OpenDNSSEC-enforcer  2.1.6
keystate_export_cmd.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2011 Surfnet
3  * Copyright (c) 2011 .SE (The Internet Infrastructure Foundation).
4  * Copyright (c) 2011 OpenDNSSEC AB (svb)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  * notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  * notice, this list of conditions and the following disclaimer in the
14  * documentation and/or other materials provided with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
20  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
22  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
23  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
24  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
26  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27  *
28  */
29 
30 #include "config.h"
31 #include <getopt.h>
32 
33 #include "cmdhandler.h"
35 #include "daemon/engine.h"
36 #include "file.h"
37 #include "log.h"
38 #include "str.h"
39 #include "clientpipe.h"
40 #include "duration.h"
41 #include "libhsm.h"
42 #include "libhsmdns.h"
43 #include "db/key_data.h"
44 #include "db/db_error.h"
45 
48 
49 static const char *module_str = "keystate_export_cmd";
50 
57 static ldns_rr *
58 get_dnskey(const char *id, const char *zone, const char *keytype, int alg, uint32_t ttl)
59 {
60  libhsm_key_t *key;
61  hsm_sign_params_t *sign_params;
62  ldns_rr *dnskey_rr;
63  /* Code to output the DNSKEY record (stolen from hsmutil) */
64  hsm_ctx_t *hsm_ctx = hsm_create_context();
65  if (!hsm_ctx) {
66  ods_log_error("[%s] Could not connect to HSM", module_str);
67  return NULL;
68  }
69  if (!(key = hsm_find_key_by_id(hsm_ctx, id))) {
70  hsm_destroy_context(hsm_ctx);
71  return NULL;
72  }
73 
74  /* Sign params only need to be kept around
75  * for the hsm_get_dnskey() call. */
76  sign_params = hsm_sign_params_new();
77  sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone);
78  sign_params->algorithm = (ldns_algorithm) alg;
79  sign_params->flags = LDNS_KEY_ZONE_KEY;
80 
81  if (keytype && !strcasecmp(keytype, "KSK"))
82  sign_params->flags = sign_params->flags | LDNS_KEY_SEP_KEY;
83 
84  /* Get the DNSKEY record */
85  dnskey_rr = hsm_get_dnskey(hsm_ctx, key, sign_params);
86 
87  libhsm_key_free(key);
88  hsm_sign_params_free(sign_params);
89  hsm_destroy_context(hsm_ctx);
90 
91  /* Override the TTL in the dnskey rr */
92  if (ttl)
93  ldns_rr_set_ttl(dnskey_rr, ttl);
94 
95  return dnskey_rr;
96 }
97 
108 static int
109 print_ds_from_id(int sockfd, key_data_t *key, const char *zone,
110  const char* state, int bind_style, int print_sha1)
111 {
112  ldns_rr *dnskey_rr;
113  ldns_rr *ds_sha_rr;
114  int ttl = 0;
115  const char *locator;
116  char *rrstr;
117 
118  assert(key);
119  assert(zone);
120 
121  locator = hsm_key_locator(key_data_hsm_key(key));
122  if (!locator)
123  return 1;
124  /* This fetches the states from the DB, I'm only assuming they get
125  * cleaned up when 'key' is cleaned(?) */
126  if (key_data_cache_key_states(key) != DB_OK)
127  return 1;
128 
130 
131  dnskey_rr = get_dnskey(locator, zone, key_data_role_text(key), key_data_algorithm(key), ttl);
132  if (!dnskey_rr)
133  return 1;
134 
135  if (bind_style) {
136  ldns_rr_set_ttl(dnskey_rr, key_state_ttl (key_data_cached_ds(key)));
137  if (print_sha1) {
138  ds_sha_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA1);
139  rrstr = ldns_rr2str(ds_sha_rr);
140  ldns_rr_free(ds_sha_rr);
141  /* TODO log error on failure */
142  (void)client_printf(sockfd, ";%s %s DS record (SHA1):\n%s", state, key_data_role_text(key), rrstr);
143  LDNS_FREE(rrstr);
144  } else {
145  ds_sha_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA256);
146  rrstr = ldns_rr2str(ds_sha_rr);
147  ldns_rr_free(ds_sha_rr);
148  /* TODO log error on failure */
149  (void)client_printf(sockfd, ";%s %s DS record (SHA256):\n%s", state, key_data_role_text(key), rrstr);
150  LDNS_FREE(rrstr);
151  }
152  } else {
153  rrstr = ldns_rr2str_fmt(ldns_output_format_nocomments, dnskey_rr);
154  /* TODO log error on failure */
155  (void)client_printf(sockfd, "%s", rrstr);
156  LDNS_FREE(rrstr);
157  }
158 
159  ldns_rr_free(dnskey_rr);
160  return 0;
161 }
162 
163 static int
164 perform_keystate_export(int sockfd, db_connection_t *dbconn,
165  const char *zonename, const char *keytype, const char *keystate,
166  int all, int bind_style, int print_sha1)
167 {
168  key_data_list_t *key_list = NULL;
169  key_data_t *key;
170  zone_db_t *zone = NULL;
171  db_clause_list_t* clause_list = NULL;
172  const char *azonename = NULL;
173 
174  /* Find all keys related to zonename */
175  if (all == 0) {
176  if (!(key_list = key_data_list_new(dbconn)) ||
177  !(clause_list = db_clause_list_new()) ||
178  !(zone = zone_db_new_get_by_name(dbconn, zonename)) ||
179  !key_data_zone_id_clause(clause_list, zone_db_id(zone)) ||
180  key_data_list_get_by_clauses(key_list, clause_list))
181  {
182  key_data_list_free(key_list);
183  db_clause_list_free(clause_list);
184  zone_db_free(zone);
185  ods_log_error("[%s] Error fetching from database", module_str);
186  return 1;
187  }
188  db_clause_list_free(clause_list);
189  zone_db_free(zone);
190  }
191  if (all && !(key_list = key_data_list_new_get(dbconn))) {
192  client_printf_err(sockfd, "Unable to get list of keys, memory allocation or database error!\n");
193  return 1;
194  }
195 
196  /* Print data*/
197  while ((key = key_data_list_get_next(key_list))) {
198  if (keytype && strcasecmp(key_data_role_text(key), keytype)) {
199  key_data_free(key);
200  continue;
201  }
202  if (keystate && strcasecmp(map_keystate(key), keystate)) {
203  key_data_free(key);
204  continue;
205  }
206  if (!keytype && !keystate &&
211  {
212  key_data_free(key);
213  continue;
214  }
215 
216  if (all && (!(zone = zone_db_new (dbconn)) || (zone_db_get_by_id(zone, key_data_zone_id(key))) || !(azonename = zone_db_name(zone)))) {
217  ods_log_error("[%s] Error fetching from database", module_str);
218  client_printf_err(sockfd, "Error fetching from database \n");
219  }
220 
221  /* check return code TODO */
222  if (key_data_cache_hsm_key(key) == DB_OK) {
223  if (print_ds_from_id(sockfd, key, (const char*)azonename?azonename:zonename, (const char*)map_keystate(key), bind_style, print_sha1)) {
224  ods_log_error("[%s] Error in print_ds_from_id", module_str);
225  client_printf_err(sockfd, "Error in print_ds_from_id \n");
226  }
227  } else {
228  ods_log_error("[%s] Error fetching from database", module_str);
229  client_printf_err(sockfd, "Error fetching from database \n");
230  }
231  key_data_free(key);
232 
233  if (all)
234  zone_db_free(zone);
235  }
236  key_data_list_free(key_list);
237  return 0;
238 }
239 
240 static void
241 usage(int sockfd)
242 {
243  client_printf(sockfd,
244  "key export\n"
245  " --zone <zone> | --all aka -z | -a \n"
246  " --keystate <state> aka -e\n"
247  " --keytype <type> aka -t \n"
248  " [--ds [--sha1]] aka -d [-s]\n"
249  );
250 }
251 
252 static void
253 help(int sockfd)
254 {
255  client_printf(sockfd,
256  "Export DNSKEY(s) for a given zone or all of them from the database.\n"
257  "If keytype and keystate are not specified, KSKs which are waiting for command ds-submit, ds-seen, ds-retract and ds-gone are shown. Otherwise both keystate and keytype must be given.\n"
258 
259  "\nOptions:\n"
260  "zone|all specify a zone or all of them\n"
261  "keystate limit the output to a given state\n"
262  "keytype limit the output to a given type, can be ZSK, KSK, or CSK\n"
263  "ds export DS in BIND format which can be used for upload to a registry\n"
264  "sha1 When outputting DS print sha1 instead of sha256\n");
265 }
266 
267 static int
268 run(int sockfd, cmdhandler_ctx_type* context, const char *cmd)
269 {
270  #define NARGV 11
271  char buf[ODS_SE_MAXLINE];
272  const char *argv[NARGV];
273  int argc = 0;
274  const char *zonename = NULL;
275  const char* keytype = NULL;
276  const char* keystate = NULL;
277  zone_db_t * zone = NULL;
278  int all = 0;
279  int ds = 0;
280  int bsha1 = 0;
281  int long_index = 0, opt = 0;
282  db_connection_t* dbconn = getconnectioncontext(context);
283 
284  static struct option long_options[] = {
285  {"zone", required_argument, 0, 'z'},
286  {"keytype", required_argument, 0, 't'},
287  {"keystate", required_argument, 0, 'e'},
288  {"all", no_argument, 0, 'a'},
289  {"ds", no_argument, 0, 'd'},
290  {"sha1", no_argument, 0, 's'},
291  {0, 0, 0, 0}
292  };
293 
294  ods_log_debug("[%s] %s command", module_str, key_export_funcblock.cmdname);
295 
296  /* Use buf as an intermediate buffer for the command.*/
297  strncpy(buf, cmd, sizeof(buf));
298  buf[sizeof(buf)-1] = '\0';
299 
300  /* separate the arguments*/
301  argc = ods_str_explode(buf, NARGV, argv);
302  if (argc == -1) {
303  client_printf_err(sockfd, "too many arguments\n");
304  ods_log_error("[%s] too many arguments for %s command",
305  module_str, key_export_funcblock.cmdname);
306  return -1;
307  }
308 
309  optind = 0;
310  while ((opt = getopt_long(argc, (char* const*)argv, "z:t:e:ads", long_options, &long_index)) != -1) {
311  switch (opt) {
312  case 'z':
313  zonename = optarg;
314  break;
315  case 't':
316  keytype = optarg;
317  break;
318  case 'e':
319  keystate = optarg;
320  break;
321  case 'a':
322  all = 1;
323  break;
324  case 'd':
325  ds = 1;
326  break;
327  case 's':
328  bsha1 = 1;
329  break;
330  default:
331  client_printf_err(sockfd, "unknown arguments\n");
332  ods_log_error("[%s] unknown arguments for %s command",
333  module_str, key_export_funcblock.cmdname);
334  return -1;
335  }
336  }
337 
338  if (keytype) {
339  if (strcasecmp(keytype, "KSK") && strcasecmp(keytype, "ZSK") && strcasecmp(keytype, "CSK")) {
340  ods_log_error("[%s] unknown keytype, should be one of KSK, ZSK, or CSK", module_str);
341  client_printf_err(sockfd, "unknown keytype, should be one of KSK, ZSK, or CSK\n");
342  return -1;
343  }
344  }
345 
346  if (keystate) {
347  if (strcasecmp(keystate, "generate") && strcasecmp(keystate, "publish") && strcasecmp(keystate, "ready") && strcasecmp(keystate, "active") && strcasecmp(keystate, "retire") && strcasecmp(keystate, "unknown") && strcasecmp(keystate, "mixed")) {
348  ods_log_error("[%s] unknown keystate", module_str);
349  client_printf_err(sockfd, "unknown keystate\n");
350  return -1;
351  }
352  }
353 
354 
355  if ((!zonename && !all) || (zonename && all)) {
356  ods_log_error("[%s] expected either --zone or --all for %s command", module_str, key_export_funcblock.cmdname);
357  client_printf_err(sockfd, "expected either --zone or --all \n");
358  return -1;
359  }
360  if (zonename && !(zone = zone_db_new_get_by_name(dbconn, zonename))) {
361  ods_log_error("[%s] Unknown zone: %s", module_str, zonename);
362  client_printf_err(sockfd, "Unknown zone: %s\n", zonename);
363  return -1;
364  }
365  free(zone);
366  zone = NULL;
367 
368  /* if no keystate and keytype are given, default values are used.
369  * Default type is KSK, default states are waiting for ds-submit, ds-seen, ds-retract and ds-gone.
370  * Otherwise both keystate and keytype must be specified.
371  */
372  if ((keytype && !keystate) || (!keytype && keystate)) {
373  ods_log_error("[%s] expected both --keystate and --keytype together or none of them", module_str);
374  client_printf_err(sockfd, "expected both --keystate and --keytype together or none of them\n");
375  return -1;
376  }
377 
378  /* perform task immediately */
379  return perform_keystate_export(sockfd, dbconn, zonename, (const char*) keytype, (const char*) keystate, all, ds, bsha1);
380 }
381 
382 struct cmd_func_block key_export_funcblock = {
383  "key export", &usage, &help, NULL, &run
384 };
key_export_funcblock
struct cmd_func_block key_export_funcblock
Definition: keystate_export_cmd.c:382
key_data_list
Definition: key_data.h:477
key_data_cache_hsm_key
int key_data_cache_hsm_key(key_data_t *key_data)
Definition: key_data.c:615
zone_db_id
const db_value_t * zone_db_id(const zone_db_t *zone)
Definition: zone_db.c:728
enforcercommands.h
KEY_DATA_DS_AT_PARENT_SUBMITTED
@ KEY_DATA_DS_AT_PARENT_SUBMITTED
Definition: key_data.h:52
key_data_zone_id_clause
db_clause_t * key_data_zone_id_clause(db_clause_list_t *clause_list, const db_value_t *zone_id)
Definition: key_data.c:976
key_data_cached_ds
const key_state_t * key_data_cached_ds(key_data_t *key_data)
Definition: key_data_ext.c:60
zone_db_new
zone_db_t * zone_db_new(const db_connection_t *connection)
Definition: zone_db.c:287
key_data_list_new
key_data_list_t * key_data_list_new(const db_connection_t *connection)
Definition: key_data.c:1651
zone_db_free
void zone_db_free(zone_db_t *zone)
Definition: zone_db.c:325
key_data_role_text
const char * key_data_role_text(const key_data_t *key_data)
Definition: key_data.c:711
zone_db_new_get_by_name
zone_db_t * zone_db_new_get_by_name(const db_connection_t *connection, const char *name)
Definition: zone_db.c:1569
KEY_DATA_DS_AT_PARENT_RETRACTED
@ KEY_DATA_DS_AT_PARENT_RETRACTED
Definition: key_data.h:55
NARGV
#define NARGV
db_error.h
keystate_list_cmd.h
zone_db_name
const char * zone_db_name(const zone_db_t *zone)
Definition: zone_db.c:782
db_clause_list
Definition: db_clause.h:226
key_data_ds_at_parent
key_data_ds_at_parent
Definition: key_data.h:48
key_data_free
void key_data_free(key_data_t *key_data)
Definition: key_data.c:304
zone_db
Definition: zone_db.h:46
key_data_hsm_key
const hsm_key_t * key_data_hsm_key(const key_data_t *key_data)
Definition: key_data.c:638
key_data_cache_key_states
int key_data_cache_key_states(key_data_t *key_data)
Definition: key_data_ext.c:33
db_clause_list_free
void db_clause_list_free(db_clause_list_t *clause_list)
Definition: db_clause.c:209
getconnectioncontext
db_connection_t * getconnectioncontext(cmdhandler_ctx_type *context)
Definition: enforcercommands.c:110
key_data_list_free
void key_data_list_free(key_data_list_t *key_data_list)
Definition: key_data.c:1694
map_keystate
const char * map_keystate(key_data_t *key)
Definition: keystate_list_cmd.c:113
key_data_zone_id
const db_value_t * key_data_zone_id(const key_data_t *key_data)
Definition: key_data.c:561
key_data_list_get_by_clauses
int key_data_list_get_by_clauses(key_data_list_t *key_data_list, const db_clause_list_t *clause_list)
Definition: key_data.c:2119
keystate_export_cmd.h
KEY_DATA_DS_AT_PARENT_SUBMIT
@ KEY_DATA_DS_AT_PARENT_SUBMIT
Definition: key_data.h:51
db_clause_list_new
db_clause_list_t * db_clause_list_new(void)
Definition: db_clause.c:202
zone_db_get_by_id
int zone_db_get_by_id(zone_db_t *zone, const db_value_t *id)
Definition: zone_db.c:1466
key_data_cached_dnskey
const key_state_t * key_data_cached_dnskey(key_data_t *key_data)
Definition: key_data_ext.c:68
hsm_key_locator
const char * hsm_key_locator(const hsm_key_t *hsm_key)
Definition: hsm_key.c:520
engine.h
KEY_DATA_DS_AT_PARENT_RETRACT
@ KEY_DATA_DS_AT_PARENT_RETRACT
Definition: key_data.h:54
key_data_algorithm
unsigned int key_data_algorithm(const key_data_t *key_data)
Definition: key_data.c:687
db_connection
Definition: db_connection.h:46
DB_OK
#define DB_OK
Definition: db_error.h:36
key_state_ttl
unsigned int key_state_ttl(const key_state_t *key_state)
Definition: key_state.c:409
key_data_list_get_next
key_data_t * key_data_list_get_next(key_data_list_t *key_data_list)
Definition: key_data.c:2425
key_data
Definition: key_data.h:66
key_data.h
key_data_list_new_get
key_data_list_t * key_data_list_new_get(const db_connection_t *connection)
Definition: key_data.c:2102