60 #include <libhsmdns.h> 61 #include <ldns/ldns.h> 63 #include <libxml/tree.h> 64 #include <libxml/parser.h> 65 #include <libxml/xpointer.h> 66 #include <libxml/xpath.h> 67 #include <libxml/xpathInternals.h> 68 #include <libxml/relaxng.h> 69 #include <libxml/xmlreader.h> 70 #include <libxml/xmlsave.h> 72 #define MAX(a, b) ((a) > (b) ? (a) : (b)) 76 #define DURATION_TYPE 1 80 #define ROLLOVER_TYPE 5 81 #define INT_TYPE_NO_FREE 6 84 # define MAXPATHLEN 4096 89 #define DEFAULT_LOG_FACILITY LOG_DAEMON 91 #define DEFAULT_LOG_FACILITY LOG_USER 97 char *
config = (
char *) OPENDNSSEC_CONFIG_FILE;
/*
 * Command-line option flags shared by the ods-ksmutil command handlers.
 * They are set by the option parser (not part of this fragment) and read
 * by the handlers below; a non-zero value means the option was given
 * (or, for the flags that default to 1, that it was NOT negated).
 */
/* --all / -a: act on every zone (or policy).  The handlers refuse it in
 * combination with --zone / --policy and ask for confirmation before a
 * remove-all, because it is destructive. */
static int all_flag = 0;
/* --auto-accept / -A: listed in the usage text; not referenced in this fragment. */
static int auto_accept_flag = 0;
/* --ds / -d: when set, key export also prints DS records and warns when no
 * READY/ACTIVE key (or both at once) was seen for the zone. */
static int ds_flag = 0;
/* Defaults to 1; cleared by --no-retire / -f.  When set, activating a key
 * also retires the old one, after checking that an active key remains. */
static int retire_flag = 1;
/* Defaults to 1; cleared by --no-notify / -l.  When set, the handlers call
 * restart_enforcerd() after a change so the enforcer picks it up. */
static int notify_flag = 1;
/* --verbose / -v: e.g. makes the rollover listing also list DS records. */
static int verbose_flag = 0;
/* Defaults to 1; cleared by --no-xml / -m.  When set, zone add/delete also
 * backs up and rewrites zonelist.xml; when cleared only the database is
 * touched and the user is told to run "zonelist export". */
static int xml_flag = 1;
/* Presumably tied to --tdead / -Y (see usage text); not referenced in this fragment. */
static int td_flag = 0;
/* When set, the deprecated one-step "backup done" skips its interactive
 * "Do you wish to continue?" confirmation.  Option letter not visible here. */
static int force_flag = 0;
/* Defaults to 1; not referenced in this fragment. */
static int hsm_flag = 1;
/* --check-repository / -C: on key import, a CKA_ID missing from the HSM
 * repository is a hard error instead of a warning. */
static int check_repository_flag = 0;
/* Not referenced in this fragment. */
static int rfc5011_flag = 0;

/*
 * Signal (HUP) the running ods-enforcerd so it re-reads its state.
 * Returns 0 on success, non-zero on failure (callers then print
 * "Could not HUP ods-enforcerd").  Definition is outside this fragment.
 */
static int restart_enforcerd(void);
138 #if defined(HAVE_SYSLOG_R) && defined(HAVE_OPENLOG_R) && defined(HAVE_CLOSELOG_R) 139 struct syslog_data sdata = SYSLOG_DATA_INIT;
142 #undef HAVE_OPENLOG_R 143 #undef HAVE_CLOSELOG_R 151 " --version aka -V\n");
159 "\tImport config into a database (deletes current contents)\n");
166 " start|stop|notify\n" 167 "\tStart, stop or SIGHUP the ods-enforcerd\n");
178 "\tUpdate database from config\n");
186 "\t--zone <zone> aka -z\n" 187 "\t[--policy <policy>] aka -p\n" 188 "\t[--signerconf <signerconf.xml>] aka -s\n" 189 "\t[--input <input>] aka -i\n" 190 "\t[--in-type <input type>] aka -j\n" 191 "\t[--output <output>] aka -o\n" 192 "\t[--out-type <output type>] aka -q\n" 193 "\t[--no-xml] aka -m\n");
201 "\t--zone <zone> | --all aka -z / -a\n" 202 "\t[--no-xml] aka -m\n");
216 "usage: %s [-c <config> | --config <config>] zone \n\n",
227 " repository list\n");
235 "\t--policy [policy_name] | --all aka -p / -a\n");
263 "usage: %s [-c <config> | --config <config>] \n\n",
276 "\t[--verbose] aka -v\n" 277 "\t[--zone <zone>] aka -z\n" 278 "\t[--keystate <state>| --all] aka -e / -a\n" 279 "\t[--keytype <type>] aka -t\n" 288 "\t--zone <zone> | --all aka -z / -a\n" 289 "\t[--keystate <state>] aka -e\n" 290 "\t[--keytype <type>] aka -t\n" 291 "\t[--ds] aka -d\n");
299 "\t--cka_id <CKA_ID> aka -k\n" 300 "\t--repository <repository> aka -r\n" 301 "\t--zone <zone> aka -z\n" 302 "\t--bits <size> aka -b\n" 303 "\t--algorithm <algorithm> aka -g\n" 304 "\t--keystate <state> aka -e\n" 305 "\t--keytype <type> aka -t\n" 306 "\t--time <time> aka -w\n" 307 "\t[--check-repository] aka -C\n" 308 "\t[--retire <retire>] aka -y\n");
316 "\t--zone zone aka -z\n" 317 "\t--keytype <type> | --all aka -t / -a\n" 319 "\t--policy policy aka -p\n" 320 "\t--keytype <type> | --all aka -t / -a\n");
328 "\t--zone <zone> aka -z\n" 330 "\t--policy <policy> aka -p\n");
338 "\t--policy <policy> aka -p\n" 339 "\t--interval <interval> aka -n\n" 340 "\t[--zonetotal <total no. of zones>] aka -Z\n" 341 "\t--auto-accept aka -A\n");
349 "\t--zone <zone> aka -z\n" 350 "\t--keytag <keytag> | --cka_id <CKA_ID> aka -x / -k\n" 351 "\t[--tdead <Tdead>] aka -Y\n");
358 "\t--zone <zone> aka -z\n" 359 "\t--keytag <keytag> | --cka_id <CKA_ID> aka -x / -k\n");
368 "\t--zone <zone> aka -z\n" 369 "\t--keytag <keytag> | --cka_id <CKA_ID> aka -x / -k\n" 370 "\t[--no-notify|-l] aka -l\n" 371 "\t[--no-retire|-f] aka -f\n");
379 "\t--cka_id <CKA_ID> aka -k\n" 387 "usage: %s [-c <config> | --config <config>] \n\n",
406 "\t--repository <repository> aka -r\n" 408 "\t--repository <repository> aka -r\n" 410 "\t--repository <repository> aka -r\n" 412 "\t--repository <repository> aka -r\n" 414 "\t--repository <repository> aka -r\n" 416 "\t[NOTE: backup done is deprecated]\n");
424 "\t[--zone <zone>]\n");
432 "\t[--output <output>] aka -o\n");
440 " zonelist import\n");
447 "usage: %s [-c <config> | --config <config>] command [options]\n\n",
483 "\n\tAllowed date/time strings are of the form:\n" 485 "\tYYYYMMDD[HH[MM[SS]]] (all numeric)\n" 487 "\tor D-MMM-YYYY[:| ]HH[:MM[:SS]] (alphabetic month)\n" 488 "\tor DD-MMM-YYYY[:| ]HH[:MM[:SS]] (alphabetic month)\n" 489 "\tor YYYY-MMM-DD[:| ]HH[:MM[:SS]] (alphabetic month)\n" 491 "\tD-MM-YYYY[:| ]HH[:MM[:SS]] (numeric month)\n" 492 "\tDD-MM-YYYY[:| ]HH[:MM[:SS]] (numeric month)\n" 493 "\tor YYYY-MM-DD[:| ]HH[:MM[:SS]] (numeric month)\n" 495 "\t... and the distinction between them is given by the location of the\n" 503 "key states: GENERATE|PUBLISH|READY|ACTIVE|RETIRE|DEAD\n");
510 "key types: KSK|ZSK\n");
520 exist_file(
const char* filename) {
522 FILE *file = fopen(filename,
"r");
537 FILE* lock_fd = NULL;
538 char* zone_list_filename;
543 char *dbschema = NULL;
547 char *password = NULL;
552 char* setup_command = NULL;
553 char* lock_filename = NULL;
556 printf(
"*WARNING* This will erase all data in the database; are you sure? [y/N] ");
558 user_certain = getchar();
559 if (user_certain !=
'y' && user_certain !=
'Y') {
560 printf(
"Okay, quitting...\n");
567 status =
get_db_details(&dbschema, &host, &port, &user, &password);
586 lock_fd = fopen(lock_filename,
"w");
589 printf(
"Error getting db lock\n");
590 if (lock_fd != NULL) {
611 if (system(setup_command) != 0)
613 printf(
"Could not call db setup command:\n\t%s\n", setup_command);
629 printf(
"Couldn't fix permissions on file %s\n", dbschema);
630 printf(
"Will coninue with setup, but you may need to manually change ownership\n");
639 printf(
"Failed to connect to database, username too long.\n");
650 if (password != NULL) {
653 printf(
"Failed to connect to database, password too long.\n");
676 if (password != NULL) {
678 StrAppend(&setup_command, quoted_password);
686 if (system(setup_command) != 0)
688 printf(
"Could not call db setup command:\n\t%s\n", setup_command);
701 status =
DbConnect(&dbhandle, dbschema, host, password, user, port);
703 printf(
"Failed to connect to database\n");
728 printf(
"Failed to read conf.xml\n");
739 printf(
"Failed to update repositories\n");
752 printf(
"Failed to update policies\n");
753 printf(
"SETUP FAILED\n");
769 printf(
"Failed to update zones\n");
792 FILE* lock_fd = NULL;
793 char* zone_list_filename = NULL;
794 char* kasp_filename = NULL;
796 int done_something = 0;
801 printf(
"Failed to connect to database\n");
810 if (strncmp(qualifier,
"ZONELIST", 8) == 0 ||
811 strncmp(qualifier,
"KASP", 4) == 0 ||
812 strncmp(qualifier,
"ALL", 3) == 0) {
816 printf(
"Failed to read conf.xml\n");
826 if (strncmp(qualifier,
"CONF", 4) == 0 ||
827 strncmp(qualifier,
"ALL", 3) == 0) {
830 printf(
"Failed to update repositories\n");
832 if (strncmp(qualifier,
"ALL", 3) == 0) {
845 if (strncmp(qualifier,
"KASP", 4) == 0 ||
846 strncmp(qualifier,
"ALL", 3) == 0) {
849 printf(
"Failed to update policies\n");
862 if (strncmp(qualifier,
"ZONELIST", 8) == 0 ||
863 strncmp(qualifier,
"ALL", 3) == 0) {
866 printf(
"Failed to update zones\n");
878 if (done_something == 0) {
879 printf(
"Unrecognised command update %s. Please specify one of:\n", qualifier);
883 if (restart_enforcerd() != 0)
885 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
894 if (kasp_filename != NULL) {
897 if (zone_list_filename != NULL) {
916 FILE* lock_fd = NULL;
917 char* zonelist_filename = NULL;
918 char* backup_filename = NULL;
920 char* sig_conf_name = NULL;
921 char* input_name = NULL;
922 char* output_name = NULL;
923 char* input_type = NULL;
924 char* output_type = NULL;
931 xmlDocPtr doc = NULL;
937 printf(
"Couldn't malloc path: %s\n", strerror(errno));
943 printf(
"Please specify a zone with the --zone option\n");
956 StrAppend(&sig_conf_name, OPENDNSSEC_STATE_DIR);
975 printf(
"Error: Unrecognised in-type %s; should be one of DNS or File\n",
o_in_type);
981 if(strcmp(input_type,
"DNS")==0){
982 StrAppend(&input_name, OPENDNSSEC_CONFIG_DIR);
985 StrAppend(&input_name, OPENDNSSEC_STATE_DIR);
1003 printf(
"Error: Unrecognised out-type %s; should be one of DNS or File\n",
o_out_type);
1011 if(strcmp(output_type,
"DNS") == 0){
1012 StrAppend(&output_name, OPENDNSSEC_CONFIG_DIR);
1015 StrAppend(&output_name, OPENDNSSEC_STATE_DIR);
1031 if(!exist_file(input_name)){
1032 fprintf(stdout,
"WARNING: The input file %s for zone %s does not currently exist. The zone will been added to the database anyway. \n",input_name,
o_zone);
1035 if(strcmp(output_type,
"DNS") == 0 && !exist_file(output_name)){
1036 fprintf(stdout,
"WARNING: The output file %s for zone %s does not currently exist. \n",output_name,
o_zone);
1044 printf(
"couldn't read zonelist\n");
1055 StrAppend(&backup_filename, zonelist_filename);
1057 if (xml_flag == 1) {
1058 if (access(backup_filename, F_OK) == 0){
1059 if (access(backup_filename, W_OK)){
1060 printf(
"ERROR: The backup file %s can not be written.\n",backup_filename);
1071 if (access(OPENDNSSEC_CONFIG_DIR, W_OK)){
1072 printf(
"ERROR: The backup file %s can not be written.\n",backup_filename);
1091 printf(
"Failed to connect to database\n");
1106 printf(
"Error, can't find policy : %s\n",
o_policy);
1107 printf(
"Failed to update zones\n");
1118 status =
KsmImportZone(
o_zone, policy_id, 1, &new_zone, sig_conf_name, input_name, output_name, input_type, output_type);
1121 printf(
"Failed to Import zone %s; it already exists\n",
o_zone);
1122 }
else if (status == -3) {
1123 printf(
"Failed to Import zone %s; it already exists both with and without a trailing dot\n",
o_zone);
1125 printf(
"Failed to Import zone\n");
1142 printf(
"Can't retrieve shared-keys parameter for policy\n");
1155 printf(
"Can't retrieve shared-keys parameter for policy\n");
1169 if (data.
value == 1) {
1172 printf(
"Failed to Link Keys to zone\n");
1193 if (xml_flag == 1) {
1196 xmlKeepBlanksDefault(0);
1197 xmlTreeIndentString =
"\t";
1207 printf(
"Error: Couldn't add our new node in memory\n");
1214 status =
backup_file(zonelist_filename, backup_filename);
1216 printf(
"Error: Backup %s FAILED, please backup %s manually and run \"ods-ksmutil zonelist export\" to update zonelist.xml\n", backup_filename, backup_filename);
1223 status = xmlSaveFormatFile(zonelist_filename, doc, 1);
1228 printf(
"Error: couldn't save zonelist, please run \"ods-ksmutil zonelist export\" to update zonelist.xml\n");
1245 if (xml_flag == 0) {
1246 printf(
"Imported zone: %s into database only, please run \"ods-ksmutil zonelist export\" to update zonelist.xml\n",
o_zone);
1248 printf(
"Imported zone: %s\n",
o_zone);
1263 char* zonelist_filename = NULL;
1264 char* backup_filename = NULL;
1269 xmlDocPtr doc = NULL;
1276 FILE* lock_fd = NULL;
1279 if (all_flag &&
o_zone != NULL) {
1280 printf(
"can not use --all with --zone\n");
1283 else if (!all_flag &&
o_zone == NULL) {
1284 printf(
"please specify either --zone <zone> or --all\n");
1289 if (all_flag == 1) {
1290 printf(
"*WARNING* This will remove all zones from OpenDNSSEC; are you sure? [y/N] ");
1292 user_certain = getchar();
1293 if (user_certain !=
'y' && user_certain !=
'Y') {
1294 printf(
"Okay, quitting...\n");
1302 printf(
"Failed to connect to database\n");
1315 if (xml_flag == 1) {
1319 printf(
"couldn't read zonelist\n");
1344 StrAppend(&backup_filename, zonelist_filename);
1346 status =
backup_file(zonelist_filename, backup_filename);
1355 status = xmlSaveFormatFile(zonelist_filename, doc, 1);
1359 printf(
"Could not save %s\n", zonelist_filename);
1370 if (all_flag == 0) {
1373 printf(
"Couldn't find zone %s\n",
o_zone);
1382 printf(
"Error: failed to mark keys as dead in database\n");
1391 printf(
"Error: failed to remove zone%s from database\n", (all_flag == 1) ?
"s" :
"");
1397 if (all_flag == 0) {
1398 if (system(SIGNER_CLI_UPDATE) != 0)
1400 printf(
"Could not call signer engine\n");
1407 if (xml_flag == 0) {
1408 printf(
"Deleted zone: %s from database only, please run \"ods-ksmutil zonelist export\" to update zonelist.xml\n",
o_zone);
1422 FILE* lock_fd = NULL;
1424 char* zonelist_filename = NULL;
1427 xmlTextReaderPtr reader = NULL;
1429 char* tag_name = NULL;
1431 int file_zone_count = 0;
1437 char* temp_name = NULL;
1444 printf(
"couldn't read zonelist\n");
1445 if (zonelist_filename != NULL) {
1454 printf(
"Failed to connect to database\n");
1460 reader = xmlNewTextReaderFilename(zonelist_filename);
1461 if (reader != NULL) {
1462 ret = xmlTextReaderRead(reader);
1464 tag_name = (
char*) xmlTextReaderLocalName(reader);
1466 if (strncmp(tag_name,
"Zone", 4) == 0
1467 && strncmp(tag_name,
"ZoneList", 8) != 0
1468 && xmlTextReaderNodeType(reader) == 1) {
1472 ret = xmlTextReaderRead(reader);
1475 xmlFreeTextReader(reader);
1477 printf(
"%s : failed to parse\n", zonelist_filename);
1480 printf(
"Unable to open %s\n", zonelist_filename);
1484 zone_ids =
MemMalloc(file_zone_count *
sizeof(
int));
1490 if (file_zone_count != 0) {
1491 StrAppend(&sql,
"select name from zones where id not in (");
1492 for (j = 0; j < file_zone_count; ++j) {
1496 snprintf(buffer,
sizeof(buffer),
"%d", zone_ids[j]);
1501 StrAppend(&sql,
"select name from zones");
1507 while (status == 0) {
1511 printf(
"Found zone %s in DB but not zonelist.\n", temp_name);
1528 if (file_zone_count == 0) {
1529 printf(
"No zones in DB or zonelist.\n");
1557 int prev_zone_id = -1;
1559 char *case_keytype = NULL;
1560 char *case_keystate = NULL;
1561 char *zone_name = NULL;
1564 hsm_key_t *key = NULL;
1565 ldns_rr *dnskey_rr = NULL;
1566 ldns_rr *ds_sha1_rr = NULL;
1567 ldns_rr *ds_sha256_rr = NULL;
1568 hsm_sign_params_t *sign_params = NULL;
1581 int done_something = 0;
1589 if (strncmp(case_keystate,
"KEYPUBLISH", 10) == 0 || strncmp(
o_keystate,
"10", 2) == 0) {
1592 else if (strncmp(case_keystate,
"GENERATE", 8) == 0 || strncmp(
o_keystate,
"1", 1) == 0) {
1595 else if (strncmp(case_keystate,
"PUBLISH", 7) == 0 || strncmp(
o_keystate,
"2", 1) == 0) {
1598 else if (strncmp(case_keystate,
"READY", 5) == 0 || strncmp(
o_keystate,
"3", 1) == 0) {
1601 else if (strncmp(case_keystate,
"ACTIVE", 6) == 0 || strncmp(
o_keystate,
"4", 1) == 0) {
1604 else if (strncmp(case_keystate,
"RETIRE", 6) == 0 || strncmp(
o_keystate,
"5", 1) == 0) {
1607 else if (strncmp(case_keystate,
"DEAD", 4) == 0 || strncmp(
o_keystate,
"6", 1) == 0) {
1610 else if (strncmp(case_keystate,
"DSSUB", 5) == 0 || strncmp(
o_keystate,
"7", 1) == 0) {
1613 else if (strncmp(case_keystate,
"DSPUBLISH", 9) == 0 || strncmp(
o_keystate,
"8", 1) == 0) {
1616 else if (strncmp(case_keystate,
"DSREADY", 7) == 0 || strncmp(
o_keystate,
"9", 1) == 0) {
1620 printf(
"Error: Unrecognised state %s; should be one of GENERATE, PUBLISH, READY, ACTIVE, RETIRE, DEAD, DSSUB, DSPUBLISH, DSREADY or KEYPUBLISH\n",
o_keystate);
1632 if (strncmp(case_keytype,
"KSK", 3) == 0 || strncmp(
o_keytype,
"257", 3) == 0) {
1635 else if (strncmp(case_keytype,
"ZSK", 3) == 0 || strncmp(
o_keytype,
"256", 3) == 0) {
1639 printf(
"Error: Unrecognised keytype %s; should be one of KSK or ZSK\n",
o_keytype);
1650 printf(
"Failed to connect to database\n");
1662 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
1668 status = hsm_open(
config, hsm_prompt_pin);
1670 hsm_print_error(NULL);
1673 ctx = hsm_create_context();
1676 if (state_id != -1) {
1679 nchar = snprintf(buffer,
sizeof(buffer),
"(%d, %d, %d, %d, %d, %d)",
1682 if (nchar >=
sizeof(buffer)) {
1684 hsm_destroy_context(ctx);
1692 if (zone_id != -1) {
1700 status =
KsmKey(result, &data);
1701 while (status == 0) {
1703 if (ds_flag == 1 && data.
zone_id != prev_zone_id) {
1705 if (red_seen == 0 && act_seen == 0) {
1706 printf(
"\nWARNING: No active or ready keys seen for this zone. Do not load any DS records to the parent unless you understand the possible consequences.\n");
1707 }
else if (red_seen == 1 && act_seen == 1) {
1708 printf(
"\nWARNING: BOTH ready and active keys seen for this zone. Probably a key rollover is happening and you may only want the ready key to be submitted.\n");
1722 key = hsm_find_key_by_id(ctx, data.
location);
1725 printf(
"Key %s in DB but not repository\n", data.
location);
1726 hsm_destroy_context(ctx);
1731 sign_params = hsm_sign_params_new();
1733 if (zone_id == -1) {
1736 printf(
"Error: unable to find zone name for id %d\n", zone_id);
1737 hsm_sign_params_free(sign_params);
1738 hsm_destroy_context(ctx);
1742 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone_name);
1746 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
o_zone);
1749 sign_params->algorithm = data.
algorithm;
1750 sign_params->flags = LDNS_KEY_ZONE_KEY;
1752 sign_params->flags += LDNS_KEY_SEP_KEY;
1754 dnskey_rr = hsm_get_dnskey(ctx, key, sign_params);
1755 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
1771 ldns_rr_set_ttl(dnskey_rr, rrttl);
1776 ldns_rr_print(stdout, dnskey_rr);
1788 ldns_rr_set_ttl(dnskey_rr, rrttl);
1793 ds_sha1_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA1);
1794 ldns_rr_print(stdout, ds_sha1_rr);
1797 ds_sha256_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA256);
1798 ldns_rr_print(stdout, ds_sha256_rr);
1803 hsm_sign_params_free(sign_params);
1805 status =
KsmKey(result, &data);
1815 if (ds_flag == 1 && red_seen == 0 && act_seen == 0) {
1816 printf(
"\nWARNING: No active or ready keys seen for this zone. Do not load any DS records to the parent unless you understand the possible consequences.\n");
1817 }
else if (ds_flag == 1 && red_seen == 1 && act_seen == 1) {
1818 printf(
"\nWARNING: BOTH ready and active keys seen for this zone. Probably a key rollover is happening and you may only want the ready key to be submitted.\n");
1822 if (!done_something) {
1823 if (state_id != -1) {
1826 printf(
"No keys in READY state or higher to export.\n");
1832 if (dnskey_rr != NULL) {
1833 ldns_rr_free(dnskey_rr);
1835 if (ds_sha1_rr != NULL) {
1836 ldns_rr_free(ds_sha1_rr);
1838 if (ds_sha256_rr != NULL) {
1839 ldns_rr_free(ds_sha256_rr);
1842 hsm_destroy_context(ctx);
1860 xmlDocPtr doc = xmlNewDoc((
const xmlChar *)
"1.0");
1867 if (all_flag &&
o_policy != NULL) {
1868 printf(
"can not use --all with --policy\n");
1871 else if (!all_flag &&
o_policy == NULL) {
1872 printf(
"please specify either --policy <policy> or --all\n");
1879 printf(
"Failed to connect to database\n");
1885 if (policy == NULL) {
1886 fprintf(stderr,
"Malloc for policy struct failed\n");
1901 policy->
zone == NULL || policy->
parent == NULL ||
1902 policy->
keys == NULL ||
1903 policy->
ksk == NULL || policy->
zsk == NULL ||
1905 fprintf(stderr,
"Malloc for policy struct failed\n");
1910 xmlKeepBlanksDefault(0);
1911 xmlTreeIndentString =
" ";
1912 root = xmlNewDocNode(doc, NULL, (
const xmlChar *)
"KASP", NULL);
1913 (void) xmlDocSetRootElement(doc, root);
1922 while (status == 0) {
1932 xmlSaveFormatFile(
"-", doc, 1);
1953 xmlDocPtr doc = xmlNewDoc((
const xmlChar *)
"1.0");
1956 int prev_policy_id = -1;
1963 printf(
"Failed to connect to database\n");
1970 fprintf(stderr,
"Malloc for zone struct failed\n");
1975 xmlKeepBlanksDefault(0);
1976 xmlTreeIndentString =
" ";
1977 root = xmlNewDocNode(doc, NULL, (
const xmlChar *)
"ZoneList", NULL);
1978 (void) xmlDocSetRootElement(doc, root);
1984 status =
KsmZone(result, zone);
1986 while (status == 0) {
1987 if (zone->
policy_id != prev_policy_id) {
1991 fprintf(stderr,
"Couldn't get name for policy with ID: %d, exiting...\n", zone->
policy_id);
1998 status =
KsmZone(result, zone);
2003 xmlSaveFormatFile(
"-", doc, 1);
2021 FILE* lock_fd = NULL;
2043 printf(
"Failed to connect to database\n");
2054 printf(
"Error, can't find zone : %s\n",
o_zone);
2074 if (data.
value == 1) {
2075 printf(
"*WARNING* This zone shares keys with others, all instances of the active key on this zone will be retired; are you sure? [y/N] ");
2077 user_certain = getchar();
2078 if (user_certain !=
'y' && user_certain !=
'Y') {
2079 printf(
"Okay, quitting...\n");
2085 status =
keyRoll(zone_id, -1, key_type);
2092 snprintf(logmsg, 256,
"Manual key rollover for key type %s on zone %s initiated" , (
o_keytype == NULL) ?
"all" :
o_keytype,
o_zone);
2093 printf(
"\n%s\n", logmsg);
2096 #ifdef HAVE_OPENLOG_R 2101 #ifdef HAVE_SYSLOG_R 2102 syslog_r(LOG_INFO, &sdata,
"%s", logmsg);
2104 syslog(LOG_INFO,
"%s", logmsg);
2106 #ifdef HAVE_CLOSELOG_R 2116 if (restart_enforcerd() != 0)
2118 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
2134 FILE* lock_fd = NULL;
2138 int zone_count = -1;
2157 printf(
"Failed to connect to database\n");
2164 printf(
"Error, can't find policy : %s\n",
o_policy);
2170 printf(
"*WARNING* This will roll all keys on the policy; are you sure? [y/N] ");
2172 user_certain = getchar();
2173 if (user_certain !=
'y' && user_certain !=
'Y') {
2174 printf(
"Okay, quitting...\n");
2189 if (zone_count == 0) {
2190 printf(
"No zones on policy; nothing to roll\n");
2195 printf(
"Couldn't count zones on policy; quitting...\n");
2200 status =
keyRoll(-1, policy_id, key_type);
2207 snprintf(logmsg, 256,
"Manual key rollover for key type %s on policy %s initiated" , (
o_keytype == NULL) ?
"all" :
o_keytype,
o_policy);
2208 printf(
"%s\n", logmsg);
2211 #ifdef HAVE_OPENLOG_R 2216 #ifdef HAVE_SYSLOG_R 2217 syslog_r(LOG_INFO, &sdata,
"%s", logmsg);
2219 syslog(LOG_INFO,
"%s", logmsg);
2221 #ifdef HAVE_CLOSELOG_R 2231 if (restart_enforcerd() != 0)
2233 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
2254 FILE* lock_fd = NULL;
2259 printf(
"Failed to connect to database\n");
2268 printf(
"Error: unable to find a policy named \"%s\" in database\n",
o_policy);
2282 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2292 printf(
"Error: failed to purge dead keys\n");
2318 FILE* lock_fd = NULL;
2323 if (datetime == NULL) {
2324 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
2329 if ( strncmp(qualifier,
"DONE", 4) == 0 ) {
2330 printf(
"*WARNING* One-step backups are deprecated in favour of a two-step process; see the documentation on key management for the explanation.\n");
2333 if (force_flag == 0) {
2334 printf(
"Do you wish to continue? [y/N] ");
2336 user_certain = getchar();
2337 if (user_certain !=
'y' && user_certain !=
'Y') {
2338 printf(
"Okay, quitting...\n");
2347 printf(
"Failed to connect to database\n");
2357 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
2365 if (strncmp(qualifier,
"PREPARE", 7) == 0 ||
2366 strncmp(qualifier,
"DONE", 4) == 0 ) {
2369 printf(
"There were no keys to mark\n");
2371 else if (status != 0) {
2372 printf(
"Error: failed to mark pre_backup as done\n");
2377 if (strncmp(qualifier,
"PREPARE", 7) == 0) {
2379 printf(
"Marked repository %s as pre-backed up at %s\n",
o_repository, datetime);
2381 printf(
"Marked all repositories as pre-backed up at %s\n", datetime);
2388 if (strncmp(qualifier,
"COMMIT", 6) == 0 ||
2389 strncmp(qualifier,
"DONE", 4) == 0 ) {
2392 printf(
"There were no keys to mark\n");
2394 else if (status != 0) {
2395 printf(
"Error: failed to mark backup as done\n");
2401 printf(
"Marked repository %s as backed up at %s\n",
o_repository, datetime);
2403 printf(
"Marked all repositories as backed up at %s\n", datetime);
2409 if (strncmp(qualifier,
"ROLLBACK", 6) == 0 ) {
2412 printf(
"There were no keys to rollback\n");
2414 else if (status != 0) {
2415 printf(
"Error: failed to mark backup as done\n");
2421 printf(
"Rolled back pre-backup of repository %s\n",
o_repository);
2423 printf(
"Rolled back pre-backup of all repositories\n");
2445 int qualifier_id = -1;
2449 FILE* lock_fd = NULL;
2454 printf(
"Failed to connect to database\n");
2467 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2474 printf(
"Rollovers:\n");
2479 printf(
"Error: failed to list rollovers\n");
2488 if (verbose_flag && ds_count > 0) {
2490 status =
ListDS(qualifier_id);
2493 printf(
"Error: failed to list DS records\n");
2514 int qualifier_id = -1;
2518 FILE* lock_fd = NULL;
2523 printf(
"Failed to connect to database\n");
2532 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
2538 printf(
"Backups:\n");
2542 printf(
"Error: failed to list backups\n");
2565 FILE* lock_fd = NULL;
2570 printf(
"Failed to connect to database\n");
2575 printf(
"Repositories:\n");
2580 printf(
"Error: failed to list repositories\n");
2581 if (lock_fd != NULL) {
2606 FILE* lock_fd = NULL;
2611 printf(
"Failed to connect to database\n");
2616 printf(
"Policies:\n");
2621 printf(
"Error: failed to list policies\n");
2642 int qualifier_id = -1;
2646 FILE* lock_fd = NULL;
2651 printf(
"Failed to connect to database\n");
2664 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2676 printf(
"Error: failed to list keys\n");
2703 int keytag_int = -1;
2704 int temp_key_state = -1;
2705 int temp_keypair_id = -1;
2706 char* temp_cka_id = NULL;
2711 FILE* lock_fd = NULL;
2716 if (datetime == NULL) {
2717 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
2723 printf(
"*WARNING* This will retire the currently active KSK; are you sure? [y/N] ");
2725 user_certain = getchar();
2726 if (user_certain !=
'y' && user_certain !=
'Y') {
2727 printf(
"Okay, quitting...\n");
2734 printf(
"Failed to connect to database\n");
2748 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2761 printf(
"Error: Unable to convert keytag \"%s\"; to an integer\n",
o_keytag);
2767 printf(
"Error: keytag \"%s\"; should be numeric only\n",
o_keytag);
2777 printf(
"Please provide a zone or details of the key to roll\n");
2786 printf(
"Error: failed to count active keys\n");
2793 if (key_count < 2) {
2794 printf(
"Error: completing this action would leave no active keys on zone, quitting...\n");
2803 printf(
"Error: failed to find policy for zone\n");
2812 printf(
"Old key retired\n");
2814 printf(
"Old key NOT retired\n");
2822 status =
CountKeys(&zone_id, keytag_int,
o_cka_id, &key_count, &temp_cka_id, &temp_key_state, &temp_keypair_id);
2824 printf(
"Error: failed to count keys\n");
2831 if (key_count > 1) {
2832 printf(
"More than one key matched your parameters, please include more information from the above keys\n");
2840 printf(
"No keys in the ACTIVE state matched your parameters, please check the parameters\n");
2848 printf(
"Error: failed to count active keys\n");
2855 if (key_count < 2) {
2856 printf(
"Error: completing this action would leave no active keys on zone, quitting...\n");
2865 printf(
"Error: failed to find policy for zone\n");
2876 printf(
"Key %s retired\n", temp_cka_id);
2903 int keytag_int = -1;
2904 int temp_key_state = -1;
2905 int temp_keypair_id = -1;
2906 char* temp_cka_id = NULL;
2912 FILE* lock_fd = NULL;
2917 printf(
"Failed to connect to database\n");
2930 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2942 printf(
"Error: Unable to convert keytag \"%s\"; to an integer\n",
o_keytag);
2947 printf(
"Error: keytag \"%s\"; should be numeric only\n",
o_keytag);
2956 status =
DtNow(&datetime);
2959 printf(
"Error parsing time, quitting...\n");
2965 datetime.tm_mday += 30;
2966 (void)mktime(&datetime);
2969 "%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d",
2970 datetime.tm_year + 1900, datetime.tm_mon + 1,
2971 datetime.tm_mday, datetime.tm_hour, datetime.tm_min,
2977 printf(
"Please provide a zone or details of the key to roll\n");
2985 printf(
"Error: failed to count retired keys\n");
2991 if (key_count < 1) {
2992 printf(
"Error: Could not find a key to retire, quitting...\n");
3000 printf(
"Error: failed to find policy for zone\n");
3005 status =
RevokeOldKey(zone_id, policy_id, time_buffer);
3008 printf(
"Old key revoked\n");
3010 printf(
"Old key NOT revoked\n");
3019 status =
CountKeys(&zone_id, keytag_int,
o_cka_id, &key_count, &temp_cka_id, &temp_key_state, &temp_keypair_id);
3021 printf(
"Error: failed to count keys\n");
3027 if (key_count > 1) {
3028 printf(
"More than one key matched your parameters, please include more information from the above keys\n");
3035 printf(
"No keys in the RETIRE state matched your parameters, please check the parameters\n");
3042 printf(
"Error: failed to count revoked keys\n");
3048 if (key_count < 1) {
3049 printf(
"Error: Could not find a key to revoke, quitting...\n");
3057 printf(
"Error: failed to find policy for zone\n");
3099 printf(
"Key %s revoked\n", temp_cka_id);
3108 if (restart_enforcerd() != 0) {
3109 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
3111 fprintf(stdout,
"Performed a HUP ods-enforcerd\n");
3129 int retired_count = -1;
3130 int keytag_int = -1;
3131 int temp_key_state = -1;
3132 int temp_keypair_id = -1;
3133 char* temp_cka_id = NULL;
3138 FILE* lock_fd = NULL;
3145 if (datetime == NULL) {
3146 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
3153 printf(
"Please provide a keytag or a CKA_ID for the key (CKA_ID will be used if both are provided\n");
3161 printf(
"*WARNING* This will retire the currently active KSK; are you sure? [y/N] ");
3163 user_certain = getchar();
3164 if (user_certain !=
'y' && user_certain !=
'Y') {
3165 printf(
"Okay, quitting...\n");
3172 printf(
"Failed to connect to database\n");
3183 printf(
"Please specify a zone using the --zone flag\n");
3189 else if (
o_zone != NULL) {
3196 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
3203 else if (all_flag) {
3204 printf(
"*WARNING* This will act on every zone where this key is in use; are you sure? [y/N] ");
3206 user_certain = getchar();
3207 if (user_certain !=
'y' && user_certain !=
'Y') {
3208 printf(
"Okay, quitting...\n");
3220 printf(
"Error: Unable to convert keytag \"%s\"; to an integer\n",
o_keytag);
3226 printf(
"Error: keytag \"%s\"; should be numeric only\n",
o_keytag);
3237 status =
CountKeys(&zone_id, keytag_int,
o_cka_id, &key_count, &temp_cka_id, &temp_key_state, &temp_keypair_id);
3239 printf(
"Error: failed to count keys\n");
3246 if (key_count > 1) {
3247 printf(
"More than one key matched your parameters, please include more information from the above keys\n");
3255 printf(
"Key is already active\n");
3262 if (key_count == 0) {
3263 printf(
"No keys in the READY state matched your parameters, please check the parameters\n");
3272 printf(
"Error: failed to find policy for zone\n");
3279 status =
MarkDSSeen(temp_keypair_id, zone_id, policy_id, datetime, temp_key_state);
3283 snprintf(logmsg, 256,
"Key %s made %s", temp_cka_id, (temp_key_state ==
KSM_STATE_READY) ?
"active" :
"into standby");
3284 printf(
"%s\n", logmsg);
3287 #ifdef HAVE_OPENLOG_R 3292 #ifdef HAVE_SYSLOG_R 3293 syslog_r(LOG_INFO, &sdata,
"%s", logmsg);
3295 syslog(LOG_INFO,
"%s", logmsg);
3297 #ifdef HAVE_CLOSELOG_R 3307 if (retire_flag == 1) {
3312 printf(
"Error: failed to count active keys\n");
3319 if (key_count < 2) {
3323 printf(
"Error: failed to count retired keys\n");
3332 if (retired_count != 0) {
3333 printf(
"Error: retiring a key would leave no active keys on zone, skipping...\n");
3338 if (notify_flag == 1) {
3339 if (restart_enforcerd() != 0) {
3340 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
3342 fprintf(stdout,
"Performed a HUP ods-enforcerd\n");
3345 fprintf(stdout,
"No HUP ods-enforcerd was performed as the '--no-notify' flag was specified.\n");
3346 fprintf(stdout,
"Warning: The enforcer must be manually notified or the changes will not take full effect until the next scheduled enforcer run.\n");
3356 printf(
"Old key retired\n");
3358 printf(
"Old key NOT retired\n");
3361 printf(
"Old key NOT retired\n");
3365 if (notify_flag == 1) {
3366 if (restart_enforcerd() != 0) {
3367 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
3369 fprintf(stdout,
"Performed a HUP ods-enforcerd\n");
3372 fprintf(stdout,
"No HUP ods-enforcerd was performed as the '--no-notify' flag was specified.\n");
3373 fprintf(stdout,
"Warning: The enforcer must be manually notified or the changes will not take full effect until the next scheduled enforcer run.\n");
3395 char* case_keytype = NULL;
3396 char* case_algorithm = NULL;
3397 char* case_state = NULL;
3402 int cka_id_exists = -1;
3403 int keytype_id = -1;
3410 DB_ID keypair_id = 0;
3419 FILE* lock_fd = NULL;
3426 hsm_key_t *key = NULL;
3432 printf(
"Error: please specify a CKA_ID with the --cka_id <CKA_ID>\n");
3436 printf(
"Error: please specify a repository with the --repository <repository>\n");
3440 printf(
"Error: please specify a zone with the --zone <zone>\n");
3444 printf(
"Error: please specify the number of bits with the --bits <size>\n");
3448 printf(
"Error: please specify the algorithm with the --algorithm <algorithm>\n");
3452 printf(
"Error: please specify the state with the --keystate <state>\n");
3456 printf(
"Error: please specify a keytype, KSK or ZSK, with the --keytype <type>\n");
3460 printf(
"Error: please specify the time of when the key entered the given state with the --time <time>\n");
3465 status = hsm_open(
config, hsm_prompt_pin);
3467 hsm_print_error(NULL);
3470 ctx = hsm_create_context();
3471 key = hsm_find_key_by_id(ctx,
o_cka_id);
3472 hsm_destroy_context(ctx);
3475 if(check_repository_flag){
3476 fprintf(stderr,
"Error: No key with the CKA_ID %-33s exists in the repository %s. When the option [--check-repository] is used the key MUST exist in the repository for the key to be imported. \n",
o_cka_id,
o_repository);
3479 fprintf(stdout,
"Warning: No key with the CKA_ID %-33s exists in the repository %s. The key will be imported into the database anyway. \n",
o_cka_id,
o_repository);
3488 printf(
"Failed to connect to database\n");
3496 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
3508 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
3520 if (cka_id_exists == 1) {
3521 printf(
"Error: key with CKA_ID \"%s\" already exists in database\n",
o_cka_id);
3529 if (strncmp(case_keytype,
"KSK", 3) == 0 || strncmp(
o_keytype,
"257", 3) == 0) {
3532 else if (strncmp(case_keytype,
"ZSK", 3) == 0 || strncmp(
o_keytype,
"256", 3) == 0) {
3536 printf(
"Error: Unrecognised keytype %s; should be one of KSK or ZSK\n",
o_keytype);
3548 printf(
"Error: Unable to convert bits \"%s\"; to an integer\n",
o_size);
3553 printf(
"Error: Bits \"%s\"; should be numeric only\n",
o_size);
3571 if (status != 0 || algo_id == 0 || hsm_supported_algorithm(algo_id) != 0) {
3572 printf(
"Error: Key algorithm %s not supported; try one of RSASHA1, RSASHA1-NSEC3-SHA1 or RSASHA256\n",
o_algo);
3580 if (strncmp(case_state,
"GENERATE", 8) == 0 || strncmp(
o_keystate,
"1", 1) == 0) {
3583 else if (strncmp(case_state,
"PUBLISH", 7) == 0 || strncmp(
o_keystate,
"2", 1) == 0) {
3586 else if (strncmp(case_state,
"READY", 5) == 0 || strncmp(
o_keystate,
"3", 1) == 0) {
3589 else if (strncmp(case_state,
"ACTIVE", 6) == 0 || strncmp(
o_keystate,
"4", 1) == 0) {
3592 else if (strncmp(case_state,
"RETIRE", 6) == 0 || strncmp(
o_keystate,
"5", 1) == 0) {
3596 printf(
"Error: Unrecognised state %s; should be one of GENERATE, PUBLISH, READY, ACTIVE or RETIRE\n",
o_keystate);
3607 printf(
"Error: unable to convert \"%s\" into a date\n",
o_time);
3614 snprintf(form_time,
KSM_TIME_LENGTH,
"%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d",
3615 datetime.tm_year + 1900, datetime.tm_mon + 1, datetime.tm_mday,
3616 datetime.tm_hour, datetime.tm_min, datetime.tm_sec);
3617 printf(
"Converted time is %s\n", form_time);
3623 printf(
"Error: unable to specify retire time for a key in state \"%s\"\n",
o_keystate);
3630 printf(
"Error: unable to convert retire time \"%s\" into a date\n",
o_retire);
3637 snprintf(form_opt_time,
KSM_TIME_LENGTH,
"%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d",
3638 datetime.tm_year + 1900, datetime.tm_mon + 1, datetime.tm_mday,
3639 datetime.tm_hour, datetime.tm_min, datetime.tm_sec);
3643 form_opt_time[0] =
'\0';
3660 if (data.
value == 1) {
3661 printf(
"*WARNING* This zone shares keys with others, the key will be added to all; are you sure? [y/N] ");
3663 user_certain = getchar();
3664 if (user_certain !=
'y' && user_certain !=
'Y') {
3665 printf(
"Okay, quitting...\n");
3672 status =
KsmImportKeyPair(policy_id,
o_cka_id, repo_id, size_int, algo_id, state_id, form_time, fix_time, &keypair_id);
3674 printf(
"Error: couldn't import key\n");
3684 status =
KsmDnssecKeyCreate(zone_id, (
int) keypair_id, keytype_id, state_id, rfc5011_flag, form_time, form_opt_time, &ignore);
3687 printf(
"Error: couldn't allocate key to zone(s)\n");
3692 printf(
"Key imported into zone(s)\n");
3708 FILE* lock_fd = NULL;
3711 char *dbschema = NULL;
3715 char *password = NULL;
3719 char* backup_filename = NULL;
3720 char* lock_filename;
3722 char *path = getenv(
"PWD");
3725 printf(
"Sorry, currently this utility can only backup a sqlite database file\n");
3730 status =
get_db_details(&dbschema, &host, &port, &user, &password);
3741 lock_filename = NULL;
3745 lock_fd = fopen(lock_filename,
"w");
3748 printf(
"Error getting db lock\n");
3749 if (lock_fd != NULL) {
3799 char* kasp_filename = NULL;
3800 char* zonelist_filename = NULL;
3801 char* backup_filename = NULL;
3804 FILE* lock_fd = NULL;
3813 int zone_count = -1;
3815 xmlDocPtr doc = NULL;
3818 printf(
"*WARNING* This feature is experimental and has not been fully tested; are you sure? [y/N] ");
3820 user_certain = getchar();
3821 if (user_certain !=
'y' && user_certain !=
'Y') {
3822 printf(
"Okay, quitting...\n");
3829 printf(
"Failed to read conf.xml\n");
3835 StrAppend(&backup_filename, kasp_filename);
3837 status =
backup_file(kasp_filename, backup_filename);
3847 if ((test = fopen(kasp_filename,
"ab"))==NULL) {
3848 printf(
"Cannot open kasp.xml for writing: %s\n", strerror(errno));
3859 printf(
"Failed to connect to database\n");
3880 if (policy == NULL) {
3881 printf(
"Malloc for policy struct failed\n");
3890 while (status == 0) {
3900 if (zone_count == 0) {
3901 printf(
"No zones on policy %s; purging...\n", policy->
name);
3903 size = snprintf(sql,
KSM_SQL_SIZE,
"update dnsseckeys set state = %d where keypair_id in (select id from keypairs where policy_id = %d)",
KSM_STATE_DEAD, policy->
id);
3907 printf(
"Couldn't construct SQL to kill orphaned keys\n");
3930 printf(
"Key purge failed for policy %s\n", policy->
name);
3939 sql2 =
DdsInit(
"parameters_policies");
3983 status = xmlSaveFormatFile(kasp_filename, doc, 1);
3986 printf(
"Could not save %s\n", kasp_filename);
3996 printf(
"Couldn't count zones on policy; quitting...\n");
4034 char* ods_control_cmd = NULL;
4035 char* ptr = command;
4040 *ptr = tolower((
int) *ptr);
4046 StrAppend(&ods_control_cmd, ODS_EN_CONTROL);
4049 status = system(ods_control_cmd);
4052 fprintf(stderr,
"Couldn't run %s\n", ods_control_cmd);
4068 char* case_command = NULL;
4069 char* case_verb = NULL;
4071 int option_index = 0;
4072 static struct option long_options[] =
4074 {
"all", no_argument, 0,
'a'},
4075 {
"auto-accept", no_argument, 0,
'A'},
4076 {
"bits", required_argument, 0,
'b'},
4077 {
"rfc5011", no_argument, 0,
'5'},
4078 {
"config", required_argument, 0,
'c'},
4079 {
"check-repository", no_argument, 0,
'C'},
4080 {
"ds", no_argument, 0,
'd'},
4081 {
"keystate", required_argument, 0,
'e'},
4082 {
"no-retire", no_argument, 0,
'f'},
4083 {
"force", no_argument, 0,
'F'},
4084 {
"algorithm", required_argument, 0,
'g'},
4085 {
"help", no_argument, 0,
'h'},
4086 {
"input", required_argument, 0,
'i'},
4087 {
"in-type", required_argument, 0,
'j'},
4088 {
"cka_id", required_argument, 0,
'k'},
4089 {
"no-notify", no_argument, 0,
'l'},
4090 {
"no-xml", no_argument, 0,
'm'},
4091 {
"no-hsm", no_argument, 0,
'M'},
4092 {
"interval", required_argument, 0,
'n'},
4093 {
"output", required_argument, 0,
'o'},
4094 {
"policy", required_argument, 0,
'p'},
4095 {
"out-type", required_argument, 0,
'q'},
4096 {
"repository", required_argument, 0,
'r'},
4097 {
"signerconf", required_argument, 0,
's'},
4098 {
"keytype", required_argument, 0,
't'},
4099 {
"time", required_argument, 0,
'w'},
4100 {
"verbose", no_argument, 0,
'v'},
4101 {
"version", no_argument, 0,
'V'},
4102 {
"keytag", required_argument, 0,
'x'},
4103 {
"retire", required_argument, 0,
'y'},
4104 {
"tdead", required_argument, 0,
'Y'},
4105 {
"zone", required_argument, 0,
'z'},
4106 {
"zonetotal", required_argument, 0,
'Z'},
4112 while ((ch = getopt_long(argc, argv,
"aAb:Cc:de:fFg:hi:j:k:mMln:o:p:q:r:s:t:vVw:x:y:Y:z:Z:5", long_options, &option_index)) != -1) {
4118 auto_accept_flag = 1;
4130 check_repository_flag = 1;
4194 printf(
"%s version %s\n", PACKAGE_NAME, PACKAGE_VERSION);
4255 if (!strncmp(case_command,
"SETUP", 5)) {
4259 }
else if (!strncmp(case_command,
"UPDATE", 6)) {
4263 }
else if (!strncmp(case_command,
"START", 5) ||
4264 !strncmp(case_command,
"STOP", 4) ||
4265 !strncmp(case_command,
"NOTIFY", 6)) {
4269 }
else if (!strncmp(case_command,
"ZONE", 4) && strlen(case_command) == 4) {
4274 if (!strncmp(case_verb,
"ADD", 3)) {
4276 }
else if (!strncmp(case_verb,
"DELETE", 6)) {
4278 }
else if (!strncmp(case_verb,
"LIST", 4)) {
4281 printf(
"Unknown command: zone %s\n", case_verb);
4285 }
else if (!strncmp(case_command,
"REPOSITORY", 10)) {
4289 if (!strncmp(case_verb,
"LIST", 4)) {
4292 printf(
"Unknown command: repository %s\n", case_verb);
4296 }
else if (!strncmp(case_command,
"POLICY", 6)) {
4300 if (!strncmp(case_verb,
"EXPORT", 6)) {
4302 }
else if (!strncmp(case_verb,
"IMPORT", 6)) {
4304 }
else if (!strncmp(case_verb,
"LIST", 4)) {
4306 }
else if (!strncmp(case_verb,
"PURGE", 5)) {
4309 printf(
"Unknown command: policy %s\n", case_verb);
4313 }
else if (!strncmp(case_command,
"KEY", 3)) {
4317 if (!strncmp(case_verb,
"LIST", 4)) {
4320 else if (!strncmp(case_verb,
"EXPORT", 6)) {
4323 else if (!strncmp(case_verb,
"IMPORT", 6)) {
4326 else if (!strncmp(case_verb,
"ROLLOVER", 8)) {
4328 if (all_flag == 0 &&
o_keytype == NULL) {
4329 printf(
"Please specify either a keytype, KSK or ZSK, with the --keytype <type> option or use the --all option\n");
4342 printf(
"Please provide either a zone OR a policy to rollover\n");
4348 else if (!strncmp(case_verb,
"PURGE", 5)) {
4354 printf(
"Please provide either a zone OR a policy to key purge\n");
4359 else if (!strncmp(case_verb,
"GENERATE", 8)) {
4362 else if (!strncmp(case_verb,
"KSK-RETIRE", 10)) {
4365 else if (!strncmp(case_verb,
"KSK-REVOKE", 10)) {
4368 else if (!strncmp(case_verb,
"DS-SEEN", 7)) {
4370 }
else if (!strncmp(case_verb,
"DELETE", 6)) {
4373 printf(
"Unknown command: key %s\n", case_verb);
4377 }
else if (!strncmp(case_command,
"BACKUP", 6)) {
4381 if (!strncmp(case_verb,
"DONE", 4) ||
4382 !strncmp(case_verb,
"PREPARE", 7) ||
4383 !strncmp(case_verb,
"COMMIT", 6) ||
4384 !strncmp(case_verb,
"ROLLBACK", 8)) {
4387 else if (!strncmp(case_verb,
"LIST", 4)) {
4390 printf(
"Unknown command: backup %s\n", case_verb);
4394 }
else if (!strncmp(case_command,
"ROLLOVER", 8)) {
4397 if (!strncmp(case_verb,
"LIST", 4)) {
4400 printf(
"Unknown command: rollover %s\n", case_verb);
4404 }
else if (!strncmp(case_command,
"DATABASE", 8)) {
4408 if (!strncmp(case_verb,
"BACKUP", 6)) {
4411 printf(
"Unknown command: database %s\n", case_verb);
4415 }
else if (!strncmp(case_command,
"ZONELIST", 8)) {
4419 if (!strncmp(case_verb,
"EXPORT", 6)) {
4422 else if (!strncmp(case_verb,
"IMPORT", 6)) {
4425 printf(
"Unknown command: zonelist %s\n", case_verb);
4430 printf(
"Unknown command: %s\n", argv[0]);
4442 xmlCleanupGlobals();
4443 xmlCleanupThreads();
4465 char *dbschema = NULL;
4469 char *password = NULL;
4473 char* backup_filename = NULL;
4474 char* lock_filename;
4477 status =
get_db_details(&dbschema, &host, &port, &user, &password);
4493 if (lock_fd != NULL) {
4494 lock_filename = NULL;
4498 *lock_fd = fopen(lock_filename,
"w");
4501 printf(
"Error getting db lock\n");
4502 if (*lock_fd != NULL) {
4526 if (lock_fd != NULL) {
4541 status =
DbConnect(dbhandle, dbschema, host, password, user, port);
4563 if (lock_fd != NULL) {
4566 printf(
"Error releasing db lock");
4588 if (lock_fd == NULL) {
4589 printf(
"%s could not be opened\n", lock_filename);
4593 memset(&fl, 0,
sizeof(
struct flock));
4594 fl.l_type = F_WRLCK;
4595 fl.l_whence = SEEK_SET;
4596 fl.l_pid = getpid();
4598 while (fcntl(fileno(lock_fd), F_SETLK, &fl) == -1) {
4600 printf(
"couldn't get lock on %s; %s\n", lock_filename, strerror(errno));
4603 if (errno == EACCES || errno == EAGAIN) {
4604 printf(
"%s already locked, sleep\n", lock_filename);
4609 select(0, NULL, NULL, NULL, &tv);
4614 printf(
"couldn't get lock on %s; %s\n", lock_filename, strerror(errno));
4627 if (lock_fd == NULL) {
4631 memset(&fl, 0,
sizeof(
struct flock));
4632 fl.l_type = F_UNLCK;
4633 fl.l_whence = SEEK_SET;
4635 if (fcntl(fileno(lock_fd), F_SETLK, &fl) == -1) {
4648 xmlTextReaderPtr reader = NULL;
4649 xmlDocPtr doc = NULL;
4650 xmlXPathContextPtr xpathCtx = NULL;
4651 xmlXPathObjectPtr xpathObj = NULL;
4653 char* tag_name = NULL;
4654 char* temp_char = NULL;
4656 xmlChar *zonelist_expr = (
unsigned char*)
"//Common/ZoneListFile";
4657 xmlChar *kaspfile_expr = (
unsigned char*)
"//Common/PolicyFile";
4660 reader = xmlNewTextReaderFilename(
config);
4661 if (reader != NULL) {
4662 ret = xmlTextReaderRead(reader);
4664 tag_name = (
char*) xmlTextReaderLocalName(reader);
4666 if (strncmp(tag_name,
"Common", 6) == 0
4667 && xmlTextReaderNodeType(reader) == 1) {
4670 xmlTextReaderExpand(reader);
4671 doc = xmlTextReaderCurrentDoc(reader);
4673 printf(
"Error: can not read Common section\n");
4675 ret = xmlTextReaderRead(reader);
4679 xpathCtx = xmlXPathNewContext(doc);
4680 if(xpathCtx == NULL) {
4681 printf(
"Error: can not create XPath context for Common section\n");
4683 ret = xmlTextReaderRead(reader);
4688 xpathObj = xmlXPathEvalExpression(zonelist_expr, xpathCtx);
4689 if(xpathObj == NULL) {
4690 printf(
"Error: unable to evaluate xpath expression: %s\n", zonelist_expr);
4692 ret = xmlTextReaderRead(reader);
4695 *zone_list_filename = NULL;
4696 temp_char = (
char*) xmlXPathCastToString(xpathObj);
4697 StrAppend(zone_list_filename, temp_char);
4699 xmlXPathFreeObject(xpathObj);
4700 printf(
"zonelist filename set to %s.\n", *zone_list_filename);
4703 xpathObj = xmlXPathEvalExpression(kaspfile_expr, xpathCtx);
4704 xmlXPathFreeContext(xpathCtx);
4705 if(xpathObj == NULL) {
4706 printf(
"Error: unable to evaluate xpath expression: %s\n", kaspfile_expr);
4708 ret = xmlTextReaderRead(reader);
4711 *kasp_filename = NULL;
4712 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
4716 temp_char = (
char*) xmlXPathCastToString(xpathObj);
4724 StrAppend(kasp_filename, OPENDNSSEC_CONFIG_DIR);
4727 printf(
"kasp filename set to %s.\n", *kasp_filename);
4729 xmlXPathFreeObject(xpathObj);
4732 ret = xmlTextReaderRead(reader);
4736 xmlFreeTextReader(reader);
4738 printf(
"%s : failed to parse\n",
config);
4742 printf(
"Unable to open %s\n",
config);
4759 xmlDocPtr doc = NULL;
4760 xmlXPathContextPtr xpathCtx = NULL;
4761 xmlXPathObjectPtr xpathObj = NULL;
4763 char* repo_name = NULL;
4764 char* repo_capacity = NULL;
4765 int require_backup = 0;
4768 xmlChar *node_expr = (
unsigned char*)
"//Configuration/RepositoryList/Repository";
4772 doc = xmlParseFile(
config);
4774 printf(
"Unable to open %s\n",
config);
4779 xpathCtx = xmlXPathNewContext(doc);
4780 if(xpathCtx == NULL) {
4786 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
4787 if(xpathObj == NULL) {
4788 xmlXPathFreeContext(xpathCtx);
4793 if (xpathObj->nodesetval) {
4794 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
4799 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
4800 repo_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i],
4801 (
const xmlChar *)
"name");
4803 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Capacity")) {
4804 repo_capacity = (
char *) xmlNodeGetContent(curNode);
4806 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"RequireBackup")) {
4810 curNode = curNode->next;
4813 if (strlen(repo_name) != 0) {
4815 printf(
"Repository %s found\n", repo_name);
4816 if (strlen(repo_capacity) == 0) {
4817 printf(
"No Maximum Capacity set.\n");
4823 printf(
"Capacity set to %s.\n", repo_capacity);
4829 if (require_backup == 0) {
4830 printf(
"RequireBackup NOT set; please make sure that you know the potential problems of using keys which are not recoverable\n");
4832 printf(
"RequireBackup set.\n");
4836 printf(
"Error Importing Repository %s", repo_name);
4840 printf(
"WARNING: Repository found with NULL name, skipping...\n");
4848 xmlXPathFreeObject(xpathObj);
4851 xmlXPathFreeContext(xpathCtx);
4866 char *policy_name = NULL;
4867 char *policy_description = NULL;
4870 xmlDocPtr doc = NULL;
4871 xmlDocPtr pol_doc = NULL;
4872 xmlDocPtr rngdoc = NULL;
4875 xmlNode *childNode2;
4876 xmlNode *childNode3;
4877 xmlChar *opt_out_flag = (xmlChar *)
"N";
4878 xmlChar *nsec3param_ttl = NULL ;
4879 xmlChar *share_keys_flag = (xmlChar *)
"N";
4880 xmlChar *man_roll_flag = (xmlChar *)
"N";
4881 xmlChar *rfc5011_flag = (xmlChar *)
"N";
4882 int standby_keys_flag = 0;
4883 xmlXPathContextPtr xpathCtx = NULL;
4884 xmlXPathObjectPtr xpathObj = NULL;
4885 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
4886 xmlRelaxNGValidCtxtPtr rngctx = NULL;
4887 xmlRelaxNGPtr schema = NULL;
4890 xmlChar *node_expr = (
unsigned char*)
"//Policy";
4896 int algo_change = 0;
4898 char* changes_made = NULL;
4903 const char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/kasp.rng";
4904 char* kaspcheck_cmd = NULL;
4905 char* kaspcheck_cmd_version = NULL;
4907 StrAppend(&kaspcheck_cmd, ODS_EN_KASPCHECK);
4911 StrAppend(&kaspcheck_cmd_version, ODS_EN_KASPCHECK);
4912 StrAppend(&kaspcheck_cmd_version,
" --version > /dev/null");
4915 status = system(kaspcheck_cmd_version);
4918 status = system(kaspcheck_cmd);
4921 fprintf(stderr,
"ods-kaspcheck returned an error, please check your policy\n");
4923 StrFree(kaspcheck_cmd_version);
4929 fprintf(stderr,
"Couldn't run ods-kaspcheck, will carry on\n");
4933 StrFree(kaspcheck_cmd_version);
4936 doc = xmlParseFile(kasp_filename);
4938 printf(
"Error: unable to parse file \"%s\"\n", kasp_filename);
4943 rngdoc = xmlParseFile(rngfilename);
4944 if (rngdoc == NULL) {
4945 printf(
"Error: unable to parse file \"%s\"\n", rngfilename);
4950 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
4951 if (rngpctx == NULL) {
4952 printf(
"Error: unable to create XML RelaxNGs parser context\n");
4957 schema = xmlRelaxNGParse(rngpctx);
4958 if (schema == NULL) {
4959 printf(
"Error: unable to parse a schema definition resource\n");
4964 rngctx = xmlRelaxNGNewValidCtxt(schema);
4965 if (rngctx == NULL) {
4966 printf(
"Error: unable to create RelaxNGs validation context based on the schema\n");
4971 status = xmlRelaxNGValidateDoc(rngctx,doc);
4973 printf(
"Error validating file \"%s\"\n", kasp_filename);
4979 if (policy == NULL) {
4980 printf(
"Malloc for policy struct failed");
4985 xpathCtx = xmlXPathNewContext(doc);
4986 if(xpathCtx == NULL) {
4993 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
4994 if(xpathObj == NULL) {
4995 xmlXPathFreeContext(xpathCtx);
5001 if (xpathObj->nodesetval) {
5007 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
5009 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
5010 policy_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
5011 if (strlen(policy_name) == 0) {
5013 printf(
"Error extracting policy name from %s\n", kasp_filename);
5026 printf(
"Error: unable to read policy %s; skipping\n", policy_name);
5031 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Keys")) {
5032 childNode = curNode->children;
5034 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"KSK")) {
5035 childNode2 = childNode->children;
5037 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
5040 status =
StrStrtoi((
char *)xmlNodeGetContent(childNode2), &value);
5042 printf(
"Error extracting KSK algorithm for policy %s, exiting...", policy_name);
5048 printf(
"\n\nAlgorithm change attempted... details:\n");
5049 StrAppend(&changes_made,
"Algorithm changes made, details:");
5052 size = snprintf(tmp_change,
KSM_MSG_LENGTH,
"Policy: %s, KSK algorithm changed from %d to %d.", policy_name, policy->
ksk->
algorithm, value);
5055 printf(
"Error constructing log message for policy %s, exiting...", policy_name);
5058 printf(
"%s\n", tmp_change);
5064 childNode2 = childNode2->next;
5069 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ZSK")) {
5070 childNode2 = childNode->children;
5072 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
5075 status =
StrStrtoi((
char *)xmlNodeGetContent(childNode2), &value);
5077 printf(
"Error extracting ZSK algorithm for policy %s, exiting...", policy_name);
5083 printf(
"\n\nAlgorithm change attempted... details:\n");
5084 StrAppend(&changes_made,
"Algorithm changes made, details:");
5087 size = snprintf(tmp_change,
KSM_MSG_LENGTH,
"Policy: %s, ZSK algorithm changed from %d to %d.", policy_name, policy->
zsk->
algorithm, value);
5090 printf(
"Error constructing log message for policy %s, exiting...", policy_name);
5093 printf(
"%s\n", tmp_change);
5099 childNode2 = childNode2->next;
5104 childNode = childNode->next;
5107 curNode = curNode->next;
5119 if (algo_change == 1 && force_flag == 0) {
5120 printf(
"*WARNING* This will change the algorithms used as noted above. Algorithm rollover is _not_ supported by OpenDNSSEC and zones may break. Are you sure? [y/N] ");
5122 user_certain = getchar();
5123 if (user_certain !=
'y' && user_certain !=
'Y') {
5124 printf(
"\nOkay, quitting...\n");
5125 xmlXPathFreeContext(xpathCtx);
5138 #ifdef HAVE_OPENLOG_R 5143 #ifdef HAVE_SYSLOG_R 5144 syslog_r(LOG_INFO, &sdata,
"%s", changes_made);
5146 syslog(LOG_INFO,
"%s", changes_made);
5148 #ifdef HAVE_CLOSELOG_R 5159 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
5161 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
5162 policy_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
5163 if (strlen(policy_name) == 0) {
5165 printf(
"Error extracting policy name from %s\n", kasp_filename);
5169 printf(
"Policy %s found\n", policy_name);
5171 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Description")) {
5172 policy_description = (
char *) xmlNodeGetContent(curNode);
5182 printf(
"Error: unable to read policy %s; skipping\n", policy_name);
5183 curNode = curNode->next;
5191 printf(
"Error: unable to update policy description for %s; skipping\n", policy_name);
5193 curNode = curNode->next;
5202 printf(
"Error: unable to insert policy %s; skipping\n", policy_name);
5204 curNode = curNode->next;
5210 printf(
"Error: unable to get policy id for %s; skipping\n", policy_name);
5211 curNode = curNode->next;
5217 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Signatures")) {
5218 childNode = curNode->children;
5220 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Resign")) {
5223 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Refresh")) {
5226 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Validity")) {
5227 childNode2 = childNode->children;
5229 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Default")) {
5232 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Denial")) {
5235 childNode2 = childNode2->next;
5238 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Jitter")) {
5241 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"InceptionOffset")) {
5244 childNode = childNode->next;
5247 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Denial")) {
5248 opt_out_flag = (xmlChar *)
"N";
5249 childNode = curNode->children;
5251 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC3")) {
5255 printf(
"Error: unable to insert/update %s for policy\n",
"Denial version");
5257 childNode2 = childNode->children;
5259 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"OptOut")) {
5260 opt_out_flag = (xmlChar *)
"Y";
5262 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Resalt")) {
5265 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
5266 nsec3param_ttl = xmlNodeGetContent(childNode2);
5268 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Hash")) {
5269 childNode3 = childNode2->children;
5271 if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Algorithm")) {
5274 else if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Iterations")) {
5277 else if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Salt")) {
5280 childNode3 = childNode3->next;
5284 childNode2 = childNode2->next;
5288 if (nsec3param_ttl == NULL)
5289 nsec3param_ttl = (xmlChar *)
StrStrdup(
"PT0S");
5291 nsec3param_ttl = NULL;
5293 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC")) {
5296 printf(
"Error: unable to insert/update %s for policy\n",
"Denial version");
5299 childNode = childNode->next;
5302 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Keys")) {
5303 share_keys_flag = (xmlChar *)
"N";
5304 childNode = curNode->children;
5306 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"TTL")) {
5309 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"RetireSafety")) {
5312 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PublishSafety")) {
5315 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ShareKeys")) {
5316 share_keys_flag = (xmlChar *)
"Y";
5318 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Purge")) {
5322 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"KSK")) {
5323 man_roll_flag = (xmlChar *)
"N";
5324 rfc5011_flag = (xmlChar *)
"N";
5325 childNode2 = childNode->children;
5327 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
5332 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
5335 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
5337 printf(
"Please either add the repository to conf.xml or remove the reference to it from kasp.xml\n");
5339 xmlFreeDoc(pol_doc);
5340 xmlXPathFreeContext(xpathCtx);
5341 xmlRelaxNGFree(schema);
5342 xmlRelaxNGFreeValidCtxt(rngctx);
5343 xmlRelaxNGFreeParserCtxt(rngpctx);
5351 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Standby")) {
5353 standby_keys_flag = 1;
5355 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"ManualRollover")) {
5356 man_roll_flag = (xmlChar *)
"Y";
5358 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"RFC5011")) {
5359 rfc5011_flag = (xmlChar *)
"Y";
5364 childNode2 = childNode2->next;
5369 if (standby_keys_flag == 0) {
5372 standby_keys_flag = 0;
5376 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ZSK")) {
5377 man_roll_flag = (xmlChar *)
"N";
5378 childNode2 = childNode->children;
5380 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
5385 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
5388 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
5390 printf(
"Please either add the repository to conf.xml or remove the reference to it from kasp.xml\n");
5392 xmlFreeDoc(pol_doc);
5393 xmlXPathFreeContext(xpathCtx);
5394 xmlRelaxNGFree(schema);
5395 xmlRelaxNGFreeValidCtxt(rngctx);
5396 xmlRelaxNGFreeParserCtxt(rngpctx);
5404 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Standby")) {
5406 standby_keys_flag = 1;
5408 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"ManualRollover")) {
5409 man_roll_flag = (xmlChar *)
"Y";
5411 childNode2 = childNode2->next;
5417 childNode = childNode->next;
5421 if (standby_keys_flag == 0) {
5424 standby_keys_flag = 0;
5429 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Zone")) {
5430 childNode = curNode->children;
5432 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PropagationDelay")) {
5435 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"SOA")) {
5436 childNode2 = childNode->children;
5438 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
5441 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Minimum")) {
5444 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Serial")) {
5447 childNode2 = childNode2->next;
5450 childNode = childNode->next;
5454 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Parent")) {
5455 childNode = curNode->children;
5457 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PropagationDelay")) {
5460 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"DS")) {
5461 childNode2 = childNode->children;
5463 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
5466 childNode2 = childNode2->next;
5469 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"SOA")) {
5470 childNode2 = childNode->children;
5472 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
5475 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Minimum")) {
5478 childNode2 = childNode2->next;
5481 childNode = childNode->next;
5485 curNode = curNode->next;
5496 xmlXPathFreeContext(xpathCtx);
5497 xmlRelaxNGFree(schema);
5498 xmlRelaxNGFreeValidCtxt(rngctx);
5499 xmlRelaxNGFreeParserCtxt(rngpctx);
5513 xmlDocPtr doc = NULL;
5514 xmlDocPtr rngdoc = NULL;
5517 xmlNode *childNode2;
5518 xmlXPathContextPtr xpathCtx = NULL;
5519 xmlXPathObjectPtr xpathObj = NULL;
5520 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
5521 xmlRelaxNGValidCtxtPtr rngctx = NULL;
5522 xmlRelaxNGPtr schema = NULL;
5524 char* zone_name = NULL;
5525 char* policy_name = NULL;
5526 char* current_policy = NULL;
5527 char* current_signconf = NULL;
5528 char* current_input = NULL;
5529 char* current_output = NULL;
5530 char* current_in_type = NULL;
5531 char* current_out_type = NULL;
5534 int file_zone_count = 0;
5535 int db_zone_count = 0;
5549 xmlChar *node_expr = (
unsigned char*)
"//Zone";
5550 const char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/zonelist.rng";
5553 doc = xmlParseFile(zone_list_filename);
5555 printf(
"Error: unable to parse file \"%s\"\n", zone_list_filename);
5560 rngdoc = xmlParseFile(rngfilename);
5561 if (rngdoc == NULL) {
5562 printf(
"Error: unable to parse file \"%s\"\n", rngfilename);
5567 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
5568 if (rngpctx == NULL) {
5569 printf(
"Error: unable to create XML RelaxNGs parser context\n");
5574 schema = xmlRelaxNGParse(rngpctx);
5575 if (schema == NULL) {
5576 printf(
"Error: unable to parse a schema definition resource\n");
5581 rngctx = xmlRelaxNGNewValidCtxt(schema);
5582 if (rngctx == NULL) {
5583 printf(
"Error: unable to create RelaxNGs validation context based on the schema\n");
5588 status = xmlRelaxNGValidateDoc(rngctx,doc);
5590 printf(
"Error validating file \"%s\"\n", zone_list_filename);
5595 xpathCtx = xmlXPathNewContext(doc);
5596 if(xpathCtx == NULL) {
5602 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
5603 if(xpathObj == NULL) {
5604 xmlXPathFreeContext(xpathCtx);
5609 if (xpathObj->nodesetval) {
5610 file_zone_count = xpathObj->nodesetval->nodeNr;
5612 printf(
"Error extracting zone count from %s\n", zone_list_filename);
5613 xmlXPathFreeContext(xpathCtx);
5619 zone_ids =
MemMalloc(file_zone_count *
sizeof(
int));
5621 if (xpathObj->nodesetval) {
5622 for (i = 0; i < file_zone_count; i++) {
5624 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
5625 zone_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
5626 if (strlen(zone_name) == 0) {
5628 printf(
"Error extracting zone name from %s\n", zone_list_filename);
5641 printf(
"Zone %s found; ", zone_name);
5644 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Policy")) {
5645 current_policy = (
char *) xmlNodeGetContent(curNode);
5647 printf(
"policy set to %s\n", current_policy);
5650 if (policy_name == NULL || strcmp(current_policy, policy_name) != 0) {
5652 StrAppend(&policy_name, current_policy);
5656 printf(
"ERROR, can't find policy %s.\n", policy_name);
5663 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"SignerConfiguration")) {
5664 current_signconf = (
char *) xmlNodeGetContent(curNode);
5667 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Adapters")) {
5668 childNode = curNode->children;
5671 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Input")) {
5672 childNode2 = childNode->children;
5674 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Adapter")) {
5675 current_input = (
char *) xmlNodeGetContent(childNode2);
5676 current_in_type = (
char *) xmlGetProp(childNode2, (
const xmlChar *)
"type");
5678 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"File")) {
5679 current_input = (
char *) xmlNodeGetContent(childNode2);
5680 current_in_type = (
char *) childNode2->name;
5682 childNode2 = childNode2->next;
5686 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Output")) {
5687 childNode2 = childNode->children;
5689 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Adapter")) {
5690 current_output = (
char *) xmlNodeGetContent(childNode2);
5691 current_out_type = (
char *) xmlGetProp(childNode2, (
const xmlChar *)
"type");
5693 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"File")) {
5694 current_output = (
char *) xmlNodeGetContent(childNode2);
5695 current_out_type = (
char *) childNode2->name;
5697 childNode2 = childNode2->next;
5700 childNode = childNode->next;
5703 curNode = curNode->next;
5709 status =
KsmImportZone(zone_name, policy_id, 0, &new_zone, current_signconf, current_input, current_output, current_in_type, current_out_type);
5712 printf(
"Error Importing zone %s; it already exists both with and without a trailing dot\n", zone_name);
5714 printf(
"Error Importing Zone %s\n", zone_name);
5720 if (new_zone == 1) {
5721 printf(
"Added zone %s to database\n", zone_name);
5727 printf(
"Error: unable to find a zone named \"%s\" in database\n", zone_name);
5728 printf(
"Error: Possibly two domains differ only by having a trailing dot or not?\n");
5734 zone_ids[i] = temp_id;
5742 xmlXPathFreeContext(xpathCtx);
5743 xmlRelaxNGFree(schema);
5744 xmlRelaxNGFreeValidCtxt(rngctx);
5745 xmlRelaxNGFreeParserCtxt(rngpctx);
5758 if (file_zone_count == db_zone_count) {
5763 else if (file_zone_count > db_zone_count) {
5764 printf(
"Failed to add all zones from zonelist\n");
5780 while (status == 0) {
5781 DbInt(row, 0, &temp_id);
5783 DbInt(row, 2, &policy_id);
5786 for (i = 0; i < db_zone_count; ++i) {
5787 if (temp_id == zone_ids[i]) {
5793 if (seen_zone == 0) {
5796 printf(
"Removing zone %s from database\n", zone_name);
5798 status =
KsmParameterInit(&result2,
"zones_share_keys",
"keys", policy_id);
5824 if ((shared.
value == 1 && temp_count == 1) || shared.
value == 0) {
5827 printf(
"Error: failed to mark keys as dead in database\n");
5862 int SetParamOnPolicy(
const xmlChar* new_value,
const char* name,
const char* category,
int current_value,
int policy_id,
int value_type)
5866 char* temp_char = (
char *)new_value;
5870 if (strlen(temp_char) != 0) {
5873 printf(
"Error: unable to convert interval %s to seconds, error: %i\n", temp_char, status);
5877 else if (status == -1) {
5878 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n", temp_char);
5887 if (strncmp(temp_char,
"Y", 1) == 0) {
5897 printf(
"Error: unable to find repository %s\n", temp_char);
5907 printf(
"Error: unable to find serial type %s\n", temp_char);
5917 printf(
"Error: unable to find rollover scheme %s\n", temp_char);
5926 printf(
"Error: unable to convert %s to int\n", temp_char);
5936 if (value != current_value || current_value == 0) {
5939 printf(
"Error: unable to insert/update %s for policy\n", name);
5940 printf(
"Error: Is your database schema up to date?\n");
5946 if (strncmp(name,
"saltlength", 10) == 0) {
5949 printf(
"Error: unable to insert/update %s for policy\n", name);
5950 printf(
"Error: Is your database schema up to date?\n");
5961 if (policy == NULL) {
5962 printf(
"Error, no policy provided");
5999 policy->
ksk->
sm = 0;
6011 policy->
zsk->
sm = 0;
6048 if((from = fopen( orig_file,
"rb"))==NULL) {
6049 if (errno == ENOENT) {
6050 printf(
"File %s does not exist, nothing to backup\n", orig_file);
6054 printf(
"Cannot open source file.\n");
6060 if((to = fopen(backup_file,
"wb"))==NULL) {
6061 printf(
"Cannot open destination file, will not make backup.\n");
6067 while(!feof(from)) {
6070 printf(
"Error reading source file.\n");
6075 if(!feof(from)) fputc(ch, to);
6077 printf(
"Error writing destination file.\n");
6084 if(fclose(from)==EOF) {
6085 printf(
"Error closing source file.\n");
6090 if(fclose(to)==EOF) {
6091 printf(
"Error closing destination file.\n");
6109 get_db_details(
char** dbschema,
char** host,
char** port,
char** user,
char** password)
6114 xmlXPathContextPtr xpathCtx;
6115 xmlXPathObjectPtr xpathObj;
6116 xmlRelaxNGParserCtxtPtr rngpctx;
6117 xmlRelaxNGValidCtxtPtr rngctx;
6118 xmlRelaxNGPtr schema;
6119 xmlChar *litexpr = (
unsigned char*)
"//Configuration/Enforcer/Datastore/SQLite";
6120 xmlChar *mysql_host = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Host";
6121 xmlChar *mysql_port = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Host/@port";
6122 xmlChar *mysql_db = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Database";
6123 xmlChar *mysql_user = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Username";
6124 xmlChar *mysql_pass = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Password";
6128 char* temp_char = NULL;
6131 const char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/conf.rng";
6134 doc = xmlParseFile(
config);
6136 printf(
"Error: unable to parse file \"%s\"\n",
config);
6141 rngdoc = xmlParseFile(rngfilename);
6142 if (rngdoc == NULL) {
6143 printf(
"Error: unable to parse file \"%s\"\n", rngfilename);
6149 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
6151 if (rngpctx == NULL) {
6152 printf(
"Error: unable to create XML RelaxNGs parser context\n");
6158 schema = xmlRelaxNGParse(rngpctx);
6159 xmlRelaxNGFreeParserCtxt(rngpctx);
6160 if (schema == NULL) {
6161 printf(
"Error: unable to parse a schema definition resource\n");
6167 rngctx = xmlRelaxNGNewValidCtxt(schema);
6168 if (rngctx == NULL) {
6169 printf(
"Error: unable to create RelaxNGs validation context based on the schema\n");
6170 xmlRelaxNGFree(schema);
6176 status = xmlRelaxNGValidateDoc(rngctx,doc);
6177 xmlRelaxNGFreeValidCtxt(rngctx);
6178 xmlRelaxNGFree(schema);
6180 printf(
"Error validating file \"%s\"\n",
config);
6187 xpathCtx = xmlXPathNewContext(doc);
6188 if(xpathCtx == NULL) {
6189 printf(
"Error: unable to create new XPath context\n");
6195 xpathObj = xmlXPathEvalExpression(litexpr, xpathCtx);
6196 if(xpathObj == NULL) {
6197 printf(
"Error: unable to evaluate xpath expression: %s\n", litexpr);
6198 xmlXPathFreeContext(xpathCtx);
6202 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
6204 temp_char = (
char *)xmlXPathCastToString(xpathObj);
6208 fprintf(stderr,
"SQLite database set to: %s\n", *dbschema);
6211 xmlXPathFreeObject(xpathObj);
6213 if (db_found == 0) {
6218 xpathObj = xmlXPathEvalExpression(mysql_host, xpathCtx);
6219 if(xpathObj == NULL) {
6220 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_host);
6221 xmlXPathFreeContext(xpathCtx);
6225 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
6226 temp_char = (
char *)xmlXPathCastToString(xpathObj);
6230 fprintf(stderr,
"MySQL database host set to: %s\n", *host);
6233 xmlXPathFreeObject(xpathObj);
6236 xpathObj = xmlXPathEvalExpression(mysql_port, xpathCtx);
6237 if(xpathObj == NULL) {
6238 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_port);
6239 xmlXPathFreeContext(xpathCtx);
6243 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
6244 temp_char = (
char *)xmlXPathCastToString(xpathObj);
6248 fprintf(stderr,
"MySQL database port set to: %s\n", *port);
6251 xmlXPathFreeObject(xpathObj);
6254 xpathObj = xmlXPathEvalExpression(mysql_db, xpathCtx);
6255 if(xpathObj == NULL) {
6256 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_db);
6257 xmlXPathFreeContext(xpathCtx);
6261 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
6262 temp_char = (
char *)xmlXPathCastToString(xpathObj);
6266 fprintf(stderr,
"MySQL database schema set to: %s\n", *dbschema);
6271 xmlXPathFreeObject(xpathObj);
6274 xpathObj = xmlXPathEvalExpression(mysql_user, xpathCtx);
6275 if(xpathObj == NULL) {
6276 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_user);
6277 xmlXPathFreeContext(xpathCtx);
6281 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
6282 temp_char = (
char *)xmlXPathCastToString(xpathObj);
6286 fprintf(stderr,
"MySQL database user set to: %s\n", *user);
6291 xmlXPathFreeObject(xpathObj);
6294 xpathObj = xmlXPathEvalExpression(mysql_pass, xpathCtx);
6295 if(xpathObj == NULL) {
6296 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_pass);
6297 xmlXPathFreeContext(xpathCtx);
6302 temp_char = (
char *)xmlXPathCastToString(xpathObj);
6305 xmlXPathFreeObject(xpathObj);
6308 fprintf(stderr,
"MySQL database password set\n");
6313 xmlXPathFreeContext(xpathCtx);
6318 printf(
"Error: unable to find complete database connection expression\n");
6324 printf(
"Error: Config file %s specifies database type %s but system is compiled to use %s\n",
config, (db_found==1) ?
"MySQL" :
"sqlite3", (db_found==2) ?
"MySQL" :
"sqlite3");
6338 xmlTextReaderPtr reader = NULL;
6339 xmlDocPtr doc = NULL;
6340 xmlXPathContextPtr xpathCtx = NULL;
6341 xmlXPathObjectPtr xpathObj = NULL;
6343 char* temp_char = NULL;
6344 char* tag_name = NULL;
6346 xmlChar *zonelist_expr = (
unsigned char*)
"//Common/ZoneListFile";
6349 reader = xmlNewTextReaderFilename(
config);
6350 if (reader != NULL) {
6351 ret = xmlTextReaderRead(reader);
6353 tag_name = (
char*) xmlTextReaderLocalName(reader);
6355 if (strncmp(tag_name,
"Common", 6) == 0
6356 && xmlTextReaderNodeType(reader) == 1) {
6359 xmlTextReaderExpand(reader);
6360 doc = xmlTextReaderCurrentDoc(reader);
6362 printf(
"Error: can not read Common section\n");
6364 ret = xmlTextReaderRead(reader);
6368 xpathCtx = xmlXPathNewContext(doc);
6369 if(xpathCtx == NULL) {
6370 printf(
"Error: can not create XPath context for Common section\n");
6372 ret = xmlTextReaderRead(reader);
6377 xpathObj = xmlXPathEvalExpression(zonelist_expr, xpathCtx);
6378 if(xpathObj == NULL) {
6379 printf(
"Error: unable to evaluate xpath expression: %s\n", zonelist_expr);
6381 ret = xmlTextReaderRead(reader);
6384 *zone_list_filename = NULL;
6385 temp_char = (
char *)xmlXPathCastToString(xpathObj);
6386 xmlXPathFreeObject(xpathObj);
6387 StrAppend(zone_list_filename, temp_char);
6389 printf(
"zonelist filename set to %s.\n", *zone_list_filename);
6392 ret = xmlTextReaderRead(reader);
6395 xmlFreeTextReader(reader);
6397 printf(
"%s : failed to parse\n",
config);
6401 printf(
"Unable to open %s\n",
config);
6405 xmlXPathFreeContext(xpathCtx);
6415 const char *zone_name,
6416 const char *policy_name,
6417 const char *sig_conf_name,
6418 const char *input_name,
6419 const char *output_name,
6420 const char *input_type,
6421 const char *output_type)
6425 xmlNodePtr newzonenode;
6426 xmlNodePtr newadaptnode;
6427 xmlNodePtr newinputnode;
6428 xmlNodePtr newinadnode;
6429 xmlNodePtr newoutputnode;
6430 xmlNodePtr newoutadnode;
6431 doc = xmlParseFile(docname);
6433 fprintf(stderr,
"Document not parsed successfully. \n");
6436 cur = xmlDocGetRootElement(doc);
6438 fprintf(stderr,
"empty document\n");
6442 if (xmlStrcmp(cur->name, (
const xmlChar *)
"ZoneList")) {
6443 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
6447 newzonenode = xmlNewTextChild(cur, NULL, (
const xmlChar *)
"Zone", NULL);
6448 (void) xmlNewProp(newzonenode, (
const xmlChar *)
"name", (
const xmlChar *)zone_name);
6450 (void) xmlNewTextChild (newzonenode, NULL, (
const xmlChar *)
"Policy", (
const xmlChar *)policy_name);
6452 (void) xmlNewTextChild (newzonenode, NULL, (
const xmlChar *)
"SignerConfiguration", (
const xmlChar *)sig_conf_name);
6454 newadaptnode = xmlNewChild (newzonenode, NULL, (
const xmlChar *)
"Adapters", NULL);
6456 newinputnode = xmlNewChild (newadaptnode, NULL, (
const xmlChar *)
"Input", NULL);
6458 newinadnode = xmlNewTextChild (newinputnode, NULL, (
const xmlChar *)
"Adapter", (
const xmlChar *)input_name);
6459 (void) xmlNewProp(newinadnode, (
const xmlChar *)
"type", (
const xmlChar *)input_type);
6461 newoutputnode = xmlNewChild (newadaptnode, NULL, (
const xmlChar *)
"Output", NULL);
6463 newoutadnode = xmlNewTextChild (newoutputnode, NULL, (
const xmlChar *)
"Adapter", (
const xmlChar *)output_name);
6464 (void) xmlNewProp(newoutadnode, (
const xmlChar *)
"type", (
const xmlChar *)output_type);
6470 const char *zone_name)
6476 doc = xmlParseFile(docname);
6478 fprintf(stderr,
"Document not parsed successfully. \n");
6481 root = xmlDocGetRootElement(doc);
6483 fprintf(stderr,
"empty document\n");
6487 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
6488 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
6494 if (all_flag == 1) {
6495 cur = root->children;
6501 cur = root->children;
6507 for(cur = root->children; cur != NULL; cur = cur->next)
6510 if (xmlStrcmp( xmlGetProp(cur, (xmlChar *)
"name"), (
const xmlChar *) zone_name) == 0)
6514 cur = root->children;
6529 xmlChar *polChar = NULL;
6530 xmlChar *propChar = NULL;
6536 doc = xmlParseFile(docname);
6538 fprintf(stderr,
"Document not parsed successfully. \n");
6541 root = xmlDocGetRootElement(doc);
6543 fprintf(stderr,
"empty document\n");
6547 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
6548 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
6554 for(cur = root->children; cur != NULL; cur = cur->next)
6556 if (xmlStrcmp( cur->name, (
const xmlChar *)
"Zone") == 0) {
6557 propChar = xmlGetProp(cur, (xmlChar *)
"name");
6558 printf(
"Found Zone: %s", propChar);
6564 printf(
" (zone not in database)");
6567 zone_ids[i] = temp_id;
6572 for(pol = cur->children; pol != NULL; pol = pol->next)
6574 if (xmlStrcmp( pol->name, (
const xmlChar *)
"Policy") == 0)
6576 polChar = xmlNodeGetContent(pol);
6577 printf(
"; on policy %s\n", polChar);
6596 xmlNodePtr policy_node;
6597 xmlNodePtr signatures_node;
6598 xmlNodePtr validity_node;
6599 xmlNodePtr denial_node;
6600 xmlNodePtr nsec_node;
6601 xmlNodePtr hash_node;
6602 xmlNodePtr salt_node;
6603 xmlNodePtr keys_node;
6604 xmlNodePtr ksk_node;
6605 xmlNodePtr ksk_alg_node;
6606 xmlNodePtr zsk_node;
6607 xmlNodePtr zsk_alg_node;
6608 xmlNodePtr zone_node;
6609 xmlNodePtr zone_soa_node;
6610 xmlNodePtr parent_node;
6611 xmlNodePtr parent_ds_node;
6612 xmlNodePtr parent_soa_node;
6616 root = xmlDocGetRootElement(doc);
6618 fprintf(stderr,
"empty document\n");
6621 if (xmlStrcmp(root->name, (
const xmlChar *)
"KASP")) {
6622 fprintf(stderr,
"document of the wrong type, root node != %s",
"KASP");
6626 policy_node = xmlNewTextChild(root, NULL, (
const xmlChar *)
"Policy", NULL);
6627 (void) xmlNewProp(policy_node, (
const xmlChar *)
"name", (
const xmlChar *)policy->
name);
6628 (void) xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Description", (
const xmlChar *)policy->
description);
6631 signatures_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Signatures", NULL);
6633 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Resign", (
const xmlChar *)temp_time);
6635 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Refresh", (
const xmlChar *)temp_time);
6636 validity_node = xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Validity", NULL);
6638 (void) xmlNewTextChild(validity_node, NULL, (
const xmlChar *)
"Default", (
const xmlChar *)temp_time);
6640 (void) xmlNewTextChild(validity_node, NULL, (
const xmlChar *)
"Denial", (
const xmlChar *)temp_time);
6641 snprintf(temp_time, 32,
"PT%dS", policy->
signer->
jitter);
6642 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Jitter", (
const xmlChar *)temp_time);
6644 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"InceptionOffset", (
const xmlChar *)temp_time);
6647 denial_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Denial", NULL);
6650 (void) xmlNewTextChild(denial_node, NULL, (
const xmlChar *)
"NSEC", NULL);
6654 nsec_node = xmlNewTextChild(denial_node, NULL, (
const xmlChar *)
"NSEC3", NULL);
6656 snprintf(temp_time, 32,
"PT%dS", policy->
denial->
ttl);
6657 (void) xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6661 (void) xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"OptOut", NULL);
6663 snprintf(temp_time, 32,
"PT%dS", policy->
denial->
resalt);
6664 (void) xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"Resalt", (
const xmlChar *)temp_time);
6665 hash_node = xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"Hash", NULL);
6667 (void) xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
6669 (void) xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Iterations", (
const xmlChar *)temp_time);
6671 salt_node = xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Salt", NULL);
6672 (void) xmlNewProp(salt_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
6676 keys_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Keys", NULL);
6677 snprintf(temp_time, 32,
"PT%dS", policy->
keys->
ttl);
6678 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6680 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"RetireSafety", (
const xmlChar *)temp_time);
6682 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"PublishSafety", (
const xmlChar *)temp_time);
6685 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"ShareKeys", NULL);
6688 snprintf(temp_time, 32,
"PT%dS", policy->
keys->
purge);
6689 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"Purge", (
const xmlChar *)temp_time);
6693 ksk_node = xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"KSK", NULL);
6695 ksk_alg_node = xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
6696 snprintf(temp_time, 32,
"%d", policy->
ksk->
bits);
6697 (void) xmlNewProp(ksk_alg_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
6698 snprintf(temp_time, 32,
"PT%dS", policy->
ksk->
lifetime);
6699 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Lifetime", (
const xmlChar *)temp_time);
6700 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Repository", (
const xmlChar *)policy->
ksk->
sm_name);
6702 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Standby", (
const xmlChar *)temp_time);
6705 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"ManualRollover", NULL);
6709 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"RFC5011", NULL);
6717 zsk_node = xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"ZSK", NULL);
6719 zsk_alg_node = xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
6720 snprintf(temp_time, 32,
"%d", policy->
zsk->
bits);
6721 (void) xmlNewProp(zsk_alg_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
6722 snprintf(temp_time, 32,
"PT%dS", policy->
zsk->
lifetime);
6723 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Lifetime", (
const xmlChar *)temp_time);
6724 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Repository", (
const xmlChar *)policy->
zsk->
sm_name);
6726 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Standby", (
const xmlChar *)temp_time);
6729 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"ManualRollover", NULL);
6733 zone_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Zone", NULL);
6735 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"PropagationDelay", (
const xmlChar *)temp_time);
6736 zone_soa_node = xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"SOA", NULL);
6737 snprintf(temp_time, 32,
"PT%dS", policy->
zone->
soa_ttl);
6738 (void) xmlNewTextChild(zone_soa_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6739 snprintf(temp_time, 32,
"PT%dS", policy->
zone->
soa_min);
6740 (void) xmlNewTextChild(zone_soa_node, NULL, (
const xmlChar *)
"Minimum", (
const xmlChar *)temp_time);
6744 parent_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Parent", NULL);
6746 (void) xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"PropagationDelay", (
const xmlChar *)temp_time);
6747 parent_ds_node = xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"DS", NULL);
6748 snprintf(temp_time, 32,
"PT%dS", policy->
parent->
ds_ttl);
6749 (void) xmlNewTextChild(parent_ds_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6750 parent_soa_node = xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"SOA", NULL);
6752 (void) xmlNewTextChild(parent_soa_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6754 (void) xmlNewTextChild(parent_soa_node, NULL, (
const xmlChar *)
"Minimum", (
const xmlChar *)temp_time);
6763 const char *policy_name)
6769 doc = xmlParseFile(docname);
6771 fprintf(stderr,
"Document not parsed successfully. \n");
6774 root = xmlDocGetRootElement(doc);
6776 fprintf(stderr,
"empty document\n");
6780 if (xmlStrcmp(root->name, (
const xmlChar *)
"KASP")) {
6781 fprintf(stderr,
"document of the wrong type, root node != %s",
"KASP");
6788 for(cur = root->children; cur != NULL; cur = cur->next)
6791 if (xmlStrcmp( xmlGetProp(cur, (xmlChar *)
"name"), (
const xmlChar *) policy_name) == 0)
6795 cur = root->children;
6811 fprintf(stdout,
"KSK:");
6815 fprintf(stdout,
"ZSK:");
6817 fprintf(stdout,
" %s Retired\n", key_data->
location);
6829 fprintf(stderr,
"%s\n", format);
6856 char* temp_zone = NULL;
6859 char* temp_publish = NULL;
6860 char* temp_ready = NULL;
6861 char* temp_active = NULL;
6862 char* temp_retire = NULL;
6863 char* temp_dead = NULL;
6864 char* temp_loc = NULL;
6865 char* temp_hsm = NULL;
6868 int temp_rfc5011 = 0;
6869 int temp_revoked = 0;
6871 bool bool_temp_zone =
false;
6874 char *case_keystate = NULL;
6875 char *case_keytype = NULL;
6878 hsm_key_t *key = NULL;
6879 ldns_rr *dnskey_rr = NULL;
6880 hsm_sign_params_t *sign_params = NULL;
6885 status = hsm_open(
config, hsm_prompt_pin);
6886 ctx = hsm_create_context();
6888 hsm_print_error(NULL);
6895 printf(
"Error: --keystate and --all option cannot be given together\n");
6900 StrAppend(&sql,
"select z.name, k.keytype, k.state, k.ready, k.active, k.retire, k.dead, k.location, s.name, k.algorithm, k.size, k.publish, k.rfc5011, k.revoked from securitymodules s, KEYDATA_VIEW k left join zones z on k.zone_id = z.id where s.id = k.securitymodule_id ");
6901 if (zone_id != -1) {
6911 if (strncmp(case_keystate,
"GENERATE", 8) == 0 || strncmp(
o_keystate,
"1", 1) == 0) {
6914 else if (strncmp(case_keystate,
"KEYPUBLISH", 10) == 0 || strncmp(
o_keystate,
"10", 2) == 0) {
6917 else if (strncmp(case_keystate,
"PUBLISH", 7) == 0 || strncmp(
o_keystate,
"2", 1) == 0) {
6920 else if (strncmp(case_keystate,
"READY", 5) == 0 || strncmp(
o_keystate,
"3", 1) == 0) {
6923 else if (strncmp(case_keystate,
"ACTIVE", 6) == 0 || strncmp(
o_keystate,
"4", 1) == 0) {
6926 else if (strncmp(case_keystate,
"RETIRE", 6) == 0 || strncmp(
o_keystate,
"5", 1) == 0) {
6929 else if (strncmp(case_keystate,
"DEAD", 4) == 0 || strncmp(
o_keystate,
"6", 1) == 0) {
6932 else if (strncmp(case_keystate,
"DSSUB", 5) == 0 || strncmp(
o_keystate,
"7", 1) == 0) {
6935 else if (strncmp(case_keystate,
"DSPUBLISH", 9) == 0 || strncmp(
o_keystate,
"8", 1) == 0) {
6938 else if (strncmp(case_keystate,
"DSREADY", 7) == 0 || strncmp(
o_keystate,
"9", 1) == 0) {
6942 printf(
"Error: Unrecognised state %s; should be one of GENERATE, PUBLISH, READY, ACTIVE, RETIRE, DEAD, DSSUB, DSPUBLISH, DSREADY or KEYPUBLISH\n",
o_keystate);
6948 if (state_id != -1){
6967 if (strncmp(case_keytype,
"KSK", 3) == 0 || strncmp(
o_keytype,
"257", 3) == 0) {
6970 else if (strncmp(case_keytype,
"ZSK", 3) == 0 || strncmp(
o_keytype,
"256", 3) == 0) {
6974 printf(
"Error: Unrecognised keytype %s; should be one of KSK or ZSK\n",
o_keytype);
6989 if (verbose_flag == 1) {
6990 printf(
"Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:\n");
6993 printf(
"Zone: Keytype: State: Date of next transition:\n");
6995 while (status == 0) {
6998 DbInt(row, 1, &temp_type);
6999 DbInt(row, 2, &temp_state);
7006 DbInt(row, 9, &temp_alg);
7007 DbInt(row, 10, &temp_size);
7009 DbInt(row, 12, &temp_rfc5011);
7010 DbInt(row, 13, &temp_revoked);
7011 if (temp_zone == NULL){
7012 bool_temp_zone =
true;
7013 temp_zone =
"NOT ALLOCATED";
7015 bool_temp_zone =
false;
7021 printf(
"%-31s %-13s %-9s %-20s", temp_zone,
"",
"generate",
"(not scheduled)");
7023 printf(
"(publish) ");
7030 printf(
"%-31s %-13s %-9s %-20s", temp_zone, (temp_type ==
KSM_TYPE_KSK) ?
"KSK" :
"ZSK",
KsmKeywordStateValueToName(temp_state), (temp_publish== NULL) ?
"(not scheduled)" : temp_publish);
7032 printf(
"(publish) ");
7040 if (!temp_rfc5011) {
7043 printf(
"(active) ");
7051 printf(
"(active) ");
7056 printf(
"%-31s %-13s %-9s %-20s", temp_zone, (temp_type ==
KSM_TYPE_KSK) ?
"KSK" :
"ZSK",
KsmKeywordStateValueToName(temp_state), (temp_retire == NULL) ?
"(not scheduled)" : temp_retire);
7058 printf(
"(retire) ");
7064 printf(
"%-31s %-13s %-9s %-20s", temp_zone, (temp_type ==
KSM_TYPE_KSK) ?
"KSK" :
"ZSK", state, (temp_dead == NULL) ?
"(not scheduled)" : temp_dead);
7074 printf(
"(deleted) ");
7087 printf(
"%-31s %-13s %-9s %-20s", temp_zone,
"KSK",
KsmKeywordStateValueToName(temp_state), (temp_ready == NULL) ?
"(not scheduled)" : temp_ready);
7089 printf(
"(dsready) ");
7096 printf(
"(keypub) ");
7101 printf(
"%-31s %-13s %-9s %-20s", temp_zone,
"KSK",
KsmKeywordStateValueToName(temp_state), (temp_active == NULL) ?
"(not scheduled)" : temp_active);
7103 printf(
"(active) ");
7108 if (done_row == 1 && verbose_flag == 1) {
7109 printf(
"%-7d %-12d", temp_size, temp_alg);
7110 key = hsm_find_key_by_id(ctx, temp_loc);
7112 printf(
"%-33s %s NOT IN repository\n", temp_loc, temp_hsm);
7113 }
else if (bool_temp_zone ==
true){
7114 printf(
"%-33s %s\n",temp_loc,temp_hsm);
7116 sign_params = hsm_sign_params_new();
7117 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, temp_zone);
7118 sign_params->algorithm = temp_alg;
7119 sign_params->flags = LDNS_KEY_ZONE_KEY;
7121 sign_params->flags += LDNS_KEY_SEP_KEY;
7122 if (temp_revoked) sign_params->flags |= 1<<7;
7124 dnskey_rr = hsm_get_dnskey(ctx, key, sign_params);
7125 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
7127 printf(
"%-33s %-33s %d\n", temp_loc, temp_hsm, sign_params->keytag);
7129 hsm_sign_params_free(sign_params);
7133 else if (done_row == 1) {
7151 if (bool_temp_zone ==
false){
7161 if (dnskey_rr != NULL) {
7162 ldns_rr_free(dnskey_rr);
7166 hsm_destroy_context(ctx);
7205 char* temp_loc = NULL;
7208 int done_something = 0;
7211 hsm_key_t *key = NULL;
7214 if ((zone_id == -1 && policy_id == -1) ||
7215 (zone_id != -1 && policy_id != -1)){
7216 printf(
"Please provide either a zone OR a policy to key purge\n");
7222 status = hsm_open(
config, hsm_prompt_pin);
7224 hsm_print_error(NULL);
7227 ctx = hsm_create_context();
7230 StrAppend(&sql,
"select distinct id, location from KEYDATA_VIEW where state = 6 ");
7231 if (zone_id != -1) {
7236 if (policy_id != -1) {
7247 while (status == 0) {
7249 DbInt(row, 0, &temp_id);
7265 hsm_destroy_context(ctx);
7288 hsm_destroy_context(ctx);
7306 hsm_destroy_context(ctx);
7312 key = hsm_find_key_by_id(ctx, temp_loc);
7315 printf(
"Key not found: %s\n", temp_loc);
7319 hsm_destroy_context(ctx);
7324 status = hsm_remove_key(ctx, key);
7329 printf(
"Key remove successful: %s\n", temp_loc);
7331 printf(
"Key remove failed: %s\n", temp_loc);
7335 hsm_destroy_context(ctx);
7354 if (done_something == 0) {
7355 printf(
"No keys to purge.\n");
7363 hsm_destroy_context(ctx);
7381 hsm_key_t *key = NULL;
7382 char *hsm_error_message = NULL;
7384 int ksks_needed = 0;
7385 int zsks_needed = 0;
7386 int ksks_in_queue = 0;
7387 int zsks_in_queue = 0;
7390 unsigned int current_count = 0;
7396 int ksks_created = 0;
7400 FILE* lock_fd = NULL;
7408 printf(
"Failed to connect to database\n");
7414 if (policy == NULL) {
7415 printf(
"Malloc for policy struct failed\n");
7421 printf(
"Please provide a policy name with the --policy option\n");
7427 printf(
"Please provide an interval with the --interval option\n");
7440 printf(
"Error: unable to read policy %s from database\n",
o_policy);
7446 printf(
"Error: policy %s doesn't exist in database\n",
o_policy);
7453 printf(
"Key sharing is On\n");
7455 printf(
"Key sharing is Off\n");
7460 printf(
"Error: unable to convert Interval %s to seconds, error: ",
o_interval);
7463 printf(
"invalid interval-type.\n");
7466 printf(
"unable to translate string.\n");
7469 printf(
"interval too long to be an int. E.g. Maximum is ~68 years on a system with 32-bit integers.\n");
7472 printf(
"invalid pointers or text string NULL.\n");
7475 printf(
"unknown\n");
7481 else if (status == -1) {
7482 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n",
o_interval);
7486 status = hsm_open(
config, hsm_prompt_pin);
7488 hsm_error_message = hsm_get_error(NULL);
7489 if (hsm_error_message) {
7490 printf(
"%s\n", hsm_error_message);
7491 free(hsm_error_message);
7497 printf(
"hsm_open() result: HSM error\n");
7499 case HSM_PIN_INCORRECT:
7500 printf(
"hsm_open() result: incorrect PIN\n");
7502 case HSM_CONFIG_FILE_ERROR:
7503 printf(
"hsm_open() result: config file error\n");
7505 case HSM_REPOSITORY_NOT_FOUND:
7506 printf(
"hsm_open() result: repository not found\n");
7508 case HSM_NO_REPOSITORIES:
7509 printf(
"hsm_open() result: no repositories\n");
7512 printf(
"hsm_open() result: %d", status);
7519 printf(
"HSM opened successfully.\n");
7520 ctx = hsm_create_context();
7525 if (rightnow == NULL) {
7526 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
7529 hsm_destroy_context(ctx);
7548 printf(
"Could not count zones on policy %s\n", policy->
name);
7550 hsm_destroy_context(ctx);
7555 printf(
"Info: %d zone(s) found on policy \"%s\"\n", zone_count, policy->
name);
7564 printf(
"Error: Unable to convert zonetotal \"%s\"; to an integer\n",
o_zonetotal);
7567 hsm_destroy_context(ctx);
7572 printf(
"Error: zonetotal \"%s\"; should be numeric only\n",
o_zonetotal);
7575 hsm_destroy_context(ctx);
7580 if (zone_count < 1) {
7581 printf(
"Error: zonetotal parameter value of %d is invalid - the value must be greater than 0\n", zone_count);
7584 hsm_destroy_context(ctx);
7588 printf(
"Info: Keys will actually be generated for a total of %d zone(s) as specified by zone total parameter\n", zone_count);
7592 if (zone_count == 0) {
7593 printf(
"No zones on policy %s, skipping...\n", policy->
name);
7595 hsm_destroy_context(ctx);
7605 printf(
"Could not predict ksk requirement for next interval for %s\n", policy->
name);
7606 hsm_destroy_context(ctx);
7615 printf(
"Could not count current ksk numbers for policy %s\n", policy->
name);
7616 hsm_destroy_context(ctx);
7624 new_ksks = ksks_needed - ksks_in_queue;
7625 printf(
"%d new KSK(s) (%d bits) need to be created for policy %s: keys_to_generate(%d) = keys_needed(%d) - keys_available(%d).\n", new_ksks, policy->
ksk->
bits, policy->
name, new_ksks, ksks_needed, ksks_in_queue);
7631 printf(
"Could not predict zsk requirement for next interval for %s\n", policy->
name);
7632 hsm_destroy_context(ctx);
7641 printf(
"Could not count current zsk numbers for policy %s\n", policy->
name);
7642 hsm_destroy_context(ctx);
7653 if (new_ksks >= 0) {
7658 zsks_in_queue -= ksks_needed;
7662 new_zsks = zsks_needed - zsks_in_queue;
7663 printf(
"%d new ZSK(s) (%d bits) need to be created for policy %s: keys_to_generate(%d) = keys_needed(%d) - keys_available(%d).\n", new_zsks, policy->
zsk->
bits, policy->
name, new_zsks, zsks_needed, zsks_in_queue);
7669 if (policy->
ksk->
sm_capacity != 0 && (new_ksks + new_zsks) > 0) {
7670 current_count = hsm_count_keys_repository(ctx, policy->
ksk->
sm_name);
7672 printf(
"Repository %s is full, cannot create more keys for policy %s\n", policy->
ksk->
sm_name, policy->
name);
7676 printf(
"Repository %s is nearly full, will create %lu KSKs for policy %s (reduced from %d)\n", policy->
ksk->
sm_name, policy->
ksk->
sm_capacity - current_count, policy->
name, new_ksks);
7679 else if (current_count + new_ksks + new_zsks > policy->
ksk->
sm_capacity) {
7680 printf(
"Repository %s is nearly full, will create %lu ZSKs for policy %s (reduced from %d)\n", policy->
ksk->
sm_name, policy->
ksk->
sm_capacity - current_count, policy->
name, new_ksks);
7689 current_count = hsm_count_keys_repository(ctx, policy->
ksk->
sm_name);
7691 printf(
"Repository %s is full, cannot create more KSKs for policy %s\n", policy->
ksk->
sm_name, policy->
name);
7695 printf(
"Repository %s is nearly full, will create %lu KSKs for policy %s (reduced from %d)\n", policy->
ksk->
sm_name, policy->
ksk->
sm_capacity - current_count, policy->
name, new_ksks);
7702 current_count = hsm_count_keys_repository(ctx, policy->
zsk->
sm_name);
7704 printf(
"Repository %s is full, cannot create more ZSKs for policy %s\n", policy->
zsk->
sm_name, policy->
name);
7708 printf(
"Repository %s is nearly full, will create %lu ZSKs for policy %s (reduced from %d)\n", policy->
zsk->
sm_name, policy->
zsk->
sm_capacity - current_count, policy->
name, new_zsks);
7715 if (new_ksks <= 0 && new_zsks <= 0) {
7716 printf(
"No keys need to be created, quitting...\n");
7718 hsm_destroy_context(ctx);
7720 printf(
"all done!\n");
7727 if (!auto_accept_flag) {
7728 printf(
"*WARNING* This will create %d KSKs (%d bits) and %d ZSKs (%d bits)\nAre you sure? [y/N] \n", new_ksks >= 0 ? new_ksks : 0, policy->
ksk->
bits, new_zsks >= 0 ? new_zsks : 0, policy->
zsk->
bits);
7730 user_certain = getchar();
7731 if (user_certain !=
'y' && user_certain !=
'Y') {
7732 printf(
"Okay, quitting...\n");
7734 hsm_destroy_context(ctx);
7736 printf(
"all done!\n");
7744 for (i=new_ksks ; i > 0 ; i--){
7745 if (hsm_supported_algorithm(policy->
ksk->
algorithm) == 0) {
7750 printf(
"Created key in repository %s\n", policy->
ksk->
sm_name);
7753 printf(
"Error creating key in repository %s\n", policy->
ksk->
sm_name);
7754 hsm_error_message = hsm_get_error(ctx);
7755 if (hsm_error_message) {
7756 printf(
"%s\n", hsm_error_message);
7757 free(hsm_error_message);
7761 hsm_destroy_context(ctx);
7765 id = hsm_get_key_id(ctx, key);
7769 printf(
"Error creating key in Database\n");
7770 hsm_error_message = hsm_get_error(ctx);
7771 if (hsm_error_message) {
7772 printf(
"%s\n", hsm_error_message);
7773 free(hsm_error_message);
7777 hsm_destroy_context(ctx);
7781 printf(
"Created KSK size: %i, alg: %i with id: %s in repository: %s and database.\n", policy->
ksk->
bits,
7785 printf(
"Key algorithm %d unsupported by libhsm.\n", policy->
ksk->
algorithm);
7788 hsm_destroy_context(ctx);
7793 ksks_created = new_ksks;
7796 for (i = new_zsks ; i > 0 ; i--) {
7797 if (hsm_supported_algorithm(policy->
zsk->
algorithm) == 0) {
7802 printf(
"Created key in repository %s\n", policy->
zsk->
sm_name);
7805 printf(
"Error creating key in repository %s\n", policy->
zsk->
sm_name);
7806 hsm_error_message = hsm_get_error(ctx);
7807 if (hsm_error_message) {
7808 printf(
"%s\n", hsm_error_message);
7809 free(hsm_error_message);
7813 hsm_destroy_context(ctx);
7817 id = hsm_get_key_id(ctx, key);
7821 printf(
"Error creating key in Database\n");
7822 hsm_error_message = hsm_get_error(ctx);
7823 if (hsm_error_message) {
7824 printf(
"%s\n", hsm_error_message);
7825 free(hsm_error_message);
7829 hsm_destroy_context(ctx);
7833 printf(
"Created ZSK size: %i, alg: %i with id: %s in repository: %s and database.\n", policy->
zsk->
bits,
7837 printf(
"Key algorithm %d unsupported by libhsm.\n", policy->
zsk->
algorithm);
7840 hsm_destroy_context(ctx);
7849 printf(
"NOTE: keys generated in repository %s will not become active until they have been backed up\n", policy->
ksk->
sm_name);
7852 printf(
"NOTE: keys generated in repository %s will not become active until they have been backed up\n", policy->
zsk->
sm_name);
7858 hsm_destroy_context(ctx);
7860 printf(
"all done!\n");
7875 int keypair_id = -1;
7879 FILE* lock_fd = NULL;
7884 hsm_key_t *key = NULL;
7889 printf(
"Please provide a CKA_ID for the key to delete\n");
7897 printf(
"Failed to connect to database\n");
7905 if (status != 0 || key_state == -1) {
7906 printf(
"Failed to determine the state of the key\n");
7913 if (force_flag == 1) {
7914 printf(
"*WARNING* This will delete a key that the enforcer believes is in use; are you really sure? [y/N] ");
7916 user_certain = getchar();
7917 if (user_certain !=
'y' && user_certain !=
'Y') {
7918 printf(
"Okay, quitting...\n");
7923 printf(
"The enforcer believes that this key is in use, quitting...\n");
7956 if (hsm_flag == 1) {
7958 status = hsm_open(
config, hsm_prompt_pin);
7960 hsm_print_error(NULL);
7963 ctx = hsm_create_context();
7966 key = hsm_find_key_by_id(ctx,
o_cka_id);
7969 printf(
"Key not found in HSM: %s\n",
o_cka_id);
7970 hsm_destroy_context(ctx);
7975 status = hsm_remove_key(ctx, key);
7978 hsm_destroy_context(ctx);
7983 printf(
"Key delete successful: %s\n",
o_cka_id);
7985 printf(
"Key delete failed: %s\n",
o_cka_id);
7996 struct stat stat_ret;
8000 xmlDocPtr doc = NULL;
8001 xmlDocPtr rngdoc = NULL;
8002 xmlXPathContextPtr xpathCtx = NULL;
8003 xmlXPathObjectPtr xpathObj = NULL;
8004 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
8005 xmlRelaxNGValidCtxtPtr rngctx = NULL;
8006 xmlRelaxNGPtr schema = NULL;
8007 xmlChar *user_expr = (
unsigned char*)
"//Configuration/Enforcer/Privileges/User";
8008 xmlChar *group_expr = (
unsigned char*)
"//Configuration/Enforcer/Privileges/Group";
8010 char* filename = OPENDNSSEC_CONFIG_FILE;
8011 char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/conf.rng";
8012 char* temp_char = NULL;
8019 char *username = NULL;
8020 char *groupname = NULL;
8022 printf(
"fixing permissions on file %s\n", dbschema);
8024 if (geteuid() != 0) {
8029 if (stat(dbschema, &stat_ret) != 0) {
8030 printf(
"cannot stat file %s: %s", dbschema, strerror(errno));
8036 doc = xmlParseFile(filename);
8038 printf(
"Error: unable to parse file \"%s\"", filename);
8043 rngdoc = xmlParseFile(rngfilename);
8044 if (rngdoc == NULL) {
8045 printf(
"Error: unable to parse file \"%s\"", rngfilename);
8050 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
8051 if (rngpctx == NULL) {
8052 printf(
"Error: unable to create XML RelaxNGs parser context");
8057 schema = xmlRelaxNGParse(rngpctx);
8058 if (schema == NULL) {
8059 printf(
"Error: unable to parse a schema definition resource");
8064 rngctx = xmlRelaxNGNewValidCtxt(schema);
8065 if (rngctx == NULL) {
8066 printf(
"Error: unable to create RelaxNGs validation context based on the schema");
8071 status = xmlRelaxNGValidateDoc(rngctx,doc);
8073 printf(
"Error validating file \"%s\"", filename);
8079 xpathCtx = xmlXPathNewContext(doc);
8080 if(xpathCtx == NULL) {
8081 printf(
"Error: unable to create new XPath context");
8087 xpathObj = xmlXPathEvalExpression(group_expr, xpathCtx);
8088 if(xpathObj == NULL) {
8089 printf(
"Error: unable to evaluate xpath expression: %s", group_expr);
8090 xmlXPathFreeContext(xpathCtx);
8094 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
8095 temp_char = (
char*) xmlXPathCastToString(xpathObj);
8098 xmlXPathFreeObject(xpathObj);
8104 xpathObj = xmlXPathEvalExpression(user_expr, xpathCtx);
8105 if(xpathObj == NULL) {
8106 printf(
"Error: unable to evaluate xpath expression: %s", user_expr);
8107 xmlXPathFreeContext(xpathCtx);
8111 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
8112 temp_char = (
char*) xmlXPathCastToString(xpathObj);
8115 xmlXPathFreeObject(xpathObj);
8121 xmlXPathFreeContext(xpathCtx);
8122 xmlRelaxNGFree(schema);
8123 xmlRelaxNGFreeValidCtxt(rngctx);
8124 xmlRelaxNGFreeParserCtxt(rngpctx);
8129 if (username != NULL) {
8131 if ((pwd = getpwnam(username)) == NULL) {
8132 printf(
"user '%s' does not exist. cannot chown %s...\n", username, dbschema);
8141 if ((grp = getgrnam(groupname)) == NULL) {
8142 printf(
"group '%s' does not exist. cannot chown %s...\n", groupname, dbschema);
8151 if (chown(dbschema, uid, gid) == -1) {
8152 printf(
"cannot chown(%u,%u) %s: %s",
8153 (
unsigned) uid, (
unsigned) gid, dbschema, strerror(errno));
8162 if (chown(temp_char, uid, gid) == -1) {
8163 printf(
"cannot chown(%u,%u) %s: %s",
8164 (
unsigned) uid, (
unsigned) gid, temp_char, strerror(errno));
/*
 * CountKeys - walk the KSK rows (keytype = 257) of KEYDATA_VIEW in the states
 * spliced into the "state in (...)" clause, look each row's location up in the
 * HSM, and report the row that matches either the requested keytag (recomputed
 * from the DNSKEY the HSM hands back) or the requested cka_id. Matches are
 * returned through the out-parameters; *key_count receives temp_count.
 *
 * NOTE(review): this page shows only a subset of the function's lines (the
 * prologue declarations, several branches and the epilogue are omitted), so
 * the comments below describe only what is visible.
 *
 * zone_id          in/out: -1 means "any zone"; set to the matching row's zone.
 * keytag           -1 disables keytag matching.
 * cka_id           NULL disables cka_id matching.
 * key_count        out: number of rows counted (temp_count).
 * temp_cka_id      out: set to NULL on a match in the visible lines.
 * temp_key_state   out: state of the matching row.
 * temp_keypair_id  out: keypair id of the matching row.
 */
8206 int CountKeys(
int *zone_id,
int keytag,
const char *cka_id,
int *key_count,
char **temp_cka_id,
int *temp_key_state,
int *temp_keypair_id)
8219 int temp_zone_id = 0;
8220 char* temp_loc = NULL;
8223 int temp_keypair = 0;
8228 hsm_key_t *key = NULL;
8229 ldns_rr *dnskey_rr = NULL;
8230 hsm_sign_params_t *sign_params = NULL;
8234 status = hsm_open(
config, hsm_prompt_pin);
8236 hsm_print_error(NULL);
8239 ctx = hsm_create_context();
/* The state list is formatted into a fixed buffer; a truncated result is
 * treated as an error below rather than being used as a partial SQL clause. */
8242 nchar = snprintf(buffer,
sizeof(buffer),
"(%d, %d, %d, %d)",
8244 if (nchar >=
sizeof(buffer)) {
8245 printf(
"Error: Overran buffer in CountKeys\n");
8246 hsm_destroy_context(ctx);
8252 StrAppend(&sql,
"select k.zone_id, k.location, k.algorithm, k.state, k.id from KEYDATA_VIEW k where state in ");
8254 StrAppend(&sql,
" and zone_id is not null and k.keytype = 257");
8256 if (*zone_id != -1) {
/* NOTE(review): the clause appended for cka_id is not visible on this page.
 * cka_id is caller/operator supplied; if it is spliced into the query text it
 * must go through the quoting/condition helpers rather than raw StrAppend. */
8261 if (cka_id != NULL) {
8279 while (status == 0) {
8281 DbInt(row, 0, &temp_zone_id);
8283 DbInt(row, 2, &temp_alg);
8284 DbInt(row, 3, &temp_state);
8285 DbInt(row, 4, &temp_keypair);
/* No filter at all: every row overwrites *temp_key_state, so the last row
 * fetched wins (the omitted lines may narrow this - confirm). */
8289 if (keytag == -1 && cka_id == NULL)
8291 *temp_key_state = temp_state;
8294 key = hsm_find_key_by_id(ctx, temp_loc);
8296 printf(
"cka_id %-33s in DB but NOT IN repository\n", temp_loc);
8297 }
else if (keytag != -1) {
8298 sign_params = hsm_sign_params_new();
/* The owner name is a placeholder: a DNSKEY keytag (RFC 4034 App. B) is
 * computed over the RDATA only, so the real zone name is not needed here. */
8299 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
"temp_zone");
8300 sign_params->algorithm = temp_alg;
8301 sign_params->flags = LDNS_KEY_ZONE_KEY;
8302 sign_params->flags += LDNS_KEY_SEP_KEY;
/* NOTE(review): dnskey_rr is not NULL-checked before ldns_calc_keytag in the
 * visible lines, and it is reassigned on every loop iteration while the only
 * visible ldns_rr_free is in the epilogue - confirm the omitted lines free
 * each iteration's record, otherwise all but the last one leak. */
8304 dnskey_rr = hsm_get_dnskey(ctx, key, sign_params);
8305 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
8308 if (keytag == sign_params->keytag) {
8311 *temp_cka_id = NULL;
8313 *zone_id = temp_zone_id;
8314 *temp_key_state = temp_state;
8315 *temp_keypair_id = temp_keypair;
8316 printf(
"Found key with CKA_ID %s\n", temp_loc);
8319 hsm_sign_params_free(sign_params);
/* NOTE(review): this is a prefix match, not equality - strncmp is bounded by
 * strlen(temp_loc), so a supplied cka_id that merely begins with a stored
 * location is accepted. Because the result feeds key-state changes and
 * deletion elsewhere, an exact comparison (strcmp) would be the safer test. */
8321 if (key && cka_id != NULL && strncmp(cka_id, temp_loc, strlen(temp_loc)) == 0) {
8323 if (done_row == 0) {
8325 *temp_cka_id = NULL;
8327 *zone_id = temp_zone_id;
8328 *temp_key_state = temp_state;
8329 *temp_keypair_id = temp_keypair;
8330 printf(
"Found key with CKA_ID %s\n", temp_loc);
8350 *key_count = temp_count;
8357 if (dnskey_rr != NULL) {
8358 ldns_rr_free(dnskey_rr);
8361 hsm_destroy_context(ctx);
/*
 * GetKeyState - look up the keypair id and enforcer state of the key whose
 * KEYDATA_VIEW location equals cka_id, returning both through the
 * out-parameters. Only part of the function is shown on this page.
 *
 * cka_id           location string to look up (operator supplied).
 * temp_key_state   out: state column of the matching row.
 * temp_keypair_id  out: id column of the matching row.
 */
8368 int GetKeyState(
const char *cka_id,
int *temp_key_state,
int *temp_keypair_id) {
8376 int temp_keypair = 0;
/* NOTE(review): cka_id is interpolated straight into the SQL text inside
 * single quotes with no escaping, so a value containing a quote character
 * changes the statement. The value originates from the command line, which
 * limits the exposure to the local key database, but it should still be
 * quoted through the query-condition helpers used elsewhere in this file. */
8378 nchar = snprintf(sql,
sizeof(sql),
"select k.id, k.state from KEYDATA_VIEW k where k.location = '%s'", cka_id);
8379 if (nchar >=
sizeof(sql)) {
/* The message names CountKeys; it was copied from there and misattributes
 * the overrun when it fires here. */
8380 printf(
"Error: Overran buffer in CountKeys\n");
8389 while (status == 0) {
8391 DbInt(row, 0, &temp_keypair);
8392 DbInt(row, 1, &temp_state);
/* The handling of state 0 is in lines not shown on this page. */
8395 if (temp_state == 0) {
8399 *temp_key_state = temp_state;
8400 *temp_keypair_id = temp_keypair;
8442 int MarkDSSeen(
int keypair_id,
int zone_id,
int policy_id,
const char *datetime,
int key_state)
8460 printf(
"Error: failed to read policy\n");
8483 printf(
"DbDateDiff failed\n");
8508 printf(
"DbDateDiff failed\n");
8566 char* where_clause = NULL;
8581 printf(
"Error: failed to read policy\n");
8597 StrAppend(&where_clause,
"select id from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
8599 StrAppend(&where_clause,
" order by retire limit 1");
8606 printf(
"Error: failed to find ID of key to retire\n");
8617 printf(
"DbDateDiff failed\n");
8671 char* where_clause = NULL;
8684 printf(
"Error: failed to read policy\n");
8701 StrAppend(&where_clause,
"select id from KEYDATA_VIEW where state = 5 and keytype = 257 and zone_id = ");
8703 StrAppend(&where_clause,
" order by dead limit 1");
8710 printf(
"Error: failed to find ID of key to revoke\n");
8780 if (zone_id != -1) {
8789 printf(
"Error in CountKeysInState\n");
8826 int ChangeKeyState(
int keytype,
const char *cka_id,
int zone_id,
int policy_id,
const char *datetime,
int keystate)
8854 printf(
"Error: failed to read policy\n");
8862 if (zone_id != -1) {
8881 keyids =
MemMalloc(count *
sizeof(
int));
8888 if (zone_id != -1) {
8897 while (status == 0) {
8898 status =
KsmKey(result, &data);
8929 for (j = 0; j < i; ++j) {
8933 snprintf(buffer,
sizeof(buffer),
"%d", keyids[j]);
8958 printf(
"DbDateDiff failed\n");
8970 if (zone_id != -1) {
8990 printf(
"DbDateDiff failed\n");
9002 if (zone_id != -1) {
9015 printf(
"DbDateDiff failed\n");
9027 if (zone_id != -1) {
/*
 * restart_enforcerd - ask the running enforcer daemon to pick up changes by
 * running the ODS_EN_NOTIFY command. Returns the raw system() result (a wait
 * status, not a plain exit code); only the opening and return lines are shown
 * on this page.
 *
 * NOTE(review): system() hands the command to /bin/sh, so it is resolved
 * through the caller's PATH and environment. ODS_EN_NOTIFY appears to be a
 * build-time constant, so there is no injection from user input here, but an
 * exec-family call with an explicit argv would avoid the shell and the
 * environment dependency should this tool ever run with elevated privilege.
 */
9058 static int restart_enforcerd()
9062 return system(ODS_EN_NOTIFY);
9074 xmlDocPtr doc = NULL;
9075 xmlXPathContextPtr xpathCtx = NULL;
9076 xmlXPathObjectPtr xpathObj = NULL;
9077 char* temp_char = NULL;
9079 xmlChar *iv_expr = (
unsigned char*)
"//Configuration/Enforcer/Interval";
9080 xmlChar *mk_expr = (
unsigned char*)
"//Configuration/Enforcer/ManualKeyGeneration";
9083 doc = xmlParseFile(
config);
9085 printf(
"Error: unable to parse file \"%s\"\n",
config);
9090 xpathCtx = xmlXPathNewContext(doc);
9091 if(xpathCtx == NULL) {
9092 printf(
"Error: unable to create new XPath context\n");
9098 xpathObj = xmlXPathEvalExpression(iv_expr, xpathCtx);
9099 if(xpathObj == NULL) {
9100 printf(
"Error: unable to evaluate xpath expression: %s", iv_expr);
9101 xmlXPathFreeContext(xpathCtx);
9106 temp_char = (
char *)xmlXPathCastToString(xpathObj);
9109 printf(
"Error: unable to convert Interval %s to seconds, error: %i\n", temp_char, status);
9113 else if (status == -1) {
9114 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n", temp_char);
9118 xmlXPathFreeObject(xpathObj);
9121 xpathObj = xmlXPathEvalExpression(mk_expr, xpathCtx);
9122 if(xpathObj == NULL) {
9123 printf(
"Error: unable to evaluate xpath expression: %s\n", mk_expr);
9124 xmlXPathFreeContext(xpathCtx);
9129 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
9137 xmlXPathFreeObject(xpathObj);
9140 xmlXPathFreeContext(xpathCtx);
9180 int man_key_gen = -1;
9191 printf(
"Failed to Link Keys to zone\n");
9201 if (policy == NULL) {
9202 printf(
"Malloc for policy struct failed\n");
9212 printf(
"Error: unable to read policy %s from database\n",
o_policy);
9217 printf(
"Error: policy %s doesn't exist in database\n",
o_policy);
9225 printf(
"Error allocating zsks to zone %s", zone_name);
9231 printf(
"Error allocating ksks to zone %s", zone_name);
9273 int keys_needed = 0;
9274 int keys_in_queue = 0;
9275 int keys_pending_retirement = 0;
9277 int key_pair_id = 0;
9284 if (datetime == NULL) {
9285 printf(
"Couldn't turn \"now\" into a date, quitting...");
9289 if (policy == NULL) {
9290 printf(
"NULL policy sent to allocateKeysToZone");
9296 printf(
"Unknown keytype: %i in allocateKeysToZone", key_type);
9310 status =
KsmKeyPredict(policy->
id, key_type, 1, interval, &keys_needed, rollover_scheme, 1);
9312 printf(
"Could not predict key requirement for next interval for %s", zone_name);
9320 printf(
"Could not count current key numbers for zone %s", zone_name);
9328 printf(
"Could not count keys which may retire before the next run (for zone %s)", zone_name);
9334 new_keys = keys_needed - (keys_in_queue - keys_pending_retirement);
9340 for (i=0 ; i < new_keys ; i++){
9344 if (status == -1 || key_pair_id == 0) {
9345 if (man_key_gen == 0) {
9346 printf(
"Not enough keys to satisfy ksk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
9347 printf(
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
9348 printf(
"ods-enforcerd will create some more keys on its next run");
9351 printf(
"Not enough keys to satisfy ksk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
9352 printf(
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
9353 printf(
"please use \"ods-ksmutil key generate\" to create some more keys.");
9357 else if (status != 0) {
9358 printf(
"Could not get an unallocated ksk for zone: %s", zone_name);
9363 if (status == -1 || key_pair_id == 0) {
9364 if (man_key_gen == 0) {
9365 printf(
"Not enough keys to satisfy zsk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
9366 printf(
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
9367 printf(
"ods-enforcerd will create some more keys on its next run");
9370 printf(
"Not enough keys to satisfy zsk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
9371 printf(
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
9372 printf(
"please use \"ods-ksmutil key generate\" to create some more keys.");
9376 else if (status != 0) {
9377 printf(
"Could not get an unallocated zsk for zone: %s", zone_name);
9381 if(key_pair_id > 0) {
9388 printf(
"KsmKeyGetUnallocated returned bad key_id %d for zone: %s; exiting...", key_pair_id, zone_name);
9392 printf(
"%s key allocation for zone %s: %d key(s) allocated\n", key_type ==
KSM_TYPE_KSK ?
"KSK" :
"ZSK", zone_name, new_keys);
9416 int keyRoll(
int zone_id,
int policy_id,
int key_type)
9429 int temp_zone_id = -1;
9435 char* insql1 = NULL;
9436 char* insql2 = NULL;
9442 if (datetime == NULL) {
9443 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
9451 if (zone_id != -1) {
9454 if (policy_id != -1) {
9458 if (key_type != -1) {
9467 while (status == 0) {
9469 DbInt(row, 0, &temp_id);
9470 DbInt(row, 1, &temp_type);
9474 DusSetInt(&sql1,
"compromisedflag", 1, 1);
9535 size = snprintf(sql2,
KSM_SQL_SIZE,
"select zone_id from dnsseckeys where retire = \"%s\" and keypair_id = %d", datetime, temp_id);
9539 while (status == 0) {
9541 DbInt(row2, 0, &temp_zone_id);
9546 snprintf(buffer,
sizeof(buffer),
"%d", temp_zone_id);
9569 while (status == 0) {
9571 DbInt(row2, 0, &temp_zone_id);
9576 snprintf(buffer,
sizeof(buffer),
"%d", temp_zone_id);
9598 printf(
"Couldn't construct SQL to promote standby key\n");
9669 else if (status == -1) {}
9684 xmlNodePtr zone_node;
9685 xmlNodePtr adapters_node;
9686 xmlNodePtr input_node;
9687 xmlNodePtr in_ad_node;
9688 xmlNodePtr output_node;
9689 xmlNodePtr out_ad_node;
9691 root = xmlDocGetRootElement(doc);
9693 fprintf(stderr,
"empty document\n");
9696 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
9697 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
9701 zone_node = xmlNewTextChild(root, NULL, (
const xmlChar *)
"Zone", NULL);
9702 (void) xmlNewProp(zone_node, (
const xmlChar *)
"name", (
const xmlChar *)zone->
name);
9705 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"Policy", (
const xmlChar *)zone->
policy_name);
9708 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"SignerConfiguration", (
const xmlChar *)zone->
signconf);
9711 adapters_node = xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"Adapters", NULL);
9713 input_node = xmlNewTextChild(adapters_node, NULL, (
const xmlChar *)
"Input", NULL);
9714 in_ad_node = xmlNewTextChild (input_node, NULL, (
const xmlChar *)
"Adapter", (
const xmlChar *)zone->
input);
9716 if (zone->
in_type[0] ==
'\0') {
9717 (void) xmlNewProp(in_ad_node, (
const xmlChar *)
"type", (
const xmlChar *)
"File");
9719 (void) xmlNewProp(in_ad_node, (
const xmlChar *)
"type", (
const xmlChar *)zone->
in_type);
9723 output_node = xmlNewTextChild(adapters_node, NULL, (
const xmlChar *)
"Output", NULL);
9724 out_ad_node = xmlNewTextChild (output_node, NULL, (
const xmlChar *)
"Adapter", (
const xmlChar *)zone->
output);
9727 (void) xmlNewProp(out_ad_node, (
const xmlChar *)
"type", (
const xmlChar *)
"File");
9729 (void) xmlNewProp(out_ad_node, (
const xmlChar *)
"type", (
const xmlChar *)zone->
out_type);
9743 len = strlen(
string);
9745 for (i = 0; i < len; ++i) {
9746 if (
string[i] ==
'\'') {
9751 buffer[j++] =
string[i];
9755 return ( (j <= buflen) ? 0 : 1);
9760 char* signconf = NULL;
9761 char* moved_signconf = NULL;
9762 char* zone_name = NULL;
9766 xmlDocPtr doc = NULL;
9768 xmlXPathContextPtr xpathCtx = NULL;
9769 xmlXPathObjectPtr xpathObj = NULL;
9771 xmlChar *node_expr = (
unsigned char*)
"//Zone";
9773 doc = xmlParseFile(zonelist_filename);
9775 printf(
"Error: unable to parse file \"%s\"\n", zonelist_filename);
9779 xpathCtx = xmlXPathNewContext(doc);
9780 if(xpathCtx == NULL) {
9786 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
9787 if(xpathObj == NULL) {
9788 xmlXPathFreeContext(xpathCtx);
9793 if (xpathObj->nodesetval) {
9794 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
9796 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
9797 zone_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
9799 if (all_flag || (strlen(zone_name) == strlen(o_zone) &&
9800 strncmp(zone_name, o_zone, strlen(zone_name)) == 0)) {
9804 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"SignerConfiguration")) {
9805 StrAppend(&signconf, (
char *) xmlNodeGetContent(curNode));
9807 StrAppend(&moved_signconf,
".ZONE_DELETED");
9809 status = rename(signconf, moved_signconf);
9810 if (status != 0 && errno != ENOENT)
9813 printf(
"Could not rename: %s -> %s", signconf, moved_signconf);
9823 curNode = curNode->next;
9859 char* temp_zone = NULL;
9860 int temp_policy = 0;
9861 char* temp_location = NULL;
9868 hsm_key_t *key = NULL;
9869 ldns_rr *dnskey_rr = NULL;
9870 hsm_sign_params_t *sign_params = NULL;
9874 char* ds_buffer = NULL;
9878 status = hsm_open(
config, hsm_prompt_pin);
9880 hsm_print_error(NULL);
9883 ctx = hsm_create_context();
9886 "select name, kv.policy_id, location, algorithm from KEYDATA_VIEW kv, zones z where keytype = 257 and state in (3,7) and zone_id = z.id ");
9887 if (zone_id != -1) {
9900 while (status == 0) {
9903 DbInt(row, 1, &temp_policy);
9905 DbInt(row, 3, &temp_algo);
9908 key = hsm_find_key_by_id(ctx, temp_location);
9911 printf(
"Key %s in DB but not repository.", temp_location);
9916 hsm_destroy_context(ctx);
9921 printf(
"\n*** Found DNSKEY RECORD involved with rollover:\n");
9923 sign_params = hsm_sign_params_new();
9924 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, temp_zone);
9925 sign_params->algorithm = temp_algo;
9926 sign_params->flags = LDNS_KEY_ZONE_KEY;
9927 sign_params->flags += LDNS_KEY_SEP_KEY;
9928 dnskey_rr = hsm_get_dnskey(ctx, key, sign_params);
9933 ldns_rr_set_ttl(dnskey_rr, rrttl);
9936 ds_buffer = ldns_rr2str(dnskey_rr);
9937 ldns_rr_free(dnskey_rr);
9940 for (i = 0; ds_buffer[i]; ++i) {
9941 if (ds_buffer[i] ==
'\t') {
9947 printf(
"%s", ds_buffer);
9948 printf(
"\nOnce the DS record for this DNSKEY is seen in DNS you can issue the ds-seen command for zone %s with the cka_id %s\n", temp_zone, temp_location);
9953 temp_location = NULL;
9956 hsm_sign_params_free(sign_params);
9970 hsm_destroy_context(ctx);