dnssec-importkey.c 11.7 KB
Newer Older
1
/*
2
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3
 *
4 5 6
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 8 9
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
10 11 12 13
 */

/*! \file */

14
#include <stdbool.h>
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42
#include <stdlib.h>

#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/hash.h>
#include <isc/mem.h>
#include <isc/print.h>
#include <isc/string.h>
#include <isc/util.h>

#include <dns/callbacks.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/ds.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/master.h>
#include <dns/name.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatatype.h>
#include <dns/result.h>

#include <dst/dst.h>

Ondřej Surý's avatar
Ondřej Surý committed
43
#if USE_PKCS11
44
#include <pk11/result.h>
45
#endif /* if USE_PKCS11 */
46

47 48 49 50 51
#include "dnssectool.h"

const char *program = "dnssec-importkey";

static dns_rdataclass_t rdclass;
Evan Hunt's avatar
Evan Hunt committed
52 53 54 55 56 57 58 59 60 61
static dns_fixedname_t fixed;
static dns_name_t *name = NULL;
static isc_mem_t *mctx = NULL;
static bool setpub = false, setdel = false;
static bool setttl = false;
static isc_stdtime_t pub = 0, del = 0;
static dns_ttl_t ttl = 0;
static isc_stdtime_t syncadd = 0, syncdel = 0;
static bool setsyncadd = false;
static bool setsyncdel = false;
62 63

static isc_result_t
Evan Hunt's avatar
Evan Hunt committed
64
initname(char *setname) {
65 66 67
	isc_result_t result;
	isc_buffer_t buf;

68
	name = dns_fixedname_initname(&fixed);
69 70 71 72 73 74 75 76

	isc_buffer_init(&buf, setname, strlen(setname));
	isc_buffer_add(&buf, strlen(setname));
	result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
	return (result);
}

static void
Evan Hunt's avatar
Evan Hunt committed
77 78
db_load_from_stream(dns_db_t *db, FILE *fp) {
	isc_result_t result;
79 80 81 82
	dns_rdatacallbacks_t callbacks;

	dns_rdatacallbacks_init(&callbacks);
	result = dns_db_beginload(db, &callbacks);
83
	if (result != ISC_R_SUCCESS) {
84
		fatal("dns_db_beginload failed: %s", isc_result_totext(result));
85
	}
86

87 88
	result = dns_master_loadstream(fp, name, name, rdclass, 0, &callbacks,
				       mctx);
89
	if (result != ISC_R_SUCCESS) {
90
		fatal("can't load from input: %s", isc_result_totext(result));
91
	}
92 93

	result = dns_db_endload(db, &callbacks);
94
	if (result != ISC_R_SUCCESS) {
95
		fatal("dns_db_endload failed: %s", isc_result_totext(result));
96
	}
97 98 99
}

static isc_result_t
Evan Hunt's avatar
Evan Hunt committed
100 101 102
loadset(const char *filename, dns_rdataset_t *rdataset) {
	isc_result_t result;
	dns_db_t *db = NULL;
103
	dns_dbnode_t *node = NULL;
Evan Hunt's avatar
Evan Hunt committed
104
	char setname[DNS_NAME_FORMATSIZE];
105 106 107

	dns_name_format(name, setname, sizeof(setname));

108 109
	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, rdclass, 0,
			       NULL, &db);
110
	if (result != ISC_R_SUCCESS) {
111
		fatal("can't create database");
112
	}
113 114 115 116 117

	if (strcmp(filename, "-") == 0) {
		db_load_from_stream(db, stdin);
		filename = "input";
	} else {
118 119
		result = dns_db_load(db, filename, dns_masterformat_text,
				     DNS_MASTER_NOTTL);
120
		if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
121 122
			fatal("can't load %s: %s", filename,
			      isc_result_totext(result));
123
		}
124 125
	}

126
	result = dns_db_findnode(db, name, false, &node);
127
	if (result != ISC_R_SUCCESS) {
128
		fatal("can't find %s node in %s", setname, filename);
129
	}
130

131 132
	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
				     rdataset, NULL);
133

134
	if (result == ISC_R_NOTFOUND) {
135
		fatal("no DNSKEY RR for %s in %s", setname, filename);
136
	} else if (result != ISC_R_SUCCESS) {
137
		fatal("dns_db_findrdataset");
138
	}
139

140
	if (node != NULL) {
141
		dns_db_detachnode(db, &node);
142 143
	}
	if (db != NULL) {
144
		dns_db_detach(&db);
145
	}
146 147 148 149 150
	return (result);
}

static void
loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
Evan Hunt's avatar
Evan Hunt committed
151
	dns_rdata_t *rdata) {
152
	isc_result_t result;
Evan Hunt's avatar
Evan Hunt committed
153
	dst_key_t *key = NULL;
154 155
	isc_buffer_t keyb;
	isc_region_t r;
156 157 158 159 160

	dns_rdata_init(rdata);

	isc_buffer_init(&keyb, key_buf, key_buf_size);

161 162
	result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC, mctx,
				       &key);
163
	if (result != ISC_R_SUCCESS) {
164 165
		fatal("invalid keyfile name %s: %s", filename,
		      isc_result_totext(result));
166
	}
167 168 169 170 171 172 173 174 175

	if (verbose > 2) {
		char keystr[DST_KEY_FORMATSIZE];

		dst_key_format(key, keystr, sizeof(keystr));
		fprintf(stderr, "%s: %s\n", program, keystr);
	}

	result = dst_key_todns(key, &keyb);
176
	if (result != ISC_R_SUCCESS) {
177
		fatal("can't decode key");
178
	}
179 180

	isc_buffer_usedregion(&keyb, &r);
181 182
	dns_rdata_fromregion(rdata, dst_key_class(key), dns_rdatatype_dnskey,
			     &r);
183 184 185

	rdclass = dst_key_class(key);

186
	name = dns_fixedname_initname(&fixed);
187
	dns_name_copynf(dst_key_name(key), name);
188 189 190 191 192

	dst_key_free(&key);
}

static void
Evan Hunt's avatar
Evan Hunt committed
193
emit(const char *dir, dns_rdata_t *rdata) {
194
	isc_result_t result;
Evan Hunt's avatar
Evan Hunt committed
195 196 197
	char keystr[DST_KEY_FORMATSIZE];
	char pubname[1024];
	char priname[1024];
198
	isc_buffer_t buf;
Evan Hunt's avatar
Evan Hunt committed
199
	dst_key_t *key = NULL, *tmp = NULL;
200 201 202 203 204 205 206 207

	isc_buffer_init(&buf, rdata->data, rdata->length);
	isc_buffer_add(&buf, rdata->length);
	result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
	if (result != ISC_R_SUCCESS) {
		fatal("dst_key_fromdns: %s", isc_result_totext(result));
	}

208
	isc_buffer_init(&buf, pubname, sizeof(pubname));
209 210 211 212 213
	result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
	if (result != ISC_R_SUCCESS) {
		fatal("Failed to build public key filename: %s",
		      isc_result_totext(result));
	}
214 215 216 217 218 219 220
	isc_buffer_init(&buf, priname, sizeof(priname));
	result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
	if (result != ISC_R_SUCCESS) {
		fatal("Failed to build private key filename: %s",
		      isc_result_totext(result));
	}

221 222 223
	result = dst_key_fromfile(
		dst_key_name(key), dst_key_id(key), dst_key_alg(key),
		DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, dir, mctx, &tmp);
224
	if (result == ISC_R_SUCCESS) {
225
		if (dst_key_isprivate(tmp) && !dst_key_isexternal(tmp)) {
226
			fatal("Private key already exists in %s", priname);
227
		}
228 229 230
		dst_key_free(&tmp);
	}

231
	dst_key_setexternal(key, true);
232
	if (setpub) {
233
		dst_key_settime(key, DST_TIME_PUBLISH, pub);
234 235
	}
	if (setdel) {
236
		dst_key_settime(key, DST_TIME_DELETE, del);
237 238
	}
	if (setsyncadd) {
239
		dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncadd);
240 241
	}
	if (setsyncdel) {
242
		dst_key_settime(key, DST_TIME_SYNCDELETE, syncdel);
243
	}
244

245
	if (setttl) {
246
		dst_key_setttl(key, ttl);
247
	}
248

249
	result = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, dir);
250 251 252 253 254
	if (result != ISC_R_SUCCESS) {
		dst_key_format(key, keystr, sizeof(keystr));
		fatal("Failed to write key %s: %s", keystr,
		      isc_result_totext(result));
	}
255
	printf("%s\n", pubname);
256 257 258 259 260 261 262

	isc_buffer_clear(&buf);
	result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
	if (result != ISC_R_SUCCESS) {
		fatal("Failed to build private key filename: %s",
		      isc_result_totext(result));
	}
263
	printf("%s\n", priname);
264 265 266
	dst_key_free(&key);
}

Ondřej Surý's avatar
Ondřej Surý committed
267 268
ISC_PLATFORM_NORETURN_PRE static void
usage(void) ISC_PLATFORM_NORETURN_POST;
269 270

static void
Evan Hunt's avatar
Evan Hunt committed
271
usage(void) {
272
	fprintf(stderr, "Usage:\n");
273
	fprintf(stderr, "    %s options [-K dir] keyfile\n\n", program);
274
	fprintf(stderr, "    %s options -f file [keyname]\n\n", program);
275 276
	fprintf(stderr, "Version: %s\n", VERSION);
	fprintf(stderr, "Options:\n");
277
	fprintf(stderr, "    -f file: read key from zone file\n");
278
	fprintf(stderr, "    -K <directory>: directory in which to store "
279
			"the key files\n");
280 281
	fprintf(stderr, "    -L ttl:             set default key TTL\n");
	fprintf(stderr, "    -v <verbose level>\n");
282
	fprintf(stderr, "    -V: print version information\n");
283 284 285
	fprintf(stderr, "    -h: print usage and exit\n");
	fprintf(stderr, "Timing options:\n");
	fprintf(stderr, "    -P date/[+-]offset/none: set/unset key "
286
			"publication date\n");
287
	fprintf(stderr, "    -P sync date/[+-]offset/none: set/unset "
288
			"CDS and CDNSKEY publication date\n");
289
	fprintf(stderr, "    -D date/[+-]offset/none: set/unset key "
290
			"deletion date\n");
291
	fprintf(stderr, "    -D sync date/[+-]offset/none: set/unset "
292
			"CDS and CDNSKEY deletion date\n");
293

294
	exit(-1);
295 296 297
}

int
Evan Hunt's avatar
Evan Hunt committed
298 299 300 301 302 303 304
main(int argc, char **argv) {
	char *classname = NULL;
	char *filename = NULL, *dir = NULL, *namestr;
	char *endp;
	int ch;
	isc_result_t result;
	isc_log_t *log = NULL;
305
	dns_rdataset_t rdataset;
Evan Hunt's avatar
Evan Hunt committed
306 307
	dns_rdata_t rdata;
	isc_stdtime_t now;
308 309 310 311

	dns_rdata_init(&rdata);
	isc_stdtime_get(&now);

312
	if (argc == 1) {
313
		usage();
314
	}
315

316
	isc_mem_create(&mctx);
317

Ondřej Surý's avatar
Ondřej Surý committed
318
#if USE_PKCS11
319
	pk11_result_register();
320
#endif /* if USE_PKCS11 */
321 322
	dns_result_register();

323
	isc_commandline_errprint = false;
324

325
#define CMDLINE_FLAGS "D:f:hK:L:P:v:V"
326
	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
327
		switch (ch) {
Tinderbox User's avatar
Tinderbox User committed
328
		case 'D':
329 330
			/* -Dsync ? */
			if (isoptarg("sync", argv, usage)) {
331
				if (setsyncdel) {
332 333
					fatal("-D sync specified more than "
					      "once");
334
				}
335 336

				syncdel = strtotime(isc_commandline_argument,
337
						    now, now, &setsyncdel);
338 339 340 341
				break;
			}
			/* -Ddnskey ? */
			(void)isoptarg("dnskey", argv, usage);
342
			if (setdel) {
Tinderbox User's avatar
Tinderbox User committed
343
				fatal("-D specified more than once");
344
			}
345

346 347
			del = strtotime(isc_commandline_argument, now, now,
					&setdel);
348 349 350
			break;
		case 'K':
			dir = isc_commandline_argument;
351
			if (strlen(dir) == 0U) {
352
				fatal("directory must be non-empty string");
353
			}
354
			break;
355
		case 'L':
Evan Hunt's avatar
Evan Hunt committed
356
			ttl = strtottl(isc_commandline_argument);
357
			setttl = true;
358
			break;
Tinderbox User's avatar
Tinderbox User committed
359
		case 'P':
360 361
			/* -Psync ? */
			if (isoptarg("sync", argv, usage)) {
362
				if (setsyncadd) {
363 364
					fatal("-P sync specified more than "
					      "once");
365
				}
366 367

				syncadd = strtotime(isc_commandline_argument,
368
						    now, now, &setsyncadd);
369 370 371 372
				break;
			}
			/* -Pdnskey ? */
			(void)isoptarg("dnskey", argv, usage);
373
			if (setpub) {
Tinderbox User's avatar
Tinderbox User committed
374
				fatal("-P specified more than once");
375
			}
376

377 378
			pub = strtotime(isc_commandline_argument, now, now,
					&setpub);
Tinderbox User's avatar
Tinderbox User committed
379
			break;
380 381 382 383 384
		case 'f':
			filename = isc_commandline_argument;
			break;
		case 'v':
			verbose = strtol(isc_commandline_argument, &endp, 0);
385
			if (*endp != '\0') {
386
				fatal("-v must be followed by a number");
387
			}
388 389
			break;
		case '?':
390
			if (isc_commandline_option != '?') {
391 392
				fprintf(stderr, "%s: invalid argument -%c\n",
					program, isc_commandline_option);
393 394
			}
		/* FALLTHROUGH */
395
		case 'h':
396
			/* Does not return. */
397 398
			usage();

399 400 401 402
		case 'V':
			/* Does not return. */
			version(program);

403
		default:
404 405
			fprintf(stderr, "%s: unhandled option -%c\n", program,
				isc_commandline_option);
406 407 408 409 410 411
			exit(1);
		}
	}

	rdclass = strtoclass(classname);

412
	if (argc < isc_commandline_index + 1 && filename == NULL) {
413
		fatal("the key file name was not specified");
414 415
	}
	if (argc > isc_commandline_index + 1) {
416
		fatal("extraneous arguments");
417
	}
418

419
	result = dst_lib_init(mctx, NULL);
420
	if (result != ISC_R_SUCCESS) {
421 422
		fatal("could not initialize dst: %s",
		      isc_result_totext(result));
423
	}
424

425
	setup_logging(mctx, &log);
426 427 428 429

	dns_rdataset_init(&rdataset);

	if (filename != NULL) {
430 431
		if (argc < isc_commandline_index + 1) {
			/* using filename as zone name */
432
			namestr = filename;
433
		} else {
434
			namestr = argv[isc_commandline_index];
435
		}
436 437

		result = initname(namestr);
438
		if (result != ISC_R_SUCCESS) {
439
			fatal("could not initialize name %s", namestr);
440
		}
441 442 443

		result = loadset(filename, &rdataset);

444
		if (result != ISC_R_SUCCESS) {
445 446
			fatal("could not load DNSKEY set: %s\n",
			      isc_result_totext(result));
447
		}
448 449 450

		for (result = dns_rdataset_first(&rdataset);
		     result == ISC_R_SUCCESS;
Evan Hunt's avatar
Evan Hunt committed
451 452
		     result = dns_rdataset_next(&rdataset))
		{
453 454 455 456 457 458 459
			dns_rdata_init(&rdata);
			dns_rdataset_current(&rdataset, &rdata);
			emit(dir, &rdata);
		}
	} else {
		unsigned char key_buf[DST_KEY_MAXSIZE];

460 461
		loadkey(argv[isc_commandline_index], key_buf, DST_KEY_MAXSIZE,
			&rdata);
462 463 464 465

		emit(dir, &rdata);
	}

466
	if (dns_rdataset_isassociated(&rdataset)) {
467
		dns_rdataset_disassociate(&rdataset);
468
	}
469
	cleanup_logging(&log);
Evan Hunt's avatar
Evan Hunt committed
470
	dst_lib_destroy();
471
	if (verbose > 10) {
472
		isc_mem_stats(mctx, stdout);
473
	}
474 475 476 477 478 479
	isc_mem_destroy(&mctx);

	fflush(stdout);
	if (ferror(stdout)) {
		fprintf(stderr, "write error\n");
		return (1);
480
	} else {
481
		return (0);
482
	}
483
}