35 #include "cryptoki_compat/pkcs11.h"
/* Module tag substituted for the leading "[%s]" in this file's log messages. */
37 static const char* hsm_str =
"hsm";
/* Frees the signing parameters held in key->params. The rest of the
 * enclosing function is not part of this listing. */
54 hsm_sign_params_free(key->
params);
/*
 * Resolve `locator` to a libhsm key through keycache_lookup().
 *
 * Only part of the body is listed. Two failure logs are visible: one prints
 * the text returned by hsm_get_error(), the other reports the locator as
 * "not found". The conditions selecting between them and the return
 * statement are not shown.
 * NOTE(review): presumably a failed lookup yields NULL to the caller --
 * confirm that every caller checks the result before using it as a key.
 */
59 static const libhsm_key_t*
60 keylookup(hsm_ctx_t* ctx,
const char* locator)
62 const libhsm_key_t* key;
63 key = keycache_lookup(ctx, locator);
/* NOTE(review): hsm_get_error() hands back a char*; the listed lines do not
 * show who releases it -- confirm it is freed after logging. */
65 char* error = hsm_get_error(ctx);
67 ods_log_error(
"[%s] %s", hsm_str, error);
/* Fallback message that names the locator which could not be resolved. */
71 ods_log_error(
"[%s] unable to get key: key %s not found", hsm_str, locator);
/*
 * Fragment of the routine that prepares a key for signing; its signature and
 * several body lines are not part of this listing. Visible steps: argument
 * check, creation of key_id->params, an early exit when HSM access is
 * skipped, HSM error reporting with a retry path, and keytag computation.
 */
86 if (!owner || !key_id) {
87 ods_log_error(
"[%s] unable to get key: missing required elements",
89 return ODS_STATUS_ASSERT_ERR;
/* Attach fresh signing params to the key and give them their own copy of
 * the owner name. */
96 key_id->
params = hsm_sign_params_new();
98 key_id->
params->owner = ldns_rdf_clone(owner);
/* Failure to create the params is logged and reported as ODS_STATUS_ERR.
 * The guarding condition is on a line not shown here. */
103 ods_log_error(
"[%s] unable to get key: create params for key %s "
105 return ODS_STATUS_ERR;
/* With skip_hsm_access set, the routine returns success at this point. */
108 if (skip_hsm_access)
return ODS_STATUS_OK;
/* Log whatever error text the HSM context reports. */
115 error = hsm_get_error(ctx);
117 ods_log_error(
"[%s] %s", hsm_str, error);
119 }
/* When `retries` is still zero: drop the key's cached data and jump back to
 * the llibhsm_key_start label for another attempt.
 * NOTE(review): the update of `retries` is not visible in this listing --
 * confirm the loop is bounded. */
else if (!retries) {
120 lhsm_clear_key_cache(key_id);
122 goto llibhsm_key_start;
124 ods_log_error(
"[%s] unable to get key: hsm failed to create dnskey",
126 return ODS_STATUS_ERR;
/* Store the keytag computed from the key's DNSKEY record in the params. */
128 key_id->
params->keytag = ldns_calc_keytag(key_id->
dnskey);
129 return ODS_STATUS_OK;
/*
 * Fragment of the RRset signing routine; only the tail of its parameter list
 * and part of its body appear in this listing. Visible flow: validate the
 * arguments, fill a temporary hsm_sign_params_t from key_id and
 * key_id->params, call hsm_sign_rrset(), free the temporary params, then log
 * the text from hsm_get_error() and a critical "error signing" message.
 */
139 ldns_rdf* owner, time_t inception, time_t expiration)
142 ldns_rr* result = NULL;
143 hsm_sign_params_t* params = NULL;
/* A zero inception or expiration time is rejected together with NULL
 * pointers. */
145 if (!owner || !key_id || !rrset || !inception || !expiration) {
146 ods_log_error(
"[%s] unable to sign: missing required elements",
/* NOTE(review): the presence of key_id->dnskey and key_id->params is enforced
 * only through ods_log_assert(). If that macro is non-fatal or compiled out
 * in some build, the key_id->params dereferences below are unguarded --
 * confirm. */
150 ods_log_assert(key_id->
dnskey);
151 ods_log_assert(key_id->
params);
/* NOTE(review): the result of hsm_sign_params_new() is dereferenced by the
 * very next statement with no NULL check. The key-preparation code in this
 * file logs "create params for key ... failed" for that case; the same guard
 * (log, return without signing) looks appropriate here. The result of
 * ldns_rdf_clone() is likewise stored unchecked. */
153 params = hsm_sign_params_new();
154 params->owner = ldns_rdf_clone(key_id->
params->owner);
156 params->flags = key_id->
flags;
157 params->inception = inception;
158 params->expiration = expiration;
159 params->keytag = key_id->
params->keytag;
/* Reads the type of the first RR for the debug message; assumes rrset holds
 * at least one RR -- TODO confirm. */
160 ods_log_deeebug(
"[%s] sign RRset[%i] with key %s tag %u", hsm_str,
161 ldns_rr_get_type(ldns_rr_list_rr(rrset, 0)),
/* NOTE(review): the keylookup() result is passed straight to
 * hsm_sign_rrset(). keylookup() has a "key ... not found" path, so
 * hsm_sign_rrset() presumably has to tolerate a NULL key -- confirm. */
163 result = hsm_sign_rrset(ctx, rrset, keylookup(ctx, key_id->
locator), params);
/* The temporary params are released right after the signing call. */
164 hsm_sign_params_free(params);
166 error = hsm_get_error(ctx);
168 ods_log_error(
"[%s] %s", hsm_str, error);
171 ods_log_crit(
"[%s] error signing rrset with libhsm", hsm_str);