61 #include <libhsmdns.h>
62 #include <ldns/ldns.h>
64 #include <libxml/tree.h>
65 #include <libxml/parser.h>
66 #include <libxml/xpointer.h>
67 #include <libxml/xpath.h>
68 #include <libxml/xpathInternals.h>
69 #include <libxml/relaxng.h>
70 #include <libxml/xmlreader.h>
71 #include <libxml/xmlsave.h>
73 #define MAX(a, b) ((a) > (b) ? (a) : (b))
77 #define DURATION_TYPE 1
81 #define ROLLOVER_TYPE 5
82 #define INT_TYPE_NO_FREE 6
85 # define MAXPATHLEN 4096
90 #define DEFAULT_LOG_FACILITY LOG_DAEMON
92 #define DEFAULT_LOG_FACILITY LOG_USER
98 char *
config = (
char *) OPENDNSSEC_CONFIG_FILE;
115 static int all_flag = 0;
116 static int ds_flag = 0;
117 static int retire_flag = 1;
118 static int verbose_flag = 0;
119 static int xml_flag = 1;
120 static int td_flag = 0;
122 static int restart_enforcerd(
void);
129 " --version aka -V\n");
137 "\tImport config into a database (deletes current contents)\n");
144 " start|stop|notify\n"
145 "\tStart, stop or SIGHUP the ods-enforcerd\n");
156 "\tUpdate database from config\n");
164 "\t--zone <zone> aka -z\n"
165 "\t[--policy <policy>] aka -p\n"
166 "\t[--signerconf <signerconf.xml>] aka -s\n"
167 "\t[--input <input>] aka -i\n"
168 "\t[--output <output>] aka -o\n"
169 "\t[--no-xml] aka -m\n");
177 "\t--zone <zone> | --all aka -z / -a\n"
178 "\t[--no-xml] aka -m\n");
192 "usage: %s [-c <config> | --config <config>] zone \n\n",
203 " repository list\n");
211 "\t--policy [policy_name] | --all aka -p / -a\n");
239 "usage: %s [-c <config> | --config <config>] \n\n",
253 "\t--zone <zone> | --all aka -z / -a\n"
255 "\t(will appear soon:\n"
256 "\t[--keystate <state>] aka -e\n"
257 "\t[--keytype <type>] aka -t\n"
268 "\t--zone <zone> | --all aka -z / -a\n"
269 "\t[--keystate <state>] aka -e\n"
270 "\t[--keytype <type>] aka -t\n"
271 "\t[--ds] aka -d\n");
279 "\t--cka_id <CKA_ID> aka -k\n"
280 "\t--repository <repository> aka -r\n"
281 "\t--zone <zone> aka -z\n"
282 "\t--bits <size> aka -b\n"
283 "\t--algorithm <algorithm> aka -g\n"
284 "\t--keystate <state> aka -e\n"
285 "\t--keytype <type> aka -t\n"
286 "\t--time <time> aka -w\n"
287 "\t[--retire <retire>] aka -y\n");
295 "\t--zone zone [--keytype <type>] aka -z\n"
297 "\t--policy policy [--keytype <type>] aka -p\n");
305 "\t--zone <zone> aka -z\n"
307 "\t--policy <policy> aka -p\n");
315 "\t--policy <policy>\n"
316 "\t--interval <interval>\n");
324 "\t--zone <zone> aka -z\n"
325 "\t--keytag <keytag> | --cka_id <CKA_ID> aka -x / -k\n");
334 "\t--zone <zone> aka -z\n"
335 "\t--keytag <keytag> | --cka_id <CKA_ID> aka -x / -k\n"
343 "usage: %s [-c <config> | --config <config>] \n\n",
360 "\t--repository <repository> aka -r\n"
362 "\t--repository <repository> aka -r\n"
364 "\t--repository <repository> aka -r\n"
366 "\t--repository <repository> aka -r\n"
368 "\t--repository <repository> aka -r\n");
376 "\t[--zone <zone>]\n");
384 "\t[--output <output>] aka -o\n");
392 " zonelist import\n");
399 "usage: %s [-c <config> | --config <config>] command [options]\n\n",
432 "\n\tAllowed date/time strings are of the form:\n"
434 "\tYYYYMMDD[HH[MM[SS]]] (all numeric)\n"
436 "\tor D-MMM-YYYY[:| ]HH[:MM[:SS]] (alphabetic month)\n"
437 "\tor DD-MMM-YYYY[:| ]HH[:MM[:SS]] (alphabetic month)\n"
438 "\tor YYYY-MMM-DD[:| ]HH[:MM[:SS]] (alphabetic month)\n"
440 "\tD-MM-YYYY[:| ]HH[:MM[:SS]] (numeric month)\n"
441 "\tDD-MM-YYYY[:| ]HH[:MM[:SS]] (numeric month)\n"
442 "\tor YYYY-MM-DD[:| ]HH[:MM[:SS]] (numeric month)\n"
444 "\t... and the distinction between them is given by the location of the\n"
452 "key states: GENERATE|PUBLISH|READY|ACTIVE|RETIRE|DEAD\n");
459 "key types: KSK|ZSK\n");
469 FILE* lock_fd = NULL;
470 char* zone_list_filename;
475 char *dbschema = NULL;
479 char *password = NULL;
484 char* setup_command = NULL;
485 char* lock_filename = NULL;
488 printf(
"*WARNING* This will erase all data in the database; are you sure? [y/N] ");
490 user_certain = getchar();
491 if (user_certain !=
'y' && user_certain !=
'Y') {
492 printf(
"Okay, quitting...\n");
499 status =
get_db_details(&dbschema, &host, &port, &user, &password);
518 lock_fd = fopen(lock_filename,
"w");
521 printf(
"Error getting db lock\n");
522 if (lock_fd != NULL) {
543 if (system(setup_command) != 0)
545 printf(
"Could not call db setup command:\n\t%s\n", setup_command);
561 printf(
"Couldn't fix permissions on file %s\n", dbschema);
562 printf(
"Will coninue with setup, but you may need to manually change ownership\n");
572 printf(
"Failed to connect to database, username too long.\n");
585 printf(
"Failed to connect to database, password too long.\n");
607 if (password != NULL) {
609 StrAppend(&setup_command, quoted_password);
617 if (system(setup_command) != 0)
619 printf(
"Could not call db setup command:\n\t%s\n", setup_command);
632 status =
DbConnect(&dbhandle, dbschema, host, password, user, port);
634 printf(
"Failed to connect to database\n");
657 printf(
"Failed to read conf.xml\n");
668 printf(
"Failed to update repositories\n");
680 printf(
"Failed to update policies\n");
681 printf(
"SETUP FAILED\n");
696 printf(
"Failed to update zones\n");
719 FILE* lock_fd = NULL;
720 char* zone_list_filename = NULL;
721 char* kasp_filename = NULL;
723 int done_something = 0;
728 printf(
"Failed to connect to database\n");
737 if (strncmp(qualifier,
"ZONELIST", 8) == 0 ||
738 strncmp(qualifier,
"KASP", 4) == 0 ||
739 strncmp(qualifier,
"ALL", 3) == 0) {
742 printf(
"Failed to read conf.xml\n");
752 if (strncmp(qualifier,
"CONF", 4) == 0 ||
753 strncmp(qualifier,
"ALL", 3) == 0) {
756 printf(
"Failed to update repositories\n");
758 if (strncmp(qualifier,
"ALL", 3) == 0) {
771 if (strncmp(qualifier,
"KASP", 4) == 0 ||
772 strncmp(qualifier,
"ALL", 3) == 0) {
775 printf(
"Failed to update policies\n");
788 if (strncmp(qualifier,
"ZONELIST", 8) == 0 ||
789 strncmp(qualifier,
"ALL", 3) == 0) {
792 printf(
"Failed to update zones\n");
804 if (done_something == 0) {
805 printf(
"Unrecognised command update %s. Please specify one of:\n", qualifier);
809 if (restart_enforcerd() != 0)
811 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
821 if (kasp_filename != NULL) {
824 if (zone_list_filename != NULL) {
843 FILE* lock_fd = NULL;
844 char* zonelist_filename = NULL;
845 char* backup_filename = NULL;
847 char* sig_conf_name = NULL;
848 char* input_name = NULL;
849 char* output_name = NULL;
856 xmlDocPtr doc = NULL;
862 printf(
"Couldn't malloc path: %s\n", strerror(errno));
868 printf(
"Please specify a zone with the --zone option\n");
881 StrAppend(&sig_conf_name, OPENDNSSEC_STATE_DIR);
895 StrAppend(&input_name, OPENDNSSEC_STATE_DIR);
908 StrAppend(&output_name, OPENDNSSEC_STATE_DIR);
925 printf(
"couldn't read zonelist\n");
940 printf(
"Failed to connect to database\n");
952 printf(
"Error, can't find policy : %s\n",
o_policy);
953 printf(
"Failed to update zones\n");
961 status =
KsmImportZone(
o_zone, policy_id, 1, &new_zone, sig_conf_name, input_name, output_name);
964 printf(
"Failed to Import zone %s; it already exists\n",
o_zone);
965 }
else if (status == -3) {
966 printf(
"Failed to Import zone %s; it already exists both with and without a trailing dot\n",
o_zone);
968 printf(
"Failed to Import zone\n");
982 printf(
"Can't retrieve shared-keys parameter for policy\n");
992 printf(
"Can't retrieve shared-keys parameter for policy\n");
1003 if (data.
value == 1) {
1006 printf(
"Failed to Link Keys to zone\n");
1024 if (xml_flag == 1) {
1027 xmlKeepBlanksDefault(0);
1028 xmlTreeIndentString =
"\t";
1041 StrAppend(&backup_filename, zonelist_filename);
1043 status =
backup_file(zonelist_filename, backup_filename);
1051 status = xmlSaveFormatFile(zonelist_filename, doc, 1);
1056 printf(
"couldn't save zonelist\n");
1064 if (xml_flag == 0) {
1065 printf(
"Imported zone: %s into database only, please run \"ods-ksmutil zonelist export\" to update zonelist.xml\n",
o_zone);
1067 printf(
"Imported zone: %s\n",
o_zone);
1081 char* zonelist_filename = NULL;
1082 char* backup_filename = NULL;
1087 xmlDocPtr doc = NULL;
1094 FILE* lock_fd = NULL;
1097 if (all_flag &&
o_zone != NULL) {
1098 printf(
"can not use --all with --zone\n");
1101 else if (!all_flag &&
o_zone == NULL) {
1102 printf(
"please specify either --zone <zone> or --all\n");
1107 if (all_flag == 1) {
1108 printf(
"*WARNING* This will remove all zones from OpenDNSSEC; are you sure? [y/N] ");
1110 user_certain = getchar();
1111 if (user_certain !=
'y' && user_certain !=
'Y') {
1112 printf(
"Okay, quitting...\n");
1120 printf(
"Failed to connect to database\n");
1133 if (xml_flag == 1) {
1137 printf(
"couldn't read zonelist\n");
1162 StrAppend(&backup_filename, zonelist_filename);
1164 status =
backup_file(zonelist_filename, backup_filename);
1173 status = xmlSaveFormatFile(zonelist_filename, doc, 1);
1177 printf(
"Could not save %s\n", zonelist_filename);
1188 if (all_flag == 0) {
1191 printf(
"Couldn't find zone %s\n",
o_zone);
1201 printf(
"Error: failed to mark keys as dead in database\n");
1210 printf(
"Error: failed to remove zone%s from database\n", (all_flag == 1) ?
"s" :
"");
1216 if (all_flag == 0) {
1217 if (system(SIGNER_CLI_UPDATE) != 0)
1219 printf(
"Could not call signer engine\n");
1226 if (xml_flag == 0) {
1227 printf(
"Deleted zone: %s from database only, please run \"ods-ksmutil zonelist export\" to update zonelist.xml\n",
o_zone);
1241 FILE* lock_fd = NULL;
1243 char* zonelist_filename = NULL;
1246 xmlTextReaderPtr reader = NULL;
1248 char* tag_name = NULL;
1250 int file_zone_count = 0;
1256 char* temp_name = NULL;
1263 printf(
"couldn't read zonelist\n");
1264 if (zonelist_filename != NULL) {
1273 printf(
"Failed to connect to database\n");
1279 reader = xmlNewTextReaderFilename(zonelist_filename);
1280 if (reader != NULL) {
1281 ret = xmlTextReaderRead(reader);
1283 tag_name = (
char*) xmlTextReaderLocalName(reader);
1285 if (strncmp(tag_name,
"Zone", 4) == 0
1286 && strncmp(tag_name,
"ZoneList", 8) != 0
1287 && xmlTextReaderNodeType(reader) == 1) {
1291 ret = xmlTextReaderRead(reader);
1294 xmlFreeTextReader(reader);
1296 printf(
"%s : failed to parse\n", zonelist_filename);
1299 printf(
"Unable to open %s\n", zonelist_filename);
1303 zone_ids =
MemMalloc(file_zone_count *
sizeof(
int));
1309 if (file_zone_count != 0) {
1310 StrAppend(&sql,
"select name from zones where id not in (");
1311 for (j = 0; j < file_zone_count; ++j) {
1315 snprintf(buffer,
sizeof(buffer),
"%d", zone_ids[j]);
1320 StrAppend(&sql,
"select name from zones");
1326 while (status == 0) {
1330 printf(
"Found zone %s in DB but not zonelist.\n", temp_name);
1347 if (file_zone_count == 0) {
1348 printf(
"No zones in DB or zonelist.\n");
1374 char *case_keytype = NULL;
1375 char *case_keystate = NULL;
1376 char *zone_name = NULL;
1379 hsm_key_t *key = NULL;
1380 ldns_rr *dnskey_rr = NULL;
1381 ldns_rr *ds_sha1_rr = NULL;
1382 ldns_rr *ds_sha256_rr = NULL;
1383 hsm_sign_params_t *sign_params = NULL;
1391 int done_something = 0;
1398 if (strncmp(case_keystate,
"KEYPUBLISH", 10) == 0 || strncmp(
o_keystate,
"10", 2) == 0) {
1401 else if (strncmp(case_keystate,
"GENERATE", 8) == 0 || strncmp(
o_keystate,
"1", 1) == 0) {
1404 else if (strncmp(case_keystate,
"PUBLISH", 7) == 0 || strncmp(
o_keystate,
"2", 1) == 0) {
1407 else if (strncmp(case_keystate,
"READY", 5) == 0 || strncmp(
o_keystate,
"3", 1) == 0) {
1410 else if (strncmp(case_keystate,
"ACTIVE", 6) == 0 || strncmp(
o_keystate,
"4", 1) == 0) {
1413 else if (strncmp(case_keystate,
"RETIRE", 6) == 0 || strncmp(
o_keystate,
"5", 1) == 0) {
1416 else if (strncmp(case_keystate,
"DEAD", 4) == 0 || strncmp(
o_keystate,
"6", 1) == 0) {
1419 else if (strncmp(case_keystate,
"DSSUB", 5) == 0 || strncmp(
o_keystate,
"7", 1) == 0) {
1422 else if (strncmp(case_keystate,
"DSPUBLISH", 9) == 0 || strncmp(
o_keystate,
"8", 1) == 0) {
1425 else if (strncmp(case_keystate,
"DSREADY", 7) == 0 || strncmp(
o_keystate,
"9", 1) == 0) {
1429 printf(
"Error: Unrecognised state %s; should be one of GENERATE, PUBLISH, READY, ACTIVE, RETIRE, DEAD, DSSUB, DSPUBLISH, DSREADY or KEYPUBLISH\n",
o_keystate);
1441 if (strncmp(case_keytype,
"KSK", 3) == 0 || strncmp(
o_keytype,
"257", 3) == 0) {
1444 else if (strncmp(case_keytype,
"ZSK", 3) == 0 || strncmp(
o_keytype,
"256", 3) == 0) {
1448 printf(
"Error: Unrecognised keytype %s; should be one of KSK or ZSK\n",
o_keytype);
1459 printf(
"Failed to connect to database\n");
1471 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
1477 status = hsm_open(
config, hsm_prompt_pin, NULL);
1479 hsm_print_error(NULL);
1484 if (state_id != -1) {
1487 nchar = snprintf(buffer,
sizeof(buffer),
"(%d, %d, %d, %d, %d, %d)",
1490 if (nchar >=
sizeof(buffer)) {
1498 if (zone_id != -1) {
1506 status =
KsmKey(result, &data);
1507 while (status == 0) {
1510 key = hsm_find_key_by_id(NULL, data.
location);
1513 printf(
"Key %s in DB but not repository\n", data.
location);
1517 sign_params = hsm_sign_params_new();
1519 if (zone_id == -1) {
1522 printf(
"Error: unable to find zone name for id %d\n", zone_id);
1523 hsm_sign_params_free(sign_params);
1526 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone_name);
1530 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
o_zone);
1533 sign_params->algorithm = data.
algorithm;
1534 sign_params->flags = LDNS_KEY_ZONE_KEY;
1536 sign_params->flags += LDNS_KEY_SEP_KEY;
1538 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
1539 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
1543 ldns_rr_print(stdout, dnskey_rr);
1548 ds_sha1_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA1);
1549 ldns_rr_print(stdout, ds_sha1_rr);
1552 ds_sha256_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA256);
1553 ldns_rr_print(stdout, ds_sha256_rr);
1558 hsm_sign_params_free(sign_params);
1560 status =
KsmKey(result, &data);
1572 if (!done_something) {
1573 if (state_id != -1) {
1576 printf(
"No keys in READY state or higher to export.\n");
1582 if (dnskey_rr != NULL) {
1583 ldns_rr_free(dnskey_rr);
1585 if (ds_sha1_rr != NULL) {
1586 ldns_rr_free(ds_sha1_rr);
1588 if (ds_sha256_rr != NULL) {
1589 ldns_rr_free(ds_sha256_rr);
1608 xmlDocPtr doc = xmlNewDoc((
const xmlChar *)
"1.0");
1615 if (all_flag &&
o_policy != NULL) {
1616 printf(
"can not use --all with --policy\n");
1619 else if (!all_flag &&
o_policy == NULL) {
1620 printf(
"please specify either --policy <policy> or --all\n");
1627 printf(
"Failed to connect to database\n");
1646 policy->
zone == NULL || policy->
parent == NULL ||
1647 policy->
keys == NULL ||
1648 policy->
ksk == NULL || policy->
zsk == NULL ||
1650 fprintf(stderr,
"Malloc for policy struct failed\n");
1655 xmlKeepBlanksDefault(0);
1656 xmlTreeIndentString =
" ";
1657 root = xmlNewDocNode(doc, NULL, (
const xmlChar *)
"KASP", NULL);
1658 (void) xmlDocSetRootElement(doc, root);
1667 while (status == 0) {
1677 xmlSaveFormatFile(
"-", doc, 1);
1698 xmlDocPtr doc = xmlNewDoc((
const xmlChar *)
"1.0");
1701 int prev_policy_id = -1;
1708 printf(
"Failed to connect to database\n");
1715 fprintf(stderr,
"Malloc for zone struct failed\n");
1720 xmlKeepBlanksDefault(0);
1721 xmlTreeIndentString =
" ";
1722 root = xmlNewDocNode(doc, NULL, (
const xmlChar *)
"ZoneList", NULL);
1723 (void) xmlDocSetRootElement(doc, root);
1729 status =
KsmZone(result, zone);
1731 while (status == 0) {
1732 if (zone->
policy_id != prev_policy_id) {
1736 fprintf(stderr,
"Couldn't get name for policy with ID: %d, exiting...\n", zone->
policy_id);
1743 status =
KsmZone(result, zone);
1748 xmlSaveFormatFile(
"-", doc, 1);
1766 FILE* lock_fd = NULL;
1786 printf(
"Failed to connect to database\n");
1816 if (data.
value == 1) {
1817 printf(
"*WARNING* This zone shares keys with others, all instances of the active key on this zone will be retired; are you sure? [y/N] ");
1819 user_certain = getchar();
1820 if (user_certain !=
'y' && user_certain !=
'Y') {
1821 printf(
"Okay, quitting...\n");
1827 status =
keyRoll(zone_id, -1, key_type);
1837 if (restart_enforcerd() != 0)
1839 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
1855 FILE* lock_fd = NULL;
1859 int zone_count = -1;
1876 printf(
"Failed to connect to database\n");
1883 printf(
"Error, can't find policy : %s\n",
o_policy);
1889 printf(
"*WARNING* This will roll all keys on the policy; are you sure? [y/N] ");
1891 user_certain = getchar();
1892 if (user_certain !=
'y' && user_certain !=
'Y') {
1893 printf(
"Okay, quitting...\n");
1908 if (zone_count == 0) {
1909 printf(
"No zones on policy; nothing to roll\n");
1914 printf(
"Couldn't count zones on policy; quitting...\n");
1919 status =
keyRoll(-1, policy_id, key_type);
1925 if (restart_enforcerd() != 0)
1927 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
1948 FILE* lock_fd = NULL;
1953 printf(
"Failed to connect to database\n");
1962 printf(
"Error: unable to find a policy named \"%s\" in database\n",
o_policy);
1976 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
1986 printf(
"Error: failed to purge dead keys\n");
2010 FILE* lock_fd = NULL;
2015 if (datetime == NULL) {
2016 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
2023 printf(
"Failed to connect to database\n");
2033 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
2041 if (strncmp(qualifier,
"PREPARE", 7) == 0 ||
2042 strncmp(qualifier,
"DONE", 4) == 0 ) {
2045 printf(
"There were no keys to mark\n");
2047 else if (status != 0) {
2048 printf(
"Error: failed to mark pre_backup as done\n");
2053 if (strncmp(qualifier,
"PREPARE", 7) == 0) {
2055 printf(
"Marked repository %s as pre-backed up at %s\n",
o_repository, datetime);
2057 printf(
"Marked all repositories as pre-backed up at %s\n", datetime);
2064 if (strncmp(qualifier,
"COMMIT", 6) == 0 ||
2065 strncmp(qualifier,
"DONE", 4) == 0 ) {
2068 printf(
"There were no keys to mark\n");
2070 else if (status != 0) {
2071 printf(
"Error: failed to mark backup as done\n");
2077 printf(
"Marked repository %s as backed up at %s\n",
o_repository, datetime);
2079 printf(
"Marked all repositories as backed up at %s\n", datetime);
2085 if (strncmp(qualifier,
"ROLLBACK", 6) == 0 ) {
2088 printf(
"There were no keys to rollback\n");
2090 else if (status != 0) {
2091 printf(
"Error: failed to mark backup as done\n");
2097 printf(
"Rolled back pre-backup of repository %s\n",
o_repository);
2099 printf(
"Rolled back pre-backup of all repositories\n");
2120 int qualifier_id = -1;
2124 FILE* lock_fd = NULL;
2129 printf(
"Failed to connect to database\n");
2142 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2149 printf(
"Rollovers:\n");
2154 printf(
"Error: failed to list rollovers\n");
2176 int qualifier_id = -1;
2180 FILE* lock_fd = NULL;
2185 printf(
"Failed to connect to database\n");
2194 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
2200 printf(
"Backups:\n");
2204 printf(
"Error: failed to list backups\n");
2227 FILE* lock_fd = NULL;
2232 printf(
"Failed to connect to database\n");
2237 printf(
"Repositories:\n");
2242 printf(
"Error: failed to list repositories\n");
2243 if (lock_fd != NULL) {
2268 FILE* lock_fd = NULL;
2273 printf(
"Failed to connect to database\n");
2278 printf(
"Policies:\n");
2283 printf(
"Error: failed to list policies\n");
2304 int qualifier_id = -1;
2308 FILE* lock_fd = NULL;
2313 printf(
"Failed to connect to database\n");
2326 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2338 printf(
"Error: failed to list keys\n");
2365 int keytag_int = -1;
2366 int temp_key_state = -1;
2367 int temp_keypair_id = -1;
2368 char* temp_cka_id = NULL;
2373 FILE* lock_fd = NULL;
2378 if (datetime == NULL) {
2379 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
2385 printf(
"*WARNING* This will retire the currently active KSK; are you sure? [y/N] ");
2387 user_certain = getchar();
2388 if (user_certain !=
'y' && user_certain !=
'Y') {
2389 printf(
"Okay, quitting...\n");
2396 printf(
"Failed to connect to database\n");
2410 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2423 printf(
"Error: Unable to convert keytag \"%s\"; to an integer\n",
o_keytag);
2429 printf(
"Error: keytag \"%s\"; should be numeric only\n",
o_keytag);
2439 printf(
"Please provide a zone or details of the key to roll\n");
2448 printf(
"Error: failed to count active keys\n");
2455 if (key_count < 2) {
2456 printf(
"Error: completing this action would leave no active keys on zone, quitting...\n");
2465 printf(
"Error: failed to find policy for zone\n");
2474 printf(
"Old key retired\n");
2476 printf(
"Old key NOT retired\n");
2484 status =
CountKeys(&zone_id, keytag_int,
o_cka_id, &key_count, &temp_cka_id, &temp_key_state, &temp_keypair_id);
2486 printf(
"Error: failed to count keys\n");
2493 if (key_count > 1) {
2494 printf(
"More than one key matched your parameters, please include more information from the above keys\n");
2502 printf(
"No keys in the ACTIVE state matched your parameters, please check the parameters\n");
2510 printf(
"Error: failed to count active keys\n");
2517 if (key_count < 2) {
2518 printf(
"Error: completing this action would leave no active keys on zone, quitting...\n");
2527 printf(
"Error: failed to find policy for zone\n");
2538 printf(
"Key %s retired\n", temp_cka_id);
2565 int retired_count = -1;
2566 int keytag_int = -1;
2567 int temp_key_state = -1;
2568 int temp_keypair_id = -1;
2569 char* temp_cka_id = NULL;
2574 FILE* lock_fd = NULL;
2581 if (datetime == NULL) {
2582 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
2589 printf(
"Please provide a keytag or a CKA_ID for the key (CKA_ID will be used if both are provided\n");
2597 printf(
"*WARNING* This will retire the currently active KSK; are you sure? [y/N] ");
2599 user_certain = getchar();
2600 if (user_certain !=
'y' && user_certain !=
'Y') {
2601 printf(
"Okay, quitting...\n");
2608 printf(
"Failed to connect to database\n");
2619 printf(
"Please specify a zone using the --zone flag\n");
2625 else if (
o_zone != NULL) {
2632 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2639 else if (all_flag) {
2640 printf(
"*WARNING* This will act on every zone where this key is in use; are you sure? [y/N] ");
2642 user_certain = getchar();
2643 if (user_certain !=
'y' && user_certain !=
'Y') {
2644 printf(
"Okay, quitting...\n");
2656 printf(
"Error: Unable to convert keytag \"%s\"; to an integer\n",
o_keytag);
2662 printf(
"Error: keytag \"%s\"; should be numeric only\n",
o_keytag);
2673 status =
CountKeys(&zone_id, keytag_int,
o_cka_id, &key_count, &temp_cka_id, &temp_key_state, &temp_keypair_id);
2675 printf(
"Error: failed to count keys\n");
2682 if (key_count > 1) {
2683 printf(
"More than one key matched your parameters, please include more information from the above keys\n");
2691 printf(
"Key is already active\n");
2698 if (key_count == 0) {
2699 printf(
"No keys in the READY state matched your parameters, please check the parameters\n");
2708 printf(
"Error: failed to find policy for zone\n");
2715 status =
MarkDSSeen(temp_keypair_id, zone_id, policy_id, datetime, temp_key_state);
2719 snprintf(logmsg, 256,
"Key %s made %s", temp_cka_id, (temp_key_state ==
KSM_STATE_READY) ?
"active" :
"into standby");
2720 printf(
"%s\n", logmsg);
2724 syslog(LOG_INFO,
"%s", logmsg);
2731 if (retire_flag == 1) {
2736 printf(
"Error: failed to count active keys\n");
2743 if (key_count < 2) {
2748 printf(
"Error: failed to count retired keys\n");
2757 if (retired_count != 0) {
2758 printf(
"Error: retiring a key would leave no active keys on zone, skipping...\n");
2763 if (restart_enforcerd() != 0)
2765 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
2775 printf(
"Old key retired\n");
2777 printf(
"Old key NOT retired\n");
2780 printf(
"Old key NOT retired\n");
2785 if (restart_enforcerd() != 0)
2787 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
2809 char* case_keytype = NULL;
2810 char* case_algorithm = NULL;
2811 char* case_state = NULL;
2816 int cka_id_exists = -1;
2817 int keytype_id = -1;
2824 DB_ID keypair_id = 0;
2833 FILE* lock_fd = NULL;
2843 printf(
"Error: please specify a CKA_ID with the --cka_id <CKA_ID>\n");
2847 printf(
"Error: please specify a repository with the --repository <repository>\n");
2851 printf(
"Error: please specify a zone with the --zone <zone>\n");
2855 printf(
"Error: please specify the number of bits with the --bits <size>\n");
2859 printf(
"Error: please specify the algorithm with the --algorithm <algorithm>\n");
2863 printf(
"Error: please specify the state with the --keystate <state>\n");
2867 printf(
"Error: please specify a keytype, KSK or ZSK, with the --keytype <type>\n");
2871 printf(
"Error: please specify the time of when the key entered the given state with the --time <time>\n");
2878 printf(
"Failed to connect to database\n");
2886 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
2898 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2910 if (cka_id_exists == 1) {
2911 printf(
"Error: key with CKA_ID \"%s\" already exists in database\n",
o_cka_id);
2919 if (strncmp(case_keytype,
"KSK", 3) == 0 || strncmp(
o_keytype,
"257", 3) == 0) {
2922 else if (strncmp(case_keytype,
"ZSK", 3) == 0 || strncmp(
o_keytype,
"256", 3) == 0) {
2926 printf(
"Error: Unrecognised keytype %s; should be one of KSK or ZSK\n",
o_keytype);
2938 printf(
"Error: Unable to convert bits \"%s\"; to an integer\n",
o_size);
2943 printf(
"Error: Bits \"%s\"; should be numeric only\n",
o_size);
2961 if (status != 0 || algo_id == 0 || hsm_supported_algorithm(algo_id) != 0) {
2962 printf(
"Error: Key algorithm %s not supported; try one of RSASHA1, RSASHA1-NSEC3-SHA1 or RSASHA256\n",
o_algo);
2970 if (strncmp(case_state,
"GENERATE", 8) == 0 || strncmp(
o_keystate,
"1", 1) == 0) {
2973 else if (strncmp(case_state,
"PUBLISH", 7) == 0 || strncmp(
o_keystate,
"2", 1) == 0) {
2976 else if (strncmp(case_state,
"READY", 5) == 0 || strncmp(
o_keystate,
"3", 1) == 0) {
2979 else if (strncmp(case_state,
"ACTIVE", 6) == 0 || strncmp(
o_keystate,
"4", 1) == 0) {
2982 else if (strncmp(case_state,
"RETIRE", 6) == 0 || strncmp(
o_keystate,
"5", 1) == 0) {
2986 printf(
"Error: Unrecognised state %s; should be one of GENERATE, PUBLISH, READY, ACTIVE or RETIRE\n",
o_keystate);
2997 printf(
"Error: unable to convert \"%s\" into a date\n",
o_time);
3004 snprintf(form_time,
KSM_TIME_LENGTH,
"%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d",
3005 datetime.tm_year + 1900, datetime.tm_mon + 1, datetime.tm_mday,
3006 datetime.tm_hour, datetime.tm_min, datetime.tm_sec);
3012 printf(
"Error: unable to specify retire time for a key in state \"%s\"\n",
o_keystate);
3019 printf(
"Error: unable to convert retire time \"%s\" into a date\n",
o_retire);
3026 snprintf(form_opt_time,
KSM_TIME_LENGTH,
"%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d",
3027 datetime.tm_year + 1900, datetime.tm_mon + 1, datetime.tm_mday,
3028 datetime.tm_hour, datetime.tm_min, datetime.tm_sec);
3032 form_opt_time[0] =
'\0';
3049 if (data.
value == 1) {
3050 printf(
"*WARNING* This zone shares keys with others, the key will be added to all; are you sure? [y/N] ");
3052 user_certain = getchar();
3053 if (user_certain !=
'y' && user_certain !=
'Y') {
3054 printf(
"Okay, quitting...\n");
3061 status =
KsmImportKeyPair(policy_id,
o_cka_id, repo_id, size_int, algo_id, state_id, form_time, fix_time, &keypair_id);
3063 printf(
"Error: couldn't import key\n");
3073 status =
KsmDnssecKeyCreate(zone_id, (
int) keypair_id, keytype_id, state_id, form_time, form_opt_time, &ignore);
3076 printf(
"Error: couldn't allocate key to zone(s)\n");
3081 printf(
"Key imported into zone(s)\n");
3097 FILE* lock_fd = NULL;
3100 char *dbschema = NULL;
3104 char *password = NULL;
3108 char* backup_filename = NULL;
3109 char* lock_filename;
3111 char *path = getenv(
"PWD");
3114 printf(
"Sorry, currently this utility can only backup a sqlite database file\n");
3119 status =
get_db_details(&dbschema, &host, &port, &user, &password);
3130 lock_filename = NULL;
3134 lock_fd = fopen(lock_filename,
"w");
3137 printf(
"Error getting db lock\n");
3138 if (lock_fd != NULL) {
3187 char* kasp_filename = NULL;
3188 char* zonelist_filename = NULL;
3189 char* backup_filename = NULL;
3192 FILE* lock_fd = NULL;
3201 int zone_count = -1;
3203 xmlDocPtr doc = NULL;
3206 printf(
"*WARNING* This feature is experimental and has not been fully tested; are you sure? [y/N] ");
3208 user_certain = getchar();
3209 if (user_certain !=
'y' && user_certain !=
'Y') {
3210 printf(
"Okay, quitting...\n");
3217 printf(
"Failed to read conf.xml\n");
3223 StrAppend(&backup_filename, kasp_filename);
3225 status =
backup_file(kasp_filename, backup_filename);
3234 if ((test = fopen(kasp_filename,
"ab"))==NULL) {
3235 printf(
"Cannot open kasp.xml for writing: %s\n", strerror(errno));
3244 printf(
"Failed to connect to database\n");
3261 if (policy == NULL) {
3262 printf(
"Malloc for policy struct failed\n");
3271 while (status == 0) {
3281 if (zone_count == 0) {
3282 printf(
"No zones on policy %s; purging...\n", policy->
name);
3284 size = snprintf(sql,
KSM_SQL_SIZE,
"update dnsseckeys set state = %d where keypair_id in (select id from keypairs where policy_id = %d)",
KSM_STATE_DEAD, policy->
id);
3288 printf(
"Couldn't construct SQL to kill orphaned keys\n");
3307 printf(
"Key purge failed for policy %s\n", policy->
name);
3314 sql2 =
DdsInit(
"parameters_policies");
3353 status = xmlSaveFormatFile(kasp_filename, doc, 1);
3356 printf(
"Could not save %s\n", kasp_filename);
3365 printf(
"Couldn't count zones on policy; quitting...\n");
3402 char* ods_control_cmd = NULL;
3403 char* ptr = command;
3408 *ptr = tolower((
int) *ptr);
3414 StrAppend(&ods_control_cmd, ODS_EN_CONTROL);
3417 status = system(ods_control_cmd);
3420 fprintf(stderr,
"Couldn't run %s\n", ods_control_cmd);
3436 char* case_command = NULL;
3437 char* case_verb = NULL;
3439 int option_index = 0;
3440 static struct option long_options[] =
3442 {
"all", no_argument, 0,
'a'},
3443 {
"bits", required_argument, 0,
'b'},
3444 {
"config", required_argument, 0,
'c'},
3445 {
"ds", no_argument, 0,
'd'},
3446 {
"keystate", required_argument, 0,
'e'},
3447 {
"no-retire", no_argument, 0,
'f'},
3448 {
"algorithm", required_argument, 0,
'g'},
3449 {
"help", no_argument, 0,
'h'},
3450 {
"input", required_argument, 0,
'i'},
3451 {
"cka_id", required_argument, 0,
'k'},
3452 {
"no-xml", no_argument, 0,
'm'},
3453 {
"interval", required_argument, 0,
'n'},
3454 {
"output", required_argument, 0,
'o'},
3455 {
"policy", required_argument, 0,
'p'},
3456 {
"repository", required_argument, 0,
'r'},
3457 {
"signerconf", required_argument, 0,
's'},
3458 {
"keytype", required_argument, 0,
't'},
3459 {
"time", required_argument, 0,
'w'},
3460 {
"verbose", no_argument, 0,
'v'},
3461 {
"version", no_argument, 0,
'V'},
3462 {
"keytag", required_argument, 0,
'x'},
3463 {
"retire", required_argument, 0,
'y'},
3464 {
"zone", required_argument, 0,
'z'},
3470 while ((ch = getopt_long(argc, argv,
"ab:c:de:fg:hi:k:n:o:p:r:s:t:vVw:x:y:z:", long_options, &option_index)) != -1) {
3528 printf(
"%s version %s\n", PACKAGE_NAME, PACKAGE_VERSION);
3583 if (!strncmp(case_command,
"SETUP", 5)) {
3587 }
else if (!strncmp(case_command,
"UPDATE", 6)) {
3591 }
else if (!strncmp(case_command,
"START", 5) ||
3592 !strncmp(case_command,
"STOP", 4) ||
3593 !strncmp(case_command,
"NOTIFY", 6)) {
3597 }
else if (!strncmp(case_command,
"ZONE", 4) && strlen(case_command) == 4) {
3602 if (!strncmp(case_verb,
"ADD", 3)) {
3604 }
else if (!strncmp(case_verb,
"DELETE", 6)) {
3606 }
else if (!strncmp(case_verb,
"LIST", 4)) {
3609 printf(
"Unknown command: zone %s\n", case_verb);
3613 }
else if (!strncmp(case_command,
"REPOSITORY", 10)) {
3617 if (!strncmp(case_verb,
"LIST", 4)) {
3620 printf(
"Unknown command: repository %s\n", case_verb);
3624 }
else if (!strncmp(case_command,
"POLICY", 6)) {
3628 if (!strncmp(case_verb,
"EXPORT", 6)) {
3630 }
else if (!strncmp(case_verb,
"IMPORT", 6)) {
3632 }
else if (!strncmp(case_verb,
"LIST", 4)) {
3634 }
else if (!strncmp(case_verb,
"PURGE", 5)) {
3637 printf(
"Unknown command: policy %s\n", case_verb);
3641 }
else if (!strncmp(case_command,
"KEY", 3)) {
3645 if (!strncmp(case_verb,
"LIST", 4)) {
3648 else if (!strncmp(case_verb,
"EXPORT", 6)) {
3651 else if (!strncmp(case_verb,
"IMPORT", 6)) {
3654 else if (!strncmp(case_verb,
"ROLLOVER", 8)) {
3663 printf(
"Please provide either a zone OR a policy to rollover\n");
3668 else if (!strncmp(case_verb,
"PURGE", 5)) {
3674 printf(
"Please provide either a zone OR a policy to key purge\n");
3679 else if (!strncmp(case_verb,
"GENERATE", 8)) {
3682 else if (!strncmp(case_verb,
"KSK-RETIRE", 10)) {
3685 else if (!strncmp(case_verb,
"DS-SEEN", 7)) {
3688 printf(
"Unknown command: key %s\n", case_verb);
3692 }
else if (!strncmp(case_command,
"BACKUP", 6)) {
3696 if (!strncmp(case_verb,
"DONE", 4) ||
3697 !strncmp(case_verb,
"PREPARE", 7) ||
3698 !strncmp(case_verb,
"COMMIT", 6) ||
3699 !strncmp(case_verb,
"ROLLBACK", 8)) {
3702 else if (!strncmp(case_verb,
"LIST", 4)) {
3705 printf(
"Unknown command: backup %s\n", case_verb);
3709 }
else if (!strncmp(case_command,
"ROLLOVER", 8)) {
3712 if (!strncmp(case_verb,
"LIST", 4)) {
3715 printf(
"Unknown command: rollover %s\n", case_verb);
3719 }
else if (!strncmp(case_command,
"DATABASE", 8)) {
3723 if (!strncmp(case_verb,
"BACKUP", 6)) {
3726 printf(
"Unknown command: database %s\n", case_verb);
3730 }
else if (!strncmp(case_command,
"ZONELIST", 8)) {
3734 if (!strncmp(case_verb,
"EXPORT", 6)) {
3737 else if (!strncmp(case_verb,
"IMPORT", 6)) {
3740 printf(
"Unknown command: zonelist %s\n", case_verb);
3745 printf(
"Unknown command: %s\n", argv[0]);
3757 xmlCleanupGlobals();
3758 xmlCleanupThreads();
3780 char *dbschema = NULL;
3784 char *password = NULL;
3788 char* backup_filename = NULL;
3789 char* lock_filename;
3792 status =
get_db_details(&dbschema, &host, &port, &user, &password);
3808 if (lock_fd != NULL) {
3809 lock_filename = NULL;
3813 *lock_fd = fopen(lock_filename,
"w");
3816 printf(
"Error getting db lock\n");
3817 if (*lock_fd != NULL) {
3840 if (lock_fd != NULL) {
3855 status =
DbConnect(dbhandle, dbschema, host, password, user, port);
3877 if (lock_fd != NULL) {
3880 printf(
"Error releasing db lock");
3901 if (lock_fd == NULL) {
3902 printf(
"%s could not be opened\n", lock_filename);
3906 memset(&fl, 0,
sizeof(
struct flock));
3907 fl.l_type = F_WRLCK;
3908 fl.l_whence = SEEK_SET;
3909 fl.l_pid = getpid();
3911 while (fcntl(fileno(lock_fd), F_SETLK, &fl) == -1) {
3912 if (errno == EACCES || errno == EAGAIN) {
3913 printf(
"%s already locked, sleep\n", lock_filename);
3918 select(0, NULL, NULL, NULL, &tv);
3921 printf(
"couldn't get lock on %s; %s\n", lock_filename, strerror(errno));
3934 if (lock_fd == NULL) {
3938 memset(&fl, 0,
sizeof(
struct flock));
3939 fl.l_type = F_UNLCK;
3940 fl.l_whence = SEEK_SET;
3942 if (fcntl(fileno(lock_fd), F_SETLK, &fl) == -1) {
3955 xmlTextReaderPtr reader = NULL;
3956 xmlDocPtr doc = NULL;
3957 xmlXPathContextPtr xpathCtx = NULL;
3958 xmlXPathObjectPtr xpathObj = NULL;
3960 char* tag_name = NULL;
3961 char* temp_char = NULL;
3963 xmlChar *zonelist_expr = (
unsigned char*)
"//Common/ZoneListFile";
3964 xmlChar *kaspfile_expr = (
unsigned char*)
"//Common/PolicyFile";
3967 reader = xmlNewTextReaderFilename(
config);
3968 if (reader != NULL) {
3969 ret = xmlTextReaderRead(reader);
3971 tag_name = (
char*) xmlTextReaderLocalName(reader);
3973 if (strncmp(tag_name,
"Common", 6) == 0
3974 && xmlTextReaderNodeType(reader) == 1) {
3977 xmlTextReaderExpand(reader);
3978 doc = xmlTextReaderCurrentDoc(reader);
3980 printf(
"Error: can not read Common section\n");
3982 ret = xmlTextReaderRead(reader);
3986 xpathCtx = xmlXPathNewContext(doc);
3987 if(xpathCtx == NULL) {
3988 printf(
"Error: can not create XPath context for Common section\n");
3990 ret = xmlTextReaderRead(reader);
3995 xpathObj = xmlXPathEvalExpression(zonelist_expr, xpathCtx);
3996 if(xpathObj == NULL) {
3997 printf(
"Error: unable to evaluate xpath expression: %s\n", zonelist_expr);
3999 ret = xmlTextReaderRead(reader);
4002 *zone_list_filename = NULL;
4003 temp_char = (
char*) xmlXPathCastToString(xpathObj);
4004 StrAppend(zone_list_filename, temp_char);
4006 xmlXPathFreeObject(xpathObj);
4007 printf(
"zonelist filename set to %s.\n", *zone_list_filename);
4010 xpathObj = xmlXPathEvalExpression(kaspfile_expr, xpathCtx);
4011 xmlXPathFreeContext(xpathCtx);
4012 if(xpathObj == NULL) {
4013 printf(
"Error: unable to evaluate xpath expression: %s\n", kaspfile_expr);
4015 ret = xmlTextReaderRead(reader);
4018 *kasp_filename = NULL;
4019 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
4023 temp_char = (
char*) xmlXPathCastToString(xpathObj);
4031 StrAppend(kasp_filename, OPENDNSSEC_CONFIG_DIR);
4034 printf(
"kasp filename set to %s.\n", *kasp_filename);
4036 xmlXPathFreeObject(xpathObj);
4039 ret = xmlTextReaderRead(reader);
4043 xmlFreeTextReader(reader);
4045 printf(
"%s : failed to parse\n",
config);
4049 printf(
"Unable to open %s\n",
config);
4066 xmlDocPtr doc = NULL;
4067 xmlXPathContextPtr xpathCtx = NULL;
4068 xmlXPathObjectPtr xpathObj = NULL;
4070 char* repo_name = NULL;
4071 char* repo_capacity = NULL;
4072 int require_backup = 0;
4075 xmlChar *node_expr = (
unsigned char*)
"//Configuration/RepositoryList/Repository";
4079 doc = xmlParseFile(
config);
4081 printf(
"Unable to open %s\n",
config);
4086 xpathCtx = xmlXPathNewContext(doc);
4087 if(xpathCtx == NULL) {
4093 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
4094 if(xpathObj == NULL) {
4095 xmlXPathFreeContext(xpathCtx);
4100 if (xpathObj->nodesetval) {
4101 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
4106 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
4107 repo_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i],
4108 (
const xmlChar *)
"name");
4110 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Capacity")) {
4111 repo_capacity = (
char *) xmlNodeGetContent(curNode);
4113 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"RequireBackup")) {
4117 curNode = curNode->next;
4120 if (strlen(repo_name) != 0) {
4122 printf(
"Repository %s found\n", repo_name);
4123 if (strlen(repo_capacity) == 0) {
4124 printf(
"No Maximum Capacity set.\n");
4130 printf(
"Capacity set to %s.\n", repo_capacity);
4136 if (require_backup == 0) {
4137 printf(
"RequireBackup NOT set; please make sure that you know the potential problems of using keys which are not recoverable\n");
4139 printf(
"RequireBackup set.\n");
4143 printf(
"Error Importing Repository %s", repo_name);
4147 printf(
"WARNING: Repository found with NULL name, skipping...\n");
4155 xmlXPathFreeObject(xpathObj);
4158 xmlXPathFreeContext(xpathCtx);
4173 char *policy_name = NULL;
4174 char *policy_description = NULL;
4177 xmlDocPtr doc = NULL;
4178 xmlDocPtr pol_doc = NULL;
4179 xmlDocPtr rngdoc = NULL;
4182 xmlNode *childNode2;
4183 xmlNode *childNode3;
4184 xmlChar *opt_out_flag = (xmlChar *)
"N";
4185 xmlChar *share_keys_flag = (xmlChar *)
"N";
4186 xmlChar *man_roll_flag = (xmlChar *)
"N";
4187 xmlChar *rfc5011_flag = (xmlChar *)
"N";
4188 int standby_keys_flag = 0;
4189 xmlXPathContextPtr xpathCtx = NULL;
4190 xmlXPathObjectPtr xpathObj = NULL;
4191 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
4192 xmlRelaxNGValidCtxtPtr rngctx = NULL;
4193 xmlRelaxNGPtr schema = NULL;
4196 xmlChar *node_expr = (
unsigned char*)
"//Policy";
4200 int audit_found = 0;
4205 const char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/kasp.rng";
4206 char* kaspcheck_cmd = NULL;
4207 char* kaspcheck_cmd_version = NULL;
4209 StrAppend(&kaspcheck_cmd, ODS_AU_KASPCHECK);
4213 StrAppend(&kaspcheck_cmd_version, ODS_AU_KASPCHECK);
4214 StrAppend(&kaspcheck_cmd_version,
" -v > /dev/null");
4217 status = system(kaspcheck_cmd_version);
4220 status = system(kaspcheck_cmd);
4223 fprintf(stderr,
"ods-kaspcheck returned an error, please check your policy\n");
4225 StrFree(kaspcheck_cmd_version);
4231 fprintf(stderr,
"Couldn't run ods-kaspcheck (Auditor is not installed), will carry on\n");
4235 StrFree(kaspcheck_cmd_version);
4238 doc = xmlParseFile(kasp_filename);
4240 printf(
"Error: unable to parse file \"%s\"\n", kasp_filename);
4245 rngdoc = xmlParseFile(rngfilename);
4246 if (rngdoc == NULL) {
4247 printf(
"Error: unable to parse file \"%s\"\n", rngfilename);
4252 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
4253 if (rngpctx == NULL) {
4254 printf(
"Error: unable to create XML RelaxNGs parser context\n");
4259 schema = xmlRelaxNGParse(rngpctx);
4260 if (schema == NULL) {
4261 printf(
"Error: unable to parse a schema definition resource\n");
4266 rngctx = xmlRelaxNGNewValidCtxt(schema);
4267 if (rngctx == NULL) {
4268 printf(
"Error: unable to create RelaxNGs validation context based on the schema\n");
4273 status = xmlRelaxNGValidateDoc(rngctx,doc);
4275 printf(
"Error validating file \"%s\"\n", kasp_filename);
4281 if (policy == NULL) {
4282 printf(
"Malloc for policy struct failed");
4287 xpathCtx = xmlXPathNewContext(doc);
4288 if(xpathCtx == NULL) {
4295 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
4296 if(xpathObj == NULL) {
4297 xmlXPathFreeContext(xpathCtx);
4303 if (xpathObj->nodesetval) {
4304 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
4306 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
4307 policy_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
4308 if (strlen(policy_name) == 0) {
4310 printf(
"Error extracting policy name from %s\n", kasp_filename);
4315 printf(
"Policy %s found\n", policy_name);
4317 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Description")) {
4318 policy_description = (
char *) xmlNodeGetContent(curNode);
4328 printf(
"Error: unable to read policy %s; skipping\n", policy_name);
4329 curNode = curNode->next;
4338 printf(
"Error: unable to insert policy %s; skipping\n", policy_name);
4345 printf(
"Error: unable to get policy id for %s; skipping\n", policy_name);
4351 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Signatures")) {
4352 childNode = curNode->children;
4354 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Resign")) {
4357 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Refresh")) {
4360 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Validity")) {
4361 childNode2 = childNode->children;
4363 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Default")) {
4366 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Denial")) {
4369 childNode2 = childNode2->next;
4372 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Jitter")) {
4375 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"InceptionOffset")) {
4378 childNode = childNode->next;
4381 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Denial")) {
4382 opt_out_flag = (xmlChar *)
"N";
4383 childNode = curNode->children;
4385 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC3")) {
4389 printf(
"Error: unable to insert/update %s for policy\n",
"Denial version");
4391 childNode2 = childNode->children;
4393 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"OptOut")) {
4394 opt_out_flag = (xmlChar *)
"Y";
4396 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Resalt")) {
4399 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Hash")) {
4400 childNode3 = childNode2->children;
4402 if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Algorithm")) {
4405 else if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Iterations")) {
4408 else if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Salt")) {
4411 childNode3 = childNode3->next;
4415 childNode2 = childNode2->next;
4420 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC")) {
4423 printf(
"Error: unable to insert/update %s for policy\n",
"Denial version");
4426 childNode = childNode->next;
4429 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Keys")) {
4430 share_keys_flag = (xmlChar *)
"N";
4431 childNode = curNode->children;
4433 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"TTL")) {
4436 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"RetireSafety")) {
4439 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PublishSafety")) {
4442 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ShareKeys")) {
4443 share_keys_flag = (xmlChar *)
"Y";
4445 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Purge")) {
4449 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"KSK")) {
4450 man_roll_flag = (xmlChar *)
"N";
4451 rfc5011_flag = (xmlChar *)
"N";
4452 childNode2 = childNode->children;
4454 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
4459 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
4462 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
4464 printf(
"Please either add the repository to conf.xml or remove the reference to it from kasp.xml\n");
4466 xmlFreeDoc(pol_doc);
4467 xmlXPathFreeContext(xpathCtx);
4468 xmlRelaxNGFree(schema);
4469 xmlRelaxNGFreeValidCtxt(rngctx);
4470 xmlRelaxNGFreeParserCtxt(rngpctx);
4478 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Standby")) {
4480 standby_keys_flag = 1;
4482 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"ManualRollover")) {
4483 man_roll_flag = (xmlChar *)
"Y";
4485 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"RFC5011")) {
4486 rfc5011_flag = (xmlChar *)
"Y";
4491 childNode2 = childNode2->next;
4496 if (standby_keys_flag == 0) {
4499 standby_keys_flag = 0;
4503 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ZSK")) {
4504 man_roll_flag = (xmlChar *)
"N";
4505 childNode2 = childNode->children;
4507 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
4512 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
4515 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
4517 printf(
"Please either add the repository to conf.xml or remove the reference to it from kasp.xml\n");
4519 xmlFreeDoc(pol_doc);
4520 xmlXPathFreeContext(xpathCtx);
4521 xmlRelaxNGFree(schema);
4522 xmlRelaxNGFreeValidCtxt(rngctx);
4523 xmlRelaxNGFreeParserCtxt(rngpctx);
4531 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Standby")) {
4533 standby_keys_flag = 1;
4535 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"ManualRollover")) {
4536 man_roll_flag = (xmlChar *)
"Y";
4538 childNode2 = childNode2->next;
4544 childNode = childNode->next;
4548 if (standby_keys_flag == 0) {
4551 standby_keys_flag = 0;
4556 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Zone")) {
4557 childNode = curNode->children;
4559 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PropagationDelay")) {
4562 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"SOA")) {
4563 childNode2 = childNode->children;
4565 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
4568 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Minimum")) {
4571 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Serial")) {
4574 childNode2 = childNode2->next;
4577 childNode = childNode->next;
4581 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Parent")) {
4582 childNode = curNode->children;
4584 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PropagationDelay")) {
4587 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"DS")) {
4588 childNode2 = childNode->children;
4590 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
4593 childNode2 = childNode2->next;
4596 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"SOA")) {
4597 childNode2 = childNode->children;
4599 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
4602 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Minimum")) {
4605 childNode2 = childNode2->next;
4608 childNode = childNode->next;
4612 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Audit")) {
4614 childNode = curNode->children;
4616 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Partial")) {
4619 childNode = childNode->next;
4623 printf(
"Error: unable to insert Audit info for policy %s\n", policy->
name);
4627 curNode = curNode->next;
4630 if (audit_found == 0) {
4642 xmlXPathFreeContext(xpathCtx);
4643 xmlRelaxNGFree(schema);
4644 xmlRelaxNGFreeValidCtxt(rngctx);
4645 xmlRelaxNGFreeParserCtxt(rngpctx);
4657 xmlTextReaderPtr reader = NULL;
4658 xmlDocPtr doc = NULL;
4659 xmlXPathContextPtr xpathCtx = NULL;
4660 xmlXPathObjectPtr xpathObj = NULL;
4662 char* zone_name = NULL;
4663 char* policy_name = NULL;
4664 char* current_policy = NULL;
4665 char* current_signconf = NULL;
4666 char* current_input = NULL;
4667 char* current_output = NULL;
4668 char* temp_char = NULL;
4669 char* tag_name = NULL;
4672 int file_zone_count = 0;
4673 int db_zone_count = 0;
4687 xmlChar *name_expr = (
unsigned char*)
"name";
4688 xmlChar *policy_expr = (
unsigned char*)
"//Zone/Policy";
4689 xmlChar *signconf_expr = (
unsigned char*)
"//Zone/SignerConfiguration";
4690 xmlChar *input_expr = (
unsigned char*)
"//Zone/Adapters/Input/File";
4691 xmlChar *output_expr = (
unsigned char*)
"//Zone/Adapters/Output/File";
4695 reader = xmlNewTextReaderFilename(zone_list_filename);
4696 if (reader != NULL) {
4697 ret = xmlTextReaderRead(reader);
4699 tag_name = (
char*) xmlTextReaderLocalName(reader);
4701 if (strncmp(tag_name,
"Zone", 4) == 0
4702 && strncmp(tag_name,
"ZoneList", 8) != 0
4703 && xmlTextReaderNodeType(reader) == 1) {
4707 ret = xmlTextReaderRead(reader);
4710 xmlFreeTextReader(reader);
4712 printf(
"%s : failed to parse\n", zone_list_filename);
4715 printf(
"Unable to open %s\n", zone_list_filename);
4719 zone_ids =
MemMalloc(file_zone_count *
sizeof(
int));
4722 reader = xmlNewTextReaderFilename(zone_list_filename);
4723 if (reader != NULL) {
4724 ret = xmlTextReaderRead(reader);
4726 tag_name = (
char*) xmlTextReaderLocalName(reader);
4728 if (strncmp(tag_name,
"Zone", 4) == 0
4729 && strncmp(tag_name,
"ZoneList", 8) != 0
4730 && xmlTextReaderNodeType(reader) == 1) {
4733 temp_char = (
char*) xmlTextReaderGetAttribute(reader, name_expr);
4747 if (zone_name == NULL) {
4749 printf(
"Error extracting zone name from %s\n", zone_list_filename);
4751 ret = xmlTextReaderRead(reader);
4755 printf(
"Zone %s found\n", zone_name);
4758 xmlTextReaderExpand(reader);
4759 doc = xmlTextReaderCurrentDoc(reader);
4761 printf(
"Error: can not read zone \"%s\"; skipping\n", zone_name);
4763 ret = xmlTextReaderRead(reader);
4767 xpathCtx = xmlXPathNewContext(doc);
4768 if(xpathCtx == NULL) {
4769 printf(
"Error: can not create XPath context for \"%s\"; skipping zone\n", zone_name);
4771 ret = xmlTextReaderRead(reader);
4777 xpathObj = xmlXPathEvalExpression(policy_expr, xpathCtx);
4778 if(xpathObj == NULL) {
4779 printf(
"Error: unable to evaluate xpath expression: %s; skipping zone\n", policy_expr);
4781 ret = xmlTextReaderRead(reader);
4785 current_policy = NULL;
4786 temp_char = (
char *)xmlXPathCastToString(xpathObj);
4789 printf(
"Policy set to %s.\n", current_policy);
4790 xmlXPathFreeObject(xpathObj);
4793 if (policy_name == NULL || strcmp(current_policy, policy_name) != 0) {
4795 StrAppend(&policy_name, current_policy);
4799 printf(
"Error, can't find policy : %s\n", policy_name);
4801 ret = xmlTextReaderRead(reader);
4808 xpathObj = xmlXPathEvalExpression(signconf_expr, xpathCtx);
4809 if(xpathObj == NULL) {
4810 printf(
"Error: unable to evaluate xpath expression: %s; skipping zone\n", signconf_expr);
4812 ret = xmlTextReaderRead(reader);
4816 current_signconf = NULL;
4817 temp_char = (
char *)xmlXPathCastToString(xpathObj);
4818 StrAppend(¤t_signconf, temp_char);
4820 xmlXPathFreeObject(xpathObj);
4824 xpathObj = xmlXPathEvalExpression(input_expr, xpathCtx);
4825 if(xpathObj == NULL) {
4826 printf(
"Error: unable to evaluate xpath expression: %s; skipping zone\n", input_expr);
4828 ret = xmlTextReaderRead(reader);
4832 current_input = NULL;
4833 temp_char = (
char *)xmlXPathCastToString(xpathObj);
4836 xmlXPathFreeObject(xpathObj);
4840 xpathObj = xmlXPathEvalExpression(output_expr, xpathCtx);
4841 xmlXPathFreeContext(xpathCtx);
4842 if(xpathObj == NULL) {
4843 printf(
"Error: unable to evaluate xpath expression: %s; skipping zone\n", output_expr);
4845 ret = xmlTextReaderRead(reader);
4849 current_output = NULL;
4850 temp_char = (
char *)xmlXPathCastToString(xpathObj);
4853 xmlXPathFreeObject(xpathObj);
4858 status =
KsmImportZone(zone_name, policy_id, 0, &new_zone, current_signconf, current_input, current_output);
4861 printf(
"Error Importing zone %s; it already exists both with and without a trailing dot\n", zone_name);
4863 printf(
"Error Importing Zone %s\n", zone_name);
4866 ret = xmlTextReaderRead(reader);
4871 if (new_zone == 1) {
4872 printf(
"Added zone %s to database\n", zone_name);
4886 printf(
"Error: unable to find a zone named \"%s\" in database\n", zone_name);
4887 printf(
"Error: Possibly two domains differ only by having a trailing dot or not?\n");
4893 zone_ids[i] = temp_id;
4906 ret = xmlTextReaderRead(reader);
4909 xmlFreeTextReader(reader);
4911 printf(
"%s : failed to parse\n", zone_list_filename);
4914 printf(
"Unable to open %s\n", zone_list_filename);
4930 if (file_zone_count == db_zone_count) {
4935 else if (file_zone_count > db_zone_count) {
4936 printf(
"Failed to add all zones from zonelist\n");
4952 while (status == 0) {
4953 DbInt(row, 0, &temp_id);
4955 DbInt(row, 2, &policy_id);
4958 for (i = 0; i < db_zone_count; ++i) {
4959 if (temp_id == zone_ids[i]) {
4965 if (seen_zone == 0) {
4968 printf(
"Removing zone %s from database\n", zone_name);
4970 status =
KsmParameterInit(&result2,
"zones_share_keys",
"keys", policy_id);
4994 if ((shared.
value == 1 && temp_count == 1) || shared.
value == 0) {
4997 printf(
"Error: failed to mark keys as dead in database\n");
5031 int SetParamOnPolicy(
const xmlChar* new_value,
const char* name,
const char* category,
int current_value,
int policy_id,
int value_type)
5035 char* temp_char = (
char *)new_value;
5039 if (strlen(temp_char) != 0) {
5042 printf(
"Error: unable to convert interval %s to seconds, error: %i\n", temp_char, status);
5046 else if (status == -1) {
5047 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n", temp_char);
5056 if (strncmp(temp_char,
"Y", 1) == 0) {
5066 printf(
"Error: unable to find repository %s\n", temp_char);
5076 printf(
"Error: unable to find serial type %s\n", temp_char);
5086 printf(
"Error: unable to find rollover scheme %s\n", temp_char);
5095 printf(
"Error: unable to convert %s to int\n", temp_char);
5105 if (value != current_value || current_value == 0) {
5108 printf(
"Error: unable to insert/update %s for policy\n", name);
5109 printf(
"Error: Is your database schema up to date?\n");
5115 if (strncmp(name,
"saltlength", 10) == 0) {
5118 printf(
"Error: unable to insert/update %s for policy\n", name);
5119 printf(
"Error: Is your database schema up to date?\n");
5130 if (policy == NULL) {
5131 printf(
"Error, no policy provided");
5168 policy->
ksk->
sm = 0;
5180 policy->
zsk->
sm = 0;
5217 if((from = fopen( orig_file,
"rb"))==NULL) {
5218 if (errno == ENOENT) {
5219 printf(
"File %s does not exist, nothing to backup\n", orig_file);
5223 printf(
"Cannot open source file.\n");
5229 if((to = fopen(backup_file,
"wb"))==NULL) {
5230 printf(
"Cannot open destination file, will not make backup.\n");
5236 while(!feof(from)) {
5239 printf(
"Error reading source file.\n");
5244 if(!feof(from)) fputc(ch, to);
5246 printf(
"Error writing destination file.\n");
5253 if(fclose(from)==EOF) {
5254 printf(
"Error closing source file.\n");
5259 if(fclose(to)==EOF) {
5260 printf(
"Error closing destination file.\n");
5278 get_db_details(
char** dbschema,
char** host,
char** port,
char** user,
char** password)
5283 xmlXPathContextPtr xpathCtx;
5284 xmlXPathObjectPtr xpathObj;
5285 xmlRelaxNGParserCtxtPtr rngpctx;
5286 xmlRelaxNGValidCtxtPtr rngctx;
5287 xmlRelaxNGPtr schema;
5288 xmlChar *litexpr = (
unsigned char*)
"//Configuration/Enforcer/Datastore/SQLite";
5289 xmlChar *mysql_host = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Host";
5290 xmlChar *mysql_port = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Host/@port";
5291 xmlChar *mysql_db = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Database";
5292 xmlChar *mysql_user = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Username";
5293 xmlChar *mysql_pass = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Password";
5297 char* temp_char = NULL;
5300 const char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/conf.rng";
5303 doc = xmlParseFile(
config);
5305 printf(
"Error: unable to parse file \"%s\"\n",
config);
5310 rngdoc = xmlParseFile(rngfilename);
5311 if (rngdoc == NULL) {
5312 printf(
"Error: unable to parse file \"%s\"\n", rngfilename);
5318 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
5320 if (rngpctx == NULL) {
5321 printf(
"Error: unable to create XML RelaxNGs parser context\n");
5327 schema = xmlRelaxNGParse(rngpctx);
5328 xmlRelaxNGFreeParserCtxt(rngpctx);
5329 if (schema == NULL) {
5330 printf(
"Error: unable to parse a schema definition resource\n");
5336 rngctx = xmlRelaxNGNewValidCtxt(schema);
5337 if (rngctx == NULL) {
5338 printf(
"Error: unable to create RelaxNGs validation context based on the schema\n");
5339 xmlRelaxNGFree(schema);
5345 status = xmlRelaxNGValidateDoc(rngctx,doc);
5346 xmlRelaxNGFreeValidCtxt(rngctx);
5347 xmlRelaxNGFree(schema);
5349 printf(
"Error validating file \"%s\"\n",
config);
5356 xpathCtx = xmlXPathNewContext(doc);
5357 if(xpathCtx == NULL) {
5358 printf(
"Error: unable to create new XPath context\n");
5364 xpathObj = xmlXPathEvalExpression(litexpr, xpathCtx);
5365 if(xpathObj == NULL) {
5366 printf(
"Error: unable to evaluate xpath expression: %s\n", litexpr);
5367 xmlXPathFreeContext(xpathCtx);
5371 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5373 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5377 fprintf(stderr,
"SQLite database set to: %s\n", *dbschema);
5380 xmlXPathFreeObject(xpathObj);
5382 if (db_found == 0) {
5387 xpathObj = xmlXPathEvalExpression(mysql_host, xpathCtx);
5388 if(xpathObj == NULL) {
5389 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_host);
5390 xmlXPathFreeContext(xpathCtx);
5394 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5395 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5399 fprintf(stderr,
"MySQL database host set to: %s\n", *host);
5402 xmlXPathFreeObject(xpathObj);
5405 xpathObj = xmlXPathEvalExpression(mysql_port, xpathCtx);
5406 if(xpathObj == NULL) {
5407 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_port);
5408 xmlXPathFreeContext(xpathCtx);
5412 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5413 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5417 fprintf(stderr,
"MySQL database port set to: %s\n", *port);
5420 xmlXPathFreeObject(xpathObj);
5423 xpathObj = xmlXPathEvalExpression(mysql_db, xpathCtx);
5424 if(xpathObj == NULL) {
5425 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_db);
5426 xmlXPathFreeContext(xpathCtx);
5430 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5431 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5435 fprintf(stderr,
"MySQL database schema set to: %s\n", *dbschema);
5440 xmlXPathFreeObject(xpathObj);
5443 xpathObj = xmlXPathEvalExpression(mysql_user, xpathCtx);
5444 if(xpathObj == NULL) {
5445 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_user);
5446 xmlXPathFreeContext(xpathCtx);
5450 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5451 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5455 fprintf(stderr,
"MySQL database user set to: %s\n", *user);
5460 xmlXPathFreeObject(xpathObj);
5463 xpathObj = xmlXPathEvalExpression(mysql_pass, xpathCtx);
5464 if(xpathObj == NULL) {
5465 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_pass);
5466 xmlXPathFreeContext(xpathCtx);
5471 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5474 xmlXPathFreeObject(xpathObj);
5477 fprintf(stderr,
"MySQL database password set\n");
5482 xmlXPathFreeContext(xpathCtx);
5487 printf(
"Error: unable to find complete database connection expression\n");
5493 printf(
"Error: database in config file does not match libksm\n");
5507 xmlTextReaderPtr reader = NULL;
5508 xmlDocPtr doc = NULL;
5509 xmlXPathContextPtr xpathCtx = NULL;
5510 xmlXPathObjectPtr xpathObj = NULL;
5512 char* temp_char = NULL;
5513 char* tag_name = NULL;
5515 xmlChar *zonelist_expr = (
unsigned char*)
"//Common/ZoneListFile";
5518 reader = xmlNewTextReaderFilename(
config);
5519 if (reader != NULL) {
5520 ret = xmlTextReaderRead(reader);
5522 tag_name = (
char*) xmlTextReaderLocalName(reader);
5524 if (strncmp(tag_name,
"Common", 6) == 0
5525 && xmlTextReaderNodeType(reader) == 1) {
5528 xmlTextReaderExpand(reader);
5529 doc = xmlTextReaderCurrentDoc(reader);
5531 printf(
"Error: can not read Common section\n");
5533 ret = xmlTextReaderRead(reader);
5537 xpathCtx = xmlXPathNewContext(doc);
5538 if(xpathCtx == NULL) {
5539 printf(
"Error: can not create XPath context for Common section\n");
5541 ret = xmlTextReaderRead(reader);
5546 xpathObj = xmlXPathEvalExpression(zonelist_expr, xpathCtx);
5547 if(xpathObj == NULL) {
5548 printf(
"Error: unable to evaluate xpath expression: %s\n", zonelist_expr);
5550 ret = xmlTextReaderRead(reader);
5553 *zone_list_filename = NULL;
5554 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5555 xmlXPathFreeObject(xpathObj);
5556 StrAppend(zone_list_filename, temp_char);
5558 printf(
"zonelist filename set to %s.\n", *zone_list_filename);
5561 ret = xmlTextReaderRead(reader);
5564 xmlFreeTextReader(reader);
5566 printf(
"%s : failed to parse\n",
config);
5570 printf(
"Unable to open %s\n",
config);
5574 xmlXPathFreeContext(xpathCtx);
5584 const char *zone_name,
5585 const char *policy_name,
5586 const char *sig_conf_name,
5587 const char *input_name,
5588 const char *output_name)
5592 xmlNodePtr newzonenode;
5593 xmlNodePtr newadaptnode;
5594 xmlNodePtr newinputnode;
5595 xmlNodePtr newoutputnode;
5596 doc = xmlParseFile(docname);
5598 fprintf(stderr,
"Document not parsed successfully. \n");
5601 cur = xmlDocGetRootElement(doc);
5603 fprintf(stderr,
"empty document\n");
5607 if (xmlStrcmp(cur->name, (
const xmlChar *)
"ZoneList")) {
5608 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
5612 newzonenode = xmlNewTextChild(cur, NULL, (
const xmlChar *)
"Zone", NULL);
5613 (void) xmlNewProp(newzonenode, (
const xmlChar *)
"name", (
const xmlChar *)zone_name);
5615 (void) xmlNewTextChild (newzonenode, NULL, (
const xmlChar *)
"Policy", (
const xmlChar *)policy_name);
5617 (void) xmlNewTextChild (newzonenode, NULL, (
const xmlChar *)
"SignerConfiguration", (
const xmlChar *)sig_conf_name);
5619 newadaptnode = xmlNewChild (newzonenode, NULL, (
const xmlChar *)
"Adapters", NULL);
5621 newinputnode = xmlNewChild (newadaptnode, NULL, (
const xmlChar *)
"Input", NULL);
5623 (void) xmlNewTextChild (newinputnode, NULL, (
const xmlChar *)
"File", (
const xmlChar *)input_name);
5625 newoutputnode = xmlNewChild (newadaptnode, NULL, (
const xmlChar *)
"Output", NULL);
5627 (void) xmlNewTextChild (newoutputnode, NULL, (
const xmlChar *)
"File", (
const xmlChar *)output_name);
5633 const char *zone_name)
5639 doc = xmlParseFile(docname);
5641 fprintf(stderr,
"Document not parsed successfully. \n");
5644 root = xmlDocGetRootElement(doc);
5646 fprintf(stderr,
"empty document\n");
5650 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
5651 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
5657 if (all_flag == 1) {
5658 cur = root->children;
5664 cur = root->children;
5670 for(cur = root->children; cur != NULL; cur = cur->next)
5673 if (xmlStrcmp( xmlGetProp(cur, (xmlChar *)
"name"), (
const xmlChar *) zone_name) == 0)
5677 cur = root->children;
5692 xmlChar *polChar = NULL;
5693 xmlChar *propChar = NULL;
5699 doc = xmlParseFile(docname);
5701 fprintf(stderr,
"Document not parsed successfully. \n");
5704 root = xmlDocGetRootElement(doc);
5706 fprintf(stderr,
"empty document\n");
5710 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
5711 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
5717 for(cur = root->children; cur != NULL; cur = cur->next)
5719 if (xmlStrcmp( cur->name, (
const xmlChar *)
"Zone") == 0) {
5720 propChar = xmlGetProp(cur, (xmlChar *)
"name");
5721 printf(
"Found Zone: %s", propChar);
5727 printf(
" (zone not in database)");
5730 zone_ids[i] = temp_id;
5735 for(pol = cur->children; pol != NULL; pol = pol->next)
5737 if (xmlStrcmp( pol->name, (
const xmlChar *)
"Policy") == 0)
5739 polChar = xmlNodeGetContent(pol);
5740 printf(
"; on policy %s\n", polChar);
5759 xmlNodePtr policy_node;
5760 xmlNodePtr signatures_node;
5761 xmlNodePtr validity_node;
5762 xmlNodePtr denial_node;
5763 xmlNodePtr nsec_node;
5764 xmlNodePtr hash_node;
5765 xmlNodePtr salt_node;
5766 xmlNodePtr keys_node;
5767 xmlNodePtr ksk_node;
5768 xmlNodePtr ksk_alg_node;
5769 xmlNodePtr zsk_node;
5770 xmlNodePtr zsk_alg_node;
5771 xmlNodePtr zone_node;
5772 xmlNodePtr zone_soa_node;
5773 xmlNodePtr parent_node;
5774 xmlNodePtr parent_ds_node;
5775 xmlNodePtr parent_soa_node;
5779 root = xmlDocGetRootElement(doc);
5781 fprintf(stderr,
"empty document\n");
5784 if (xmlStrcmp(root->name, (
const xmlChar *)
"KASP")) {
5785 fprintf(stderr,
"document of the wrong type, root node != %s",
"KASP");
5789 policy_node = xmlNewTextChild(root, NULL, (
const xmlChar *)
"Policy", NULL);
5790 (void) xmlNewProp(policy_node, (
const xmlChar *)
"name", (
const xmlChar *)policy->
name);
5791 (void) xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Description", (
const xmlChar *)policy->
description);
5794 signatures_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Signatures", NULL);
5796 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Resign", (
const xmlChar *)temp_time);
5798 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Refresh", (
const xmlChar *)temp_time);
5799 validity_node = xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Validity", NULL);
5801 (void) xmlNewTextChild(validity_node, NULL, (
const xmlChar *)
"Default", (
const xmlChar *)temp_time);
5803 (void) xmlNewTextChild(validity_node, NULL, (
const xmlChar *)
"Denial", (
const xmlChar *)temp_time);
5804 snprintf(temp_time, 32,
"PT%dS", policy->
signer->
jitter);
5805 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Jitter", (
const xmlChar *)temp_time);
5807 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"InceptionOffset", (
const xmlChar *)temp_time);
5810 denial_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Denial", NULL);
5813 (void) xmlNewTextChild(denial_node, NULL, (
const xmlChar *)
"NSEC", NULL);
5817 nsec_node = xmlNewTextChild(denial_node, NULL, (
const xmlChar *)
"NSEC3", NULL);
5820 (void) xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"OptOut", NULL);
5822 snprintf(temp_time, 32,
"PT%dS", policy->
denial->
resalt);
5823 (void) xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"Resalt", (
const xmlChar *)temp_time);
5824 hash_node = xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"Hash", NULL);
5826 (void) xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
5828 (void) xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Iteration", (
const xmlChar *)temp_time);
5830 salt_node = xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Salt", NULL);
5831 (void) xmlNewProp(salt_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
5835 keys_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Keys", NULL);
5836 snprintf(temp_time, 32,
"PT%dS", policy->
keys->
ttl);
5837 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
5839 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"RetireSafety", (
const xmlChar *)temp_time);
5841 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"PublishSafety", (
const xmlChar *)temp_time);
5844 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"ShareKeys", NULL);
5847 snprintf(temp_time, 32,
"PT%dS", policy->
keys->
purge);
5848 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"Purge", (
const xmlChar *)temp_time);
5852 ksk_node = xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"KSK", NULL);
5854 ksk_alg_node = xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
5855 snprintf(temp_time, 32,
"%d", policy->
ksk->
bits);
5856 (void) xmlNewProp(ksk_alg_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
5857 snprintf(temp_time, 32,
"PT%dS", policy->
ksk->
lifetime);
5858 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Lifetime", (
const xmlChar *)temp_time);
5859 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Repository", (
const xmlChar *)policy->
ksk->
sm_name);
5861 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Standby", (
const xmlChar *)temp_time);
5864 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"ManualRollover", NULL);
5868 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"RFC5011", NULL);
5876 zsk_node = xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"ZSK", NULL);
5878 zsk_alg_node = xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
5879 snprintf(temp_time, 32,
"%d", policy->
zsk->
bits);
5880 (void) xmlNewProp(zsk_alg_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
5881 snprintf(temp_time, 32,
"PT%dS", policy->
zsk->
lifetime);
5882 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Lifetime", (
const xmlChar *)temp_time);
5883 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Repository", (
const xmlChar *)policy->
zsk->
sm_name);
5885 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Standby", (
const xmlChar *)temp_time);
5888 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"ManualRollover", NULL);
5892 zone_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Zone", NULL);
5894 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"PropagationDelay", (
const xmlChar *)temp_time);
5895 zone_soa_node = xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"SOA", NULL);
5896 snprintf(temp_time, 32,
"PT%dS", policy->
zone->
soa_ttl);
5897 (void) xmlNewTextChild(zone_soa_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
5898 snprintf(temp_time, 32,
"PT%dS", policy->
zone->
soa_min);
5899 (void) xmlNewTextChild(zone_soa_node, NULL, (
const xmlChar *)
"Minimum", (
const xmlChar *)temp_time);
5903 parent_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Parent", NULL);
5905 (void) xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"PropagationDelay", (
const xmlChar *)temp_time);
5906 parent_ds_node = xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"DS", NULL);
5907 snprintf(temp_time, 32,
"PT%dS", policy->
parent->
ds_ttl);
5908 (void) xmlNewTextChild(parent_ds_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
5909 parent_soa_node = xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"SOA", NULL);
5911 (void) xmlNewTextChild(parent_soa_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
5913 (void) xmlNewTextChild(parent_soa_node, NULL, (
const xmlChar *)
"Minimum", (
const xmlChar *)temp_time);
5916 if (strncmp(policy->
audit,
"NULL", 4) != 0) {
5917 (void) xmlNewChild(policy_node, NULL, (
const xmlChar *)
"Audit", NULL);
5927 const char *policy_name)
5933 doc = xmlParseFile(docname);
5935 fprintf(stderr,
"Document not parsed successfully. \n");
5938 root = xmlDocGetRootElement(doc);
5940 fprintf(stderr,
"empty document\n");
5944 if (xmlStrcmp(root->name, (
const xmlChar *)
"KASP")) {
5945 fprintf(stderr,
"document of the wrong type, root node != %s",
"KASP");
5952 for(cur = root->children; cur != NULL; cur = cur->next)
5955 if (xmlStrcmp( xmlGetProp(cur, (xmlChar *)
"name"), (
const xmlChar *) policy_name) == 0)
5959 cur = root->children;
5975 fprintf(stdout,
"KSK:");
5979 fprintf(stdout,
"ZSK:");
5981 fprintf(stdout,
" %s Retired\n", key_data->
location);
5993 fprintf(stderr,
"%s\n", format);
6020 char* temp_zone = NULL;
6023 char* temp_ready = NULL;
6024 char* temp_active = NULL;
6025 char* temp_retire = NULL;
6026 char* temp_dead = NULL;
6027 char* temp_loc = NULL;
6028 char* temp_hsm = NULL;
6032 hsm_key_t *key = NULL;
6033 ldns_rr *dnskey_rr = NULL;
6034 hsm_sign_params_t *sign_params = NULL;
6038 status = hsm_open(
config, hsm_prompt_pin, NULL);
6040 hsm_print_error(NULL);
6046 StrAppend(&sql,
"select z.name, k.keytype, k.state, k.ready, k.active, k.retire, k.dead, k.location, s.name, k.algorithm from securitymodules s, zones z, KEYDATA_VIEW k where z.id = k.zone_id and s.id = k.securitymodule_id and state != 6 and zone_id is not null ");
6047 if (zone_id != -1) {
6060 if (verbose_flag == 1) {
6061 printf(
"Zone: Keytype: State: Date of next transition: CKA_ID: Repository: Keytag:\n");
6064 printf(
"Zone: Keytype: State: Date of next transition:\n");
6066 while (status == 0) {
6069 DbInt(row, 1, &temp_type);
6070 DbInt(row, 2, &temp_state);
6077 DbInt(row, 9, &temp_alg);
6089 printf(
"%-31s %-13s %-9s %-26s", temp_zone, (temp_type ==
KSM_TYPE_KSK) ?
"KSK" :
"ZSK",
KsmKeywordStateValueToName(temp_state), (temp_retire == NULL) ?
"(not scheduled)" : temp_retire);
6101 printf(
"%-31s %-13s %-9s %-26s", temp_zone,
"KSK",
KsmKeywordStateValueToName(temp_state), (temp_ready == NULL) ?
"(not scheduled)" : temp_ready);
6109 printf(
"%-31s %-13s %-9s %-26s", temp_zone,
"KSK",
KsmKeywordStateValueToName(temp_state), (temp_active == NULL) ?
"(not scheduled)" : temp_active);
6113 if (done_row == 1 && verbose_flag == 1) {
6114 key = hsm_find_key_by_id(NULL, temp_loc);
6116 printf(
"%-33s %s NOT IN repository\n", temp_loc, temp_hsm);
6118 sign_params = hsm_sign_params_new();
6119 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, temp_zone);
6120 sign_params->algorithm = temp_alg;
6121 sign_params->flags = LDNS_KEY_ZONE_KEY;
6123 sign_params->flags += LDNS_KEY_SEP_KEY;
6125 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
6126 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
6128 printf(
"%-33s %-33s %d\n", temp_loc, temp_hsm, sign_params->keytag);
6130 hsm_sign_params_free(sign_params);
6134 else if (done_row == 1) {
6161 if (dnskey_rr != NULL) {
6162 ldns_rr_free(dnskey_rr);
6200 char* temp_loc = NULL;
6203 int done_something = 0;
6206 hsm_key_t *key = NULL;
6208 if ((zone_id == -1 && policy_id == -1) ||
6209 (zone_id != -1 && policy_id != -1)){
6210 printf(
"Please provide either a zone OR a policy to key purge\n");
6216 status = hsm_open(
config, hsm_prompt_pin, NULL);
6218 hsm_print_error(NULL);
6223 StrAppend(&sql,
"select distinct id, location from KEYDATA_VIEW where state = 6 ");
6224 if (zone_id != -1) {
6229 if (policy_id != -1) {
6240 while (status == 0) {
6242 DbInt(row, 0, &temp_id);
6296 key = hsm_find_key_by_id(NULL, temp_loc);
6299 printf(
"Key not found: %s\n", temp_loc);
6305 status = hsm_remove_key(NULL, key);
6310 printf(
"Key remove successful.\n");
6312 printf(
"Key remove failed.\n");
6332 if (done_something == 0) {
6333 printf(
"No keys to purge.\n");
6351 hsm_ctx_t *ctx = NULL;
6356 hsm_key_t *key = NULL;
6357 char *hsm_error_message = NULL;
6359 int ksks_needed = 0;
6360 int zsks_needed = 0;
6361 int keys_in_queue = 0;
6363 unsigned int current_count = 0;
6369 int ksks_created = 0;
6373 FILE* lock_fd = NULL;
6378 printf(
"Failed to connect to database\n");
6384 if (policy == NULL) {
6385 printf(
"Malloc for policy struct failed\n");
6391 printf(
"Please provide a policy name with the --policy option\n");
6397 printf(
"Please provide an interval with the --interval option\n");
6410 printf(
"Error: unable to read policy %s from database\n",
o_policy);
6416 printf(
"Error: policy %s doesn't exist in database\n",
o_policy);
6423 printf(
"Key sharing is On\n");
6425 printf(
"Key sharing is Off\n");
6430 printf(
"Error: unable to convert Interval %s to seconds, error: ",
o_interval);
6433 printf(
"invalid interval-type.\n");
6436 printf(
"unable to translate string.\n");
6439 printf(
"interval too long to be an int. E.g. Maximum is ~68 years on a system with 32-bit integers.\n");
6442 printf(
"invalid pointers or text string NULL.\n");
6445 printf(
"unknown\n");
6451 else if (status == -1) {
6452 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n",
o_interval);
6456 status = hsm_open(
config, hsm_prompt_pin, NULL);
6458 hsm_error_message = hsm_get_error(ctx);
6459 if (hsm_error_message) {
6460 printf(
"%s\n", hsm_error_message);
6461 free(hsm_error_message);
6467 printf(
"hsm_open() result: HSM error\n");
6469 case HSM_PIN_INCORRECT:
6470 printf(
"hsm_open() result: incorrect PIN\n");
6472 case HSM_CONFIG_FILE_ERROR:
6473 printf(
"hsm_open() result: config file error\n");
6475 case HSM_REPOSITORY_NOT_FOUND:
6476 printf(
"hsm_open() result: repository not found\n");
6478 case HSM_NO_REPOSITORIES:
6479 printf(
"hsm_open() result: no repositories\n");
6482 printf(
"hsm_open() result: %d", status);
6489 printf(
"HSM opened successfully.\n");
6490 ctx = hsm_create_context();
6495 if (rightnow == NULL) {
6496 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
6517 if (zone_count == 0) {
6518 printf(
"No zones on policy %s, skipping...", policy->
name);
6521 hsm_destroy_context(ctx);
6528 printf(
"Could not count zones on policy %s", policy->
name);
6531 hsm_destroy_context(ctx);
6541 printf(
"Could not predict ksk requirement for next interval for %s\n", policy->
name);
6547 printf(
"Could not count current ksk numbers for policy %s\n", policy->
name);
6552 keys_in_queue /= zone_count;
6555 new_keys = ksks_needed - keys_in_queue;
6560 current_count = hsm_count_keys_repository(ctx, policy->
ksk->
sm_name);
6562 printf(
"Repository %s is full, cannot create more KSKs for policy %s\n", policy->
ksk->
sm_name, policy->
name);
6566 printf(
"Repository %s is nearly full, will create %lu KSKs for policy %s (reduced from %d)\n", policy->
ksk->
sm_name, policy->
ksk->
sm_capacity - current_count, policy->
name, new_keys);
6572 for (i=new_keys ; i > 0 ; i--){
6573 if (hsm_supported_algorithm(policy->
ksk->
algorithm) == 0) {
6578 printf(
"Created key in repository %s\n", policy->
ksk->
sm_name);
6581 printf(
"Error creating key in repository %s\n", policy->
ksk->
sm_name);
6582 hsm_error_message = hsm_get_error(ctx);
6583 if (hsm_error_message) {
6584 printf(
"%s\n", hsm_error_message);
6585 free(hsm_error_message);
6591 id = hsm_get_key_id(ctx, key);
6595 printf(
"Error creating key in Database\n");
6596 hsm_error_message = hsm_get_error(ctx);
6597 if (hsm_error_message) {
6598 printf(
"%s\n", hsm_error_message);
6599 free(hsm_error_message);
6605 printf(
"Created KSK size: %i, alg: %i with id: %s in repository: %s and database.\n", policy->
ksk->
bits,
6609 printf(
"Key algorithm %d unsupported by libhsm.\n", policy->
ksk->
algorithm);
6615 ksks_created = new_keys;
6625 printf(
"Could not predict zsk requirement for next interval for %s\n", policy->
name);
6631 printf(
"Could not count current zsk numbers for policy %s\n", policy->
name);
6636 keys_in_queue /= zone_count;
6640 keys_in_queue -= ksks_needed;
6643 new_keys = zsks_needed - keys_in_queue;
6648 current_count = hsm_count_keys_repository(ctx, policy->
zsk->
sm_name);
6650 printf(
"Repository %s is full, cannot create more ZSKs for policy %s\n", policy->
zsk->
sm_name, policy->
name);
6654 printf(
"Repository %s is nearly full, will create %lu ZSKs for policy %s (reduced from %d)\n", policy->
zsk->
sm_name, policy->
zsk->
sm_capacity - current_count, policy->
name, new_keys);
6660 for (i = new_keys ; i > 0 ; i--) {
6661 if (hsm_supported_algorithm(policy->
zsk->
algorithm) == 0) {
6666 printf(
"Created key in repository %s\n", policy->
zsk->
sm_name);
6669 printf(
"Error creating key in repository %s\n", policy->
zsk->
sm_name);
6670 hsm_error_message = hsm_get_error(ctx);
6671 if (hsm_error_message) {
6672 printf(
"%s\n", hsm_error_message);
6673 free(hsm_error_message);
6679 id = hsm_get_key_id(ctx, key);
6683 printf(
"Error creating key in Database\n");
6684 hsm_error_message = hsm_get_error(ctx);
6685 if (hsm_error_message) {
6686 printf(
"%s\n", hsm_error_message);
6687 free(hsm_error_message);
6693 printf(
"Created ZSK size: %i, alg: %i with id: %s in repository: %s and database.\n", policy->
zsk->
bits,
6697 printf(
"Key algorithm %d unsupported by libhsm.\n", policy->
zsk->
algorithm);
6707 printf(
"NOTE: keys generated in repository %s will not become active until they have been backed up\n", policy->
ksk->
sm_name);
6710 printf(
"NOTE: keys generated in repository %s will not become active until they have been backed up\n", policy->
zsk->
sm_name);
6717 hsm_destroy_context(ctx);
6719 status = hsm_close();
6720 printf(
"all done! hsm_close result: %d\n", status);
6734 struct stat stat_ret;
6738 xmlDocPtr doc = NULL;
6739 xmlDocPtr rngdoc = NULL;
6740 xmlXPathContextPtr xpathCtx = NULL;
6741 xmlXPathObjectPtr xpathObj = NULL;
6742 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
6743 xmlRelaxNGValidCtxtPtr rngctx = NULL;
6744 xmlRelaxNGPtr schema = NULL;
6745 xmlChar *user_expr = (
unsigned char*)
"//Configuration/Enforcer/Privileges/User";
6746 xmlChar *group_expr = (
unsigned char*)
"//Configuration/Enforcer/Privileges/Group";
6748 char* filename = OPENDNSSEC_CONFIG_FILE;
6749 char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/conf.rng";
6750 char* temp_char = NULL;
6757 char *username = NULL;
6758 char *groupname = NULL;
6760 printf(
"fixing permissions on file %s\n", dbschema);
6762 if (geteuid() != 0) {
6767 if (stat(dbschema, &stat_ret) != 0) {
6768 printf(
"cannot stat file %s: %s", dbschema, strerror(errno));
6774 doc = xmlParseFile(filename);
6776 printf(
"Error: unable to parse file \"%s\"", filename);
6781 rngdoc = xmlParseFile(rngfilename);
6782 if (rngdoc == NULL) {
6783 printf(
"Error: unable to parse file \"%s\"", rngfilename);
6788 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
6789 if (rngpctx == NULL) {
6790 printf(
"Error: unable to create XML RelaxNGs parser context");
6795 schema = xmlRelaxNGParse(rngpctx);
6796 if (schema == NULL) {
6797 printf(
"Error: unable to parse a schema definition resource");
6802 rngctx = xmlRelaxNGNewValidCtxt(schema);
6803 if (rngctx == NULL) {
6804 printf(
"Error: unable to create RelaxNGs validation context based on the schema");
6809 status = xmlRelaxNGValidateDoc(rngctx,doc);
6811 printf(
"Error validating file \"%s\"", filename);
6817 xpathCtx = xmlXPathNewContext(doc);
6818 if(xpathCtx == NULL) {
6819 printf(
"Error: unable to create new XPath context");
6825 xpathObj = xmlXPathEvalExpression(group_expr, xpathCtx);
6826 if(xpathObj == NULL) {
6827 printf(
"Error: unable to evaluate xpath expression: %s", group_expr);
6828 xmlXPathFreeContext(xpathCtx);
6832 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
6833 temp_char = (
char*) xmlXPathCastToString(xpathObj);
6836 xmlXPathFreeObject(xpathObj);
6842 xpathObj = xmlXPathEvalExpression(user_expr, xpathCtx);
6843 if(xpathObj == NULL) {
6844 printf(
"Error: unable to evaluate xpath expression: %s", user_expr);
6845 xmlXPathFreeContext(xpathCtx);
6849 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
6850 temp_char = (
char*) xmlXPathCastToString(xpathObj);
6853 xmlXPathFreeObject(xpathObj);
6859 xmlXPathFreeContext(xpathCtx);
6860 xmlRelaxNGFree(schema);
6861 xmlRelaxNGFreeValidCtxt(rngctx);
6862 xmlRelaxNGFreeParserCtxt(rngpctx);
6867 if (username != NULL) {
6869 if ((pwd = getpwnam(username)) == NULL) {
6870 printf(
"user '%s' does not exist. cannot chown %s...\n", username, dbschema);
6879 if ((grp = getgrnam(groupname)) == NULL) {
6880 printf(
"group '%s' does not exist. cannot chown %s...\n", groupname, dbschema);
6889 if (chown(dbschema, uid, gid) == -1) {
6890 printf(
"cannot chown(%u,%u) %s: %s",
6891 (
unsigned) uid, (
unsigned) gid, dbschema, strerror(errno));
6900 if (chown(temp_char, uid, gid) == -1) {
6901 printf(
"cannot chown(%u,%u) %s: %s",
6902 (
unsigned) uid, (
unsigned) gid, temp_char, strerror(errno));
6944 int CountKeys(
int *zone_id,
int keytag,
const char *cka_id,
int *key_count,
char **temp_cka_id,
int *temp_key_state,
int *temp_keypair_id)
6957 int temp_zone_id = 0;
6958 char* temp_loc = NULL;
6961 int temp_keypair = 0;
6966 hsm_key_t *key = NULL;
6967 ldns_rr *dnskey_rr = NULL;
6968 hsm_sign_params_t *sign_params = NULL;
6971 status = hsm_open(
config, hsm_prompt_pin, NULL);
6973 hsm_print_error(NULL);
6978 nchar = snprintf(buffer,
sizeof(buffer),
"(%d, %d, %d)",
6980 if (nchar >=
sizeof(buffer)) {
6981 printf(
"Error: Overran buffer in CountKeys\n");
6986 StrAppend(&sql,
"select k.zone_id, k.location, k.algorithm, k.state, k.id from KEYDATA_VIEW k where state in ");
6988 StrAppend(&sql,
" and zone_id is not null and k.keytype = 257");
6990 if (*zone_id != -1) {
6995 if (cka_id != NULL) {
7013 while (status == 0) {
7015 DbInt(row, 0, &temp_zone_id);
7017 DbInt(row, 2, &temp_alg);
7018 DbInt(row, 3, &temp_state);
7019 DbInt(row, 4, &temp_keypair);
7023 if (keytag == -1 && cka_id == NULL)
7025 *temp_key_state = temp_state;
7028 key = hsm_find_key_by_id(NULL, temp_loc);
7030 printf(
"cka_id %-33s in DB but NOT IN repository\n", temp_loc);
7031 }
else if (keytag != -1) {
7032 sign_params = hsm_sign_params_new();
7033 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
"temp_zone");
7034 sign_params->algorithm = temp_alg;
7035 sign_params->flags = LDNS_KEY_ZONE_KEY;
7036 sign_params->flags += LDNS_KEY_SEP_KEY;
7038 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
7039 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
7042 if (keytag == sign_params->keytag) {
7045 *temp_cka_id = NULL;
7047 *zone_id = temp_zone_id;
7048 *temp_key_state = temp_state;
7049 *temp_keypair_id = temp_keypair;
7050 printf(
"Found key with CKA_ID %s\n", temp_loc);
7053 hsm_sign_params_free(sign_params);
7055 if (key && cka_id != NULL && strncmp(cka_id, temp_loc, strlen(temp_loc)) == 0) {
7057 if (done_row == 0) {
7059 *temp_cka_id = NULL;
7061 *zone_id = temp_zone_id;
7062 *temp_key_state = temp_state;
7063 *temp_keypair_id = temp_keypair;
7064 printf(
"Found key with CKA_ID %s\n", temp_loc);
7084 *key_count = temp_count;
7091 if (dnskey_rr != NULL) {
7092 ldns_rr_free(dnskey_rr);
7125 int MarkDSSeen(
int keypair_id,
int zone_id,
int policy_id,
const char *datetime,
int key_state)
7144 printf(
"Error: failed to read policy\n");
7165 nchar = snprintf(buffer,
sizeof(buffer),
7166 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
7168 nchar = snprintf(buffer,
sizeof(buffer),
7169 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
7190 nchar = snprintf(buffer,
sizeof(buffer),
7191 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
7193 nchar = snprintf(buffer,
sizeof(buffer),
7194 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
7255 char* where_clause = NULL;
7271 printf(
"Error: failed to read policy\n");
7287 StrAppend(&where_clause,
"select id from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
7289 StrAppend(&where_clause,
" and retire = (select min(retire) from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
7298 printf(
"Error: failed to find ID of key to retire\n");
7307 nchar = snprintf(buffer,
sizeof(buffer),
7308 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
7310 nchar = snprintf(buffer,
sizeof(buffer),
7311 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
7378 if (zone_id != -1) {
7387 printf(
"Error in CountKeysInState\n");
7424 int ChangeKeyState(
int keytype,
const char *cka_id,
int zone_id,
int policy_id,
const char *datetime,
int keystate)
7453 printf(
"Error: failed to read policy\n");
7461 if (zone_id != -1) {
7480 keyids =
MemMalloc(count *
sizeof(
int));
7487 if (zone_id != -1) {
7496 while (status == 0) {
7497 status =
KsmKey(result, &data);
7528 for (j = 0; j < i; ++j) {
7532 snprintf(buffer,
sizeof(buffer),
"%d", keyids[j]);
7555 nchar = snprintf(buffer,
sizeof(buffer),
7556 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
7558 nchar = snprintf(buffer,
sizeof(buffer),
7559 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
7569 if (zone_id != -1) {
7587 nchar = snprintf(buffer,
sizeof(buffer),
7588 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
7590 nchar = snprintf(buffer,
sizeof(buffer),
7591 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
7601 if (zone_id != -1) {
7612 nchar = snprintf(buffer,
sizeof(buffer),
7613 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
7615 nchar = snprintf(buffer,
sizeof(buffer),
7616 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
7626 if (zone_id != -1) {
7661 static int restart_enforcerd()
7665 return system(RESTART_ENFORCERD_CMD);
7677 xmlDocPtr doc = NULL;
7678 xmlXPathContextPtr xpathCtx = NULL;
7679 xmlXPathObjectPtr xpathObj = NULL;
7680 char* temp_char = NULL;
7682 xmlChar *iv_expr = (
unsigned char*)
"//Configuration/Enforcer/Interval";
7683 xmlChar *mk_expr = (
unsigned char*)
"//Configuration/Enforcer/ManualKeyGeneration";
7686 doc = xmlParseFile(
config);
7688 printf(
"Error: unable to parse file \"%s\"\n",
config);
7693 xpathCtx = xmlXPathNewContext(doc);
7694 if(xpathCtx == NULL) {
7695 printf(
"Error: unable to create new XPath context\n");
7701 xpathObj = xmlXPathEvalExpression(iv_expr, xpathCtx);
7702 if(xpathObj == NULL) {
7703 printf(
"Error: unable to evaluate xpath expression: %s", iv_expr);
7704 xmlXPathFreeContext(xpathCtx);
7709 temp_char = (
char *)xmlXPathCastToString(xpathObj);
7712 printf(
"Error: unable to convert Interval %s to seconds, error: %i\n", temp_char, status);
7716 else if (status == -1) {
7717 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n", temp_char);
7721 xmlXPathFreeObject(xpathObj);
7724 xpathObj = xmlXPathEvalExpression(mk_expr, xpathCtx);
7725 if(xpathObj == NULL) {
7726 printf(
"Error: unable to evaluate xpath expression: %s\n", mk_expr);
7727 xmlXPathFreeContext(xpathCtx);
7732 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
7740 xmlXPathFreeObject(xpathObj);
7743 xmlXPathFreeContext(xpathCtx);
7783 int man_key_gen = -1;
7794 printf(
"Failed to Link Keys to zone\n");
7804 if (policy == NULL) {
7805 printf(
"Malloc for policy struct failed\n");
7815 printf(
"Error: unable to read policy %s from database\n",
o_policy);
7820 printf(
"Error: policy %s doesn't exist in database\n",
o_policy);
7828 printf(
"Error allocating zsks to zone %s", zone_name);
7834 printf(
"Error allocating ksks to zone %s", zone_name);
7876 int keys_needed = 0;
7877 int keys_in_queue = 0;
7878 int keys_pending_retirement = 0;
7880 int key_pair_id = 0;
7887 if (datetime == NULL) {
7888 printf(
"Couldn't turn \"now\" into a date, quitting...");
7892 if (policy == NULL) {
7893 printf(
"NULL policy sent to allocateKeysToZone");
7899 printf(
"Unknown keytype: %i in allocateKeysToZone", key_type);
7913 status =
KsmKeyPredict(policy->
id, key_type, 1, interval, &keys_needed, rollover_scheme, 1);
7915 printf(
"Could not predict key requirement for next interval for %s", zone_name);
7923 printf(
"Could not count current key numbers for zone %s", zone_name);
7931 printf(
"Could not count keys which may retire before the next run (for zone %s)", zone_name);
7937 new_keys = keys_needed - (keys_in_queue - keys_pending_retirement);
7942 for (i=0 ; i < new_keys ; i++){
7946 if (status == -1 || key_pair_id == 0) {
7947 if (man_key_gen == 0) {
7948 printf(
"Not enough keys to satisfy ksk policy for zone: %s", zone_name);
7949 printf(
"ods-enforcerd will create some more keys on its next run");
7952 printf(
"Not enough keys to satisfy ksk policy for zone: %s", zone_name);
7953 printf(
"please use \"ods-ksmutil key generate\" to create some more keys.");
7957 else if (status != 0) {
7958 printf(
"Could not get an unallocated ksk for zone: %s", zone_name);
7963 if (status == -1 || key_pair_id == 0) {
7964 if (man_key_gen == 0) {
7965 printf(
"Not enough keys to satisfy zsk policy for zone: %s", zone_name);
7966 printf(
"ods-enforcerd will create some more keys on its next run");
7969 printf(
"Not enough keys to satisfy zsk policy for zone: %s", zone_name);
7970 printf(
"please use \"ods-ksmutil key generate\" to create some more keys.");
7974 else if (status != 0) {
7975 printf(
"Could not get an unallocated zsk for zone: %s", zone_name);
7979 if(key_pair_id > 0) {
7984 printf(
"KsmKeyGetUnallocated returned bad key_id %d for zone: %s; exiting...", key_pair_id, zone_name);
8012 int keyRoll(
int zone_id,
int policy_id,
int key_type)
8025 int temp_zone_id = -1;
8031 char* insql1 = NULL;
8032 char* insql2 = NULL;
8038 if (datetime == NULL) {
8039 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
8047 if (zone_id != -1) {
8050 if (policy_id != -1) {
8054 if (key_type != -1) {
8063 while (status == 0) {
8065 DbInt(row, 0, &temp_id);
8066 DbInt(row, 1, &temp_type);
8070 DusSetInt(&sql1,
"compromisedflag", 1, 1);
8131 size = snprintf(sql2,
KSM_SQL_SIZE,
"select zone_id from dnsseckeys where retire = \"%s\" and keypair_id = %d", datetime, temp_id);
8135 while (status == 0) {
8137 DbInt(row2, 0, &temp_zone_id);
8142 snprintf(buffer,
sizeof(buffer),
"%d", temp_zone_id);
8165 while (status == 0) {
8167 DbInt(row2, 0, &temp_zone_id);
8172 snprintf(buffer,
sizeof(buffer),
"%d", temp_zone_id);
8194 printf(
"Couldn't construct SQL to promote standby key\n");
8257 else if (status == -1) {}
8272 xmlNodePtr zone_node;
8273 xmlNodePtr adapters_node;
8274 xmlNodePtr input_node;
8275 xmlNodePtr output_node;
8277 root = xmlDocGetRootElement(doc);
8279 fprintf(stderr,
"empty document\n");
8282 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
8283 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
8287 zone_node = xmlNewTextChild(root, NULL, (
const xmlChar *)
"Zone", NULL);
8288 (void) xmlNewProp(zone_node, (
const xmlChar *)
"name", (
const xmlChar *)zone->
name);
8291 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"Policy", (
const xmlChar *)zone->
policy_name);
8294 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"SignerConfiguration", (
const xmlChar *)zone->
signconf);
8297 adapters_node = xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"Adapters", NULL);
8299 input_node = xmlNewTextChild(adapters_node, NULL, (
const xmlChar *)
"Input", NULL);
8300 (void) xmlNewTextChild(input_node, NULL, (
const xmlChar *)
"File", (
const xmlChar *)zone->
input);
8302 output_node = xmlNewTextChild(adapters_node, NULL, (
const xmlChar *)
"Output", NULL);
8303 (void) xmlNewTextChild(output_node, NULL, (
const xmlChar *)
"File", (
const xmlChar *)zone->
output);
8314 size_t len = strlen(
string);
8317 for (i = 0; i < len; ++i) {
8318 if (
string[i] ==
'\'') {
8323 buffer[j++] =
string[i];
8327 return ( (j <= buflen) ? 0 : 1);
8332 char* signconf = NULL;
8333 char* moved_signconf = NULL;
8334 char* zone_name = NULL;
8338 xmlDocPtr doc = NULL;
8340 xmlXPathContextPtr xpathCtx = NULL;
8341 xmlXPathObjectPtr xpathObj = NULL;
8343 xmlChar *node_expr = (
unsigned char*)
"//Zone";
8345 doc = xmlParseFile(zonelist_filename);
8347 printf(
"Error: unable to parse file \"%s\"\n", zonelist_filename);
8351 xpathCtx = xmlXPathNewContext(doc);
8352 if(xpathCtx == NULL) {
8358 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
8359 if(xpathObj == NULL) {
8360 xmlXPathFreeContext(xpathCtx);
8365 if (xpathObj->nodesetval) {
8366 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
8368 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
8369 zone_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
8371 if (all_flag || (strlen(zone_name) == strlen(o_zone) &&
8372 strncmp(zone_name, o_zone, strlen(zone_name)) == 0)) {
8376 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"SignerConfiguration")) {
8377 StrAppend(&signconf, (
char *) xmlNodeGetContent(curNode));
8379 StrAppend(&moved_signconf,
".ZONE_DELETED");
8381 status = rename(signconf, moved_signconf);
8382 if (status != 0 && errno != ENOENT)
8385 printf(
"Could not rename: %s -> %s", signconf, moved_signconf);
8396 curNode = curNode->next;