hsm_key_id_clause(clause_list, hsm_key_id(hsmkey))) ||
196 key_data_list_get_by_clauses(key_list, clause_list))
197 {
198 key_data_list_free(key_list);
199 db_clause_list_free(clause_list);
200 ods_log_error("[%s] Error fetching from database", module_str);
201 return 1;
202 }
203 db_clause_list_free(clause_list);
204 }
205
206 /* Print data*/
207 while ((key = key_data_list_get_next(key_list))) {
208 if (keytype && strcasecmp(key_data_role_text(key), keytype)) {
209 key_data_free(key);
210 continue;
211 }
212 if (keystate && strcasecmp(map_keystate(key), keystate)) {
213 key_data_free(key);
214 continue;
215 }
216 if (!keytype && !keystate && !hsmkey &&
221 {
222 key_data_free(key);
223 continue;
224 }
225
226 if (all && (!(zone = zone_db_new (dbconn)) || (zone_db_get_by_id(zone, key_data_zone_id(key))) || !(azonename = zone_db_name(zone)))) {
227 ods_log_error("[%s] Error fetching from database", module_str);
228 client_printf_err(sockfd, "Error fetching from database \n");
229 }
230
231 /* check return code TODO */
232 if (key_data_cache_hsm_key(key) == DB_OK) {
233 if (print_ds_from_id(sockfd, key, (const char*)azonename?azonename:zonename, (const char*)map_keystate(key), bind_style, print_sha1)) {
234 ods_log_error("[%s] Error in print_ds_from_id", module_str);
235 client_printf_err(sockfd, "Error in print_ds_from_id \n");
236 }
237 } else {
238 ods_log_error("[%s] Error fetching from database", module_str);
239 client_printf_err(sockfd, "Error fetching from database \n");
240 }
241 key_data_free(key);
242
243 if (all)
244 zone_db_free(zone);
245 }
246 key_data_list_free(key_list);
247 return 0;
248}
249
250static void
251usage(int sockfd)
252{
253 client_printf(sockfd,
254 "key export\n"
255 " --zone <zone> | --all aka -z | -a \n"
256 " --keystate <state> aka -e\n"
257 " --keytype <type> aka -t \n"
258 " --cka_id <CKA_ID> aka -k \n"
259 " [--ds [--sha1]] aka -d [-s]\n"
260 );
261}
262
263static void
264help(int sockfd)
265{
266 client_printf(sockfd,
267 "Export DNSKEY(s) for a given zone or all of them from the database.\n"
268 "If keytype and keystate are not specified, KSKs which are waiting for command ds-submit, ds-seen, ds-retract and ds-gone are shown. Otherwise both keystate and keytype must be given.\n"
269 "If cka_id is specified then that key is output for the specified zones.\n"
270
271 "\nOptions:\n"
272 "zone|all specify a zone or all of them\n"
273 "keystate limit the output to a given state\n"
274 "keytype limit the output to a given type, can be ZSK, KSK, or CSK\n"
275 "cka_id limit the output to the given key locator\n"
276 "ds export DS in BIND format which can be used for upload to a registry\n"
277 "sha1 When outputting DS print sha1 instead of sha256\n");
278}
279
280static int
281run(cmdhandler_ctx_type* context, int argc, char* argv[])
282{
283 int sockfd = context->sockfd;
284 struct longgetopt optctx;
285 const char *zonename = NULL;
286 const char* keytype = NULL;
287 const char* keystate = NULL;
288 const char* cka_id = NULL;
289 zone_db_t * zone = NULL;
290 hsm_key_t *hsmkey = NULL;
291 int all = 0;
292 int ds = 0;
293 int bsha1 = 0;
294 int long_index = 0, opt = 0;
295 db_connection_t* dbconn = getconnectioncontext(context);
296
297 static struct option long_options[] = {
298 {"zone", required_argument, 0, 'z'},
299 {"keytype", required_argument, 0, 't'},
300 {"keystate", required_argument, 0, 'e'},
301 {"cka_id", required_argument, 0, 'k'},
302 {"all", no_argument, 0, 'a'},
303 {"ds", no_argument, 0, 'd'},
304 {"sha1", no_argument, 0, 's'},
305 {0, 0, 0, 0}
306 };
307
308 for(opt = longgetopt(argc, argv, "z:t:e:k:ads", long_options, &long_index, &optctx); opt != -1;
309 opt = longgetopt(argc, argv, NULL, long_options, &long_index, &optctx)) {
310 switch (opt) {
311 case 'z':
312 zonename = optctx.optarg;
313 break;
314 case 't':
315 keytype = optctx.optarg;
316 break;
317 case 'e':
318 keystate = optctx.optarg;
319 break;
320 case 'k':
321 cka_id = optctx.optarg;
322 break;
323 case 'a':
324 all = 1;
325 break;
326 case 'd':
327 ds = 1;
328 break;
329 case 's':
330 bsha1 = 1;
331 break;
332 default:
333 client_printf_err(sockfd, "unknown arguments\n");
334 ods_log_error("[%s] unknown arguments for key export command", module_str);
335 return -1;
336 }
337 }
338
339 if (keytype) {
340 if (strcasecmp(keytype, "KSK") && strcasecmp(keytype, "ZSK") && strcasecmp(keytype, "CSK")) {
341 ods_log_error("[%s] unknown keytype, should be one of KSK, ZSK, or CSK", module_str);
342 client_printf_err(sockfd, "unknown keytype, should be one of KSK, ZSK, or CSK\n");
343 return -1;
344 }
345 }
346
347 if (keystate) {
348 if (strcasecmp(keystate, "generate") && strcasecmp(keystate, "publish") && strcasecmp(keystate, "ready") && strcasecmp(keystate, "active") && strcasecmp(keystate, "retire") && strcasecmp(keystate, "unknown") && strcasecmp(keystate, "mixed")) {
349 ods_log_error("[%s] unknown keystate", module_str);
350 client_printf_err(sockfd, "unknown keystate\n");
351 return -1;
352 }
353 }
354
355
356 if ((!zonename && !all) || (zonename && all)) {
357 ods_log_error("[%s] expected either --zone or --all for key export command", module_str);
358 client_printf_err(sockfd, "expected either --zone or --all \n");
359 return -1;
360 }
361 if (zonename && !(zone = zone_db_new_get_by_name(dbconn, zonename))) {
362 ods_log_error("[%s] Unknown zone: %s", module_str, zonename);
363 client_printf_err(sockfd, "Unknown zone: %s\n", zonename);
364 return -1;
365 }
366 free(zone);
367 zone = NULL;
368
369 /* if no keystate and keytype are given, default values are used.
370 * Default type is KSK, default states are waiting for ds-submit, ds-seen, ds-retract and ds-gone.
371 * Otherwise both keystate and keytype must be specified.
372 */
373 if ((keytype && !keystate) || (!keytype && keystate)) {
374 ods_log_error("[%s] expected both --keystate and --keytype together or none of them", module_str);
375 client_printf_err(sockfd, "expected both --keystate and --keytype together or none of them\n");
376 return -1;
377 }
378
379 if (cka_id && !(hsmkey = hsm_key_new_get_by_locator(dbconn, cka_id))) {
380 client_printf_err(sockfd, "CKA_ID %s can not be found!\n", cka_id);
381 return -1;
382 }
383
384 /* perform task immediately */
385 return perform_keystate_export(sockfd, dbconn, zonename, (const char*) keytype, (const char*) keystate, hsmkey, all, ds, bsha1);
386}
387
388struct cmd_func_block key_export_funcblock = {
389 "key export", &usage, &help, NULL, NULL, &run, NULL
390};
db_clause_list_t * db_clause_list_new(void)
Definition: db_clause.c:202
void db_clause_list_free(db_clause_list_t *clause_list)
Definition: db_clause.c:209
#define DB_OK
Definition: db_error.h:36
db_connection_t * getconnectioncontext(cmdhandler_ctx_type *context)
const char * hsm_key_locator(const hsm_key_t *hsm_key)
Definition: hsm_key.c:520
hsm_key_t * hsm_key_new_get_by_locator(const db_connection_t *connection, const char *locator)
Definition: hsm_key.c:1205
const db_value_t * hsm_key_id(const hsm_key_t *hsm_key)
Definition: hsm_key.c:504
void key_data_free(key_data_t *key_data)
Definition: key_data.c:304
const hsm_key_t * key_data_hsm_key(const key_data_t *key_data)
Definition: key_data.c:638
db_clause_t * key_data_hsm_key_id_clause(db_clause_list_t *clause_list, const db_value_t *hsm_key_id)
Definition: key_data.c:1003
key_data_list_t * key_data_list_new_get(const db_connection_t *connection)
Definition: key_data.c:2102
int key_data_list_get_by_clauses(key_data_list_t *key_data_list, const db_clause_list_t *clause_list)
Definition: key_data.c:2119
const char * key_data_role_text(const key_data_t *key_data)
Definition: key_data.c:711
void key_data_list_free(key_data_list_t *key_data_list)
Definition: key_data.c:1694
key_data_t * key_data_list_get_next(key_data_list_t *key_data_list)
Definition: key_data.c:2425
int key_data_cache_hsm_key(key_data_t *key_data)
Definition: key_data.c:615
key_data_list_t * key_data_list_new(const db_connection_t *connection)
Definition: key_data.c:1651
unsigned int key_data_algorithm(const key_data_t *key_data)
Definition: key_data.c:687
db_clause_t * key_data_zone_id_clause(db_clause_list_t *clause_list, const db_value_t *zone_id)
Definition: key_data.c:976
const db_value_t * key_data_zone_id(const key_data_t *key_data)
Definition: key_data.c:561
key_data_ds_at_parent
Definition: key_data.h:50
@ KEY_DATA_DS_AT_PARENT_SUBMITTED
Definition: key_data.h:54
@ KEY_DATA_DS_AT_PARENT_RETRACT
Definition: key_data.h:56
@ KEY_DATA_DS_AT_PARENT_SUBMIT
Definition: key_data.h:53
@ KEY_DATA_DS_AT_PARENT_RETRACTED
Definition: key_data.h:57
int key_data_cache_key_states(key_data_t *key_data)
Definition: key_data_ext.c:33
const key_state_t * key_data_cached_dnskey(key_data_t *key_data)
Definition: key_data_ext.c:68
const key_state_t * key_data_cached_ds(key_data_t *key_data)
Definition: key_data_ext.c:60
unsigned int key_state_ttl(const key_state_t *key_state)
Definition: key_state.c:409
struct cmd_func_block key_export_funcblock
const char * map_keystate(key_data_t *key)
void zone_db_free(zone_db_t *zone)
Definition: zone_db.c:325
const char * zone_db_name(const zone_db_t *zone)
Definition: zone_db.c:782
int zone_db_get_by_id(zone_db_t *zone, const db_value_t *id)
Definition: zone_db.c:1466
zone_db_t * zone_db_new(const db_connection_t *connection)
Definition: zone_db.c:287
const db_value_t * zone_db_id(const zone_db_t *zone)
Definition: zone_db.c:728
zone_db_t * zone_db_new_get_by_name(const db_connection_t *connection, const char *name)
Definition: zone_db.c:1569