dnssec-dsfromkey.c 12.8 KB
Newer Older
1
/*
2
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3
 *
4 5 6
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 8 9
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
10 11 12 13
 */

/*! \file */

14
#include <inttypes.h>
15
#include <stdbool.h>
16 17 18 19 20 21 22 23 24 25
#include <stdlib.h>

#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>

26
#include <dns/callbacks.h>
27 28 29 30
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/ds.h>
#include <dns/fixedname.h>
31
#include <dns/keyvalues.h>
32
#include <dns/log.h>
33
#include <dns/master.h>
34 35 36 37 38 39 40 41 42 43
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatatype.h>
#include <dns/result.h>

#include <dst/dst.h>

Ondřej Surý's avatar
Ondřej Surý committed
44
#if USE_PKCS11
45
#include <pk11/result.h>
46
#endif /* if USE_PKCS11 */
47

48 49 50 51 52
#include "dnssectool.h"

const char *program = "dnssec-dsfromkey";

static dns_rdataclass_t rdclass;
Evan Hunt's avatar
Evan Hunt committed
53 54 55 56 57
static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static isc_mem_t *mctx = NULL;
static uint32_t ttl;
static bool emitttl = false;
58

59
static isc_result_t
Evan Hunt's avatar
Evan Hunt committed
60
initname(char *setname) {
61 62
	isc_result_t result;
	isc_buffer_t buf;
63

64
	name = dns_fixedname_initname(&fixed);
Automatic Updater's avatar
Automatic Updater committed
65 66 67

	isc_buffer_init(&buf, setname, strlen(setname));
	isc_buffer_add(&buf, strlen(setname));
68
	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
69 70
	return (result);
}
71

72
static void
Evan Hunt's avatar
Evan Hunt committed
73 74
db_load_from_stream(dns_db_t *db, FILE *fp) {
	isc_result_t result;
75 76 77
	dns_rdatacallbacks_t callbacks;

	dns_rdatacallbacks_init(&callbacks);
78
	result = dns_db_beginload(db, &callbacks);
79
	if (result != ISC_R_SUCCESS) {
80
		fatal("dns_db_beginload failed: %s", isc_result_totext(result));
81
	}
82

83 84
	result = dns_master_loadstream(fp, name, name, rdclass, 0, &callbacks,
				       mctx);
85
	if (result != ISC_R_SUCCESS) {
86
		fatal("can't load from input: %s", isc_result_totext(result));
87
	}
Automatic Updater's avatar
Automatic Updater committed
88

89
	result = dns_db_endload(db, &callbacks);
90
	if (result != ISC_R_SUCCESS) {
91
		fatal("dns_db_endload failed: %s", isc_result_totext(result));
92
	}
93 94
}

95
static isc_result_t
Evan Hunt's avatar
Evan Hunt committed
96 97 98
loadset(const char *filename, dns_rdataset_t *rdataset) {
	isc_result_t result;
	dns_db_t *db = NULL;
99
	dns_dbnode_t *node = NULL;
Evan Hunt's avatar
Evan Hunt committed
100
	char setname[DNS_NAME_FORMATSIZE];
101

102
	dns_name_format(name, setname, sizeof(setname));
103

104 105
	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
			       NULL, &db);
106
	if (result != ISC_R_SUCCESS) {
107
		fatal("can't create database");
108
	}
109

110 111 112 113
	if (strcmp(filename, "-") == 0) {
		db_load_from_stream(db, stdin);
		filename = "input";
	} else {
114
		result = dns_db_load(db, filename, dns_masterformat_text, 0);
115
		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
116 117
			fatal("can't load %s: %s", filename,
			      isc_result_totext(result));
118
		}
119
	}
120

121
	result = dns_db_findnode(db, name, false, &node);
122
	if (result != ISC_R_SUCCESS) {
123
		fatal("can't find %s node in %s", setname, filename);
124
	}
125

126 127
	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
				     rdataset, NULL);
128

129
	if (result == ISC_R_NOTFOUND) {
130
		fatal("no DNSKEY RR for %s in %s", setname, filename);
131
	} else if (result != ISC_R_SUCCESS) {
132
		fatal("dns_db_findrdataset");
133
	}
134

135
	if (node != NULL) {
136
		dns_db_detachnode(db, &node);
137 138
	}
	if (db != NULL) {
139
		dns_db_detach(&db);
140
	}
141 142 143 144
	return (result);
}

static isc_result_t
Evan Hunt's avatar
Evan Hunt committed
145
loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
146
	isc_result_t result;
Evan Hunt's avatar
Evan Hunt committed
147
	char filename[PATH_MAX + 1];
148
	isc_buffer_t buf;
149 150 151 152 153 154

	dns_rdataset_init(rdataset);

	isc_buffer_init(&buf, filename, sizeof(filename));
	if (dirname != NULL) {
		/* allow room for a trailing slash */
155
		if (strlen(dirname) >= isc_buffer_availablelength(&buf)) {
156
			return (ISC_R_NOSPACE);
157
		}
158
		isc_buffer_putstr(&buf, dirname);
159
		if (dirname[strlen(dirname) - 1] != '/') {
160
			isc_buffer_putstr(&buf, "/");
161
		}
162 163
	}

164
	if (isc_buffer_availablelength(&buf) < 7) {
165
		return (ISC_R_NOSPACE);
166
	}
167 168
	isc_buffer_putstr(&buf, "keyset-");

169
	result = dns_name_tofilenametext(name, false, &buf);
170
	check_result(result, "dns_name_tofilenametext()");
171
	if (isc_buffer_availablelength(&buf) == 0) {
172
		return (ISC_R_NOSPACE);
173
	}
174 175
	isc_buffer_putuint8(&buf, 0);

176
	return (loadset(filename, rdataset));
177 178 179
}

static void
180
loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
Evan Hunt's avatar
Evan Hunt committed
181
	dns_rdata_t *rdata) {
182
	isc_result_t result;
Evan Hunt's avatar
Evan Hunt committed
183
	dst_key_t *key = NULL;
184 185
	isc_buffer_t keyb;
	isc_region_t r;
186 187 188

	dns_rdata_init(rdata);

189
	isc_buffer_init(&keyb, key_buf, key_buf_size);
190

191 192
	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC, mctx,
				       &key);
193
	if (result != ISC_R_SUCCESS) {
194 195
		fatal("can't load %s.key: %s", filename,
		      isc_result_totext(result));
196
	}
197 198

	if (verbose > 2) {
199
		char keystr[DST_KEY_FORMATSIZE];
200

201
		dst_key_format(key, keystr, sizeof(keystr));
202 203 204 205
		fprintf(stderr, "%s: %s\n", program, keystr);
	}

	result = dst_key_todns(key, &keyb);
206
	if (result != ISC_R_SUCCESS) {
207
		fatal("can't decode key");
208
	}
209 210

	isc_buffer_usedregion(&keyb, &r);
211 212
	dns_rdata_fromregion(rdata, dst_key_class(key), dns_rdatatype_dnskey,
			     &r);
213 214 215

	rdclass = dst_key_class(key);

216
	name = dns_fixedname_initname(&fixed);
217
	dns_name_copynf(dst_key_name(key), name);
218 219 220 221 222

	dst_key_free(&key);
}

static void
Evan Hunt's avatar
Evan Hunt committed
223
logkey(dns_rdata_t *rdata) {
224
	isc_result_t result;
Evan Hunt's avatar
Evan Hunt committed
225
	dst_key_t *key = NULL;
226
	isc_buffer_t buf;
Evan Hunt's avatar
Evan Hunt committed
227
	char keystr[DST_KEY_FORMATSIZE];
228 229 230 231

	isc_buffer_init(&buf, rdata->data, rdata->length);
	isc_buffer_add(&buf, rdata->length);
	result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
232
	if (result != ISC_R_SUCCESS) {
233
		return;
234
	}
235

236
	dst_key_format(key, keystr, sizeof(keystr));
237 238 239 240 241 242
	fprintf(stderr, "%s: %s\n", program, keystr);

	dst_key_free(&key);
}

static void
Evan Hunt's avatar
Evan Hunt committed
243 244 245 246 247 248 249 250 251
emit(dns_dsdigest_t dt, bool showall, bool cds, dns_rdata_t *rdata) {
	isc_result_t result;
	unsigned char buf[DNS_DS_BUFFERSIZE];
	char text_buf[DST_KEY_MAXTEXTSIZE];
	char name_buf[DNS_NAME_MAXWIRE];
	char class_buf[10];
	isc_buffer_t textb, nameb, classb;
	isc_region_t r;
	dns_rdata_t ds;
252
	dns_rdata_dnskey_t dnskey;
253 254

	isc_buffer_init(&textb, text_buf, sizeof(text_buf));
255
	isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
256 257 258 259
	isc_buffer_init(&classb, class_buf, sizeof(class_buf));

	dns_rdata_init(&ds);

260
	result = dns_rdata_tostruct(rdata, &dnskey, NULL);
261
	if (result != ISC_R_SUCCESS) {
262
		fatal("can't convert DNSKEY");
263
	}
264

265
	if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall) {
266
		return;
267
	}
268

269
	result = dns_ds_buildrdata(name, rdata, dt, buf, &ds);
270
	if (result != ISC_R_SUCCESS) {
271
		fatal("can't build record");
272
	}
273

274
	result = dns_name_totext(name, false, &nameb);
275
	if (result != ISC_R_SUCCESS) {
276
		fatal("can't print name");
277
	}
278

279
	result = dns_rdata_tofmttext(&ds, (dns_name_t *)NULL, 0, 0, 0, "",
280 281
				     &textb);

282
	if (result != ISC_R_SUCCESS) {
283
		fatal("can't print rdata");
284
	}
285 286

	result = dns_rdataclass_totext(rdclass, &classb);
287
	if (result != ISC_R_SUCCESS) {
288
		fatal("can't print class");
289
	}
290

291
	isc_buffer_usedregion(&nameb, &r);
Evan Hunt's avatar
Evan Hunt committed
292
	printf("%.*s ", (int)r.length, r.base);
293

294
	if (emitttl) {
295
		printf("%u ", ttl);
296
	}
297

298
	isc_buffer_usedregion(&classb, &r);
Evan Hunt's avatar
Evan Hunt committed
299
	printf("%.*s", (int)r.length, r.base);
300

301 302 303 304 305
	if (cds) {
		printf(" CDS ");
	} else {
		printf(" DS ");
	}
306 307

	isc_buffer_usedregion(&textb, &r);
Evan Hunt's avatar
Evan Hunt committed
308
	printf("%.*s\n", (int)r.length, r.base);
309 310
}

311
static void
Evan Hunt's avatar
Evan Hunt committed
312
emits(bool showall, bool cds, dns_rdata_t *rdata) {
313 314
	unsigned i, n;

315
	n = sizeof(dtype) / sizeof(dtype[0]);
316 317
	for (i = 0; i < n; i++) {
		if (dtype[i] != 0) {
318
			emit(dtype[i], showall, cds, rdata);
319 320 321 322
		}
	}
}

Ondřej Surý's avatar
Ondřej Surý committed
323 324
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
Francis Dupont's avatar
Francis Dupont committed
325

326
static void
Evan Hunt's avatar
Evan Hunt committed
327
usage(void) {
328
	fprintf(stderr, "Usage:\n");
329
	fprintf(stderr, "    %s [options] keyfile\n\n", program);
330 331 332
	fprintf(stderr, "    %s [options] -f zonefile [zonename]\n\n", program);
	fprintf(stderr, "    %s [options] -s dnsname\n\n", program);
	fprintf(stderr, "    %s [-h|-V]\n\n", program);
333
	fprintf(stderr, "Version: %s\n", VERSION);
334
	fprintf(stderr, "Options:\n"
335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350
			"    -1: digest algorithm SHA-1\n"
			"    -2: digest algorithm SHA-256\n"
			"    -a algorithm: digest algorithm (SHA-1, SHA-256 or "
			"SHA-384)\n"
			"    -A: include all keys in DS set, not just KSKs (-f "
			"only)\n"
			"    -c class: rdata class for DS set (default IN) (-f "
			"or -s only)\n"
			"    -C: print CDS records\n"
			"    -f zonefile: read keys from a zone file\n"
			"    -h: print help information\n"
			"    -K directory: where to find key or keyset files\n"
			"    -s: read keys from keyset-<dnsname> file\n"
			"    -T: TTL of output records (omitted by default)\n"
			"    -v level: verbosity\n"
			"    -V: print version information\n");
351
	fprintf(stderr, "Output: DS or CDS RRs\n");
352

353
	exit(-1);
354 355 356
}

int
Evan Hunt's avatar
Evan Hunt committed
357 358 359 360 361 362 363 364 365 366
main(int argc, char **argv) {
	char *classname = NULL;
	char *filename = NULL, *dir = NULL, *namestr;
	char *endp, *arg1;
	int ch;
	bool cds = false;
	bool usekeyset = false;
	bool showall = false;
	isc_result_t result;
	isc_log_t *log = NULL;
367
	dns_rdataset_t rdataset;
Evan Hunt's avatar
Evan Hunt committed
368
	dns_rdata_t rdata;
369 370 371

	dns_rdata_init(&rdata);

372
	if (argc == 1) {
373
		usage();
374
	}
375

376
	isc_mem_create(&mctx);
377

Ondřej Surý's avatar
Ondřej Surý committed
378
#if USE_PKCS11
379
	pk11_result_register();
380
#endif /* if USE_PKCS11 */
381 382
	dns_result_register();

383
	isc_commandline_errprint = false;
384

385 386
#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV"
	while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
387 388
		switch (ch) {
		case '1':
389
			add_dtype(DNS_DSDIGEST_SHA1);
390 391
			break;
		case '2':
392
			add_dtype(DNS_DSDIGEST_SHA256);
393
			break;
394
		case 'A':
395
			showall = true;
396
			break;
397
		case 'a':
398
			add_dtype(strtodsdigest(isc_commandline_argument));
399
			break;
400
		case 'C':
401
			cds = true;
402
			break;
403 404 405 406
		case 'c':
			classname = isc_commandline_argument;
			break;
		case 'd':
407 408 409 410
			fprintf(stderr,
				"%s: the -d option is deprecated; "
				"use -K\n",
				program);
411
		/* fall through */
412 413
		case 'K':
			dir = isc_commandline_argument;
414
			if (strlen(dir) == 0U) {
415
				fatal("directory must be non-empty string");
416
			}
417 418 419
			break;
		case 'f':
			filename = isc_commandline_argument;
420 421
			break;
		case 'l':
422
			fatal("-l option (DLV lookaside) is obsolete");
423 424
			break;
		case 's':
425
			usekeyset = true;
426
			break;
427
		case 'T':
428
			emitttl = true;
Evan Hunt's avatar
Evan Hunt committed
429
			ttl = strtottl(isc_commandline_argument);
430
			break;
431 432
		case 'v':
			verbose = strtol(isc_commandline_argument, &endp, 0);
433
			if (*endp != '\0') {
434
				fatal("-v must be followed by a number");
435
			}
436
			break;
Francis Dupont's avatar
Francis Dupont committed
437
		case 'F':
438 439
		/* Reserved for FIPS mode */
		/* FALLTHROUGH */
440
		case '?':
441
			if (isc_commandline_option != '?') {
442 443
				fprintf(stderr, "%s: invalid argument -%c\n",
					program, isc_commandline_option);
444 445
			}
		/* FALLTHROUGH */
446
		case 'h':
447
			/* Does not return. */
448 449
			usage();

450 451 452 453
		case 'V':
			/* Does not return. */
			version(program);

454
		default:
455 456
			fprintf(stderr, "%s: unhandled option -%c\n", program,
				isc_commandline_option);
457 458 459 460 461 462
			exit(1);
		}
	}

	rdclass = strtoclass(classname);

463
	if (usekeyset && filename != NULL) {
464
		fatal("cannot use both -s and -f");
465
	}
466 467

	/* When not using -f, -A is implicit */
468
	if (filename == NULL) {
469
		showall = true;
470
	}
471

472 473 474 475 476
	/* Default digest type if none specified. */
	if (dtype[0] == 0) {
		dtype[0] = DNS_DSDIGEST_SHA256;
	}

477 478 479 480 481 482
	/*
	 * Use local variable arg1 so that clang can correctly analyse
	 * reachable paths rather than 'argc < isc_commandline_index + 1'.
	 */
	arg1 = argv[isc_commandline_index];
	if (arg1 == NULL && filename == NULL) {
483
		fatal("the key file name was not specified");
484
	}
485
	if (arg1 != NULL && argv[isc_commandline_index + 1] != NULL) {
486
		fatal("extraneous arguments");
487
	}
488

489
	result = dst_lib_init(mctx, NULL);
490
	if (result != ISC_R_SUCCESS) {
Francis Dupont's avatar
Francis Dupont committed
491 492
		fatal("could not initialize dst: %s",
		      isc_result_totext(result));
493
	}
494

495
	setup_logging(mctx, &log);
496

497 498 499
	dns_rdataset_init(&rdataset);

	if (usekeyset || filename != NULL) {
500 501
		if (arg1 == NULL) {
			/* using file name as the zone name */
502
			namestr = filename;
503
		} else {
504
			namestr = arg1;
505
		}
506

507
		result = initname(namestr);
508
		if (result != ISC_R_SUCCESS) {
509
			fatal("could not initialize name %s", namestr);
510
		}
511

512
		if (usekeyset) {
513
			result = loadkeyset(dir, &rdataset);
514
		} else {
515
			INSIST(filename != NULL);
516
			result = loadset(filename, &rdataset);
517
		}
518

519
		if (result != ISC_R_SUCCESS) {
520 521
			fatal("could not load DNSKEY set: %s\n",
			      isc_result_totext(result));
522
		}
523 524

		for (result = dns_rdataset_first(&rdataset);
525
		     result == ISC_R_SUCCESS;
Evan Hunt's avatar
Evan Hunt committed
526 527
		     result = dns_rdataset_next(&rdataset))
		{
528
			dns_rdata_init(&rdata);
529
			dns_rdataset_current(&rdataset, &rdata);
530

531
			if (verbose > 2) {
532
				logkey(&rdata);
533
			}
534

535
			emits(showall, cds, &rdata);
536 537
		}
	} else {
538 539
		unsigned char key_buf[DST_KEY_MAXSIZE];

540
		loadkey(arg1, key_buf, DST_KEY_MAXSIZE, &rdata);
541

542
		emits(showall, cds, &rdata);
543 544
	}

545
	if (dns_rdataset_isassociated(&rdataset)) {
546
		dns_rdataset_disassociate(&rdataset);
547
	}
548
	cleanup_logging(&log);
Evan Hunt's avatar
Evan Hunt committed
549
	dst_lib_destroy();
550
	if (verbose > 10) {
551
		isc_mem_stats(mctx, stdout);
552
	}
553 554
	isc_mem_destroy(&mctx);

555 556 557 558
	fflush(stdout);
	if (ferror(stdout)) {
		fprintf(stderr, "write error\n");
		return (1);
559
	} else {
560
		return (0);
561
	}
562
}