Commit c1a72112 authored by Mark Andrews's avatar Mark Andrews

4396. [func] dnssec-keymgr now takes a '-r randomfile' option.

                        [RT #42455]
parent b709d847
4395 [bug] Improve out-of-tree installation of python modules.
4396. [func] dnssec-keymgr now takes a '-r randomfile' option.
[RT #42455]
4395. [bug] Improve out-of-tree installation of python modules.
[RT #42586]
4394. [func] Add rndc command "dnstap-reopen" to close and
......@@ -14,10 +14,9 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keymgr">
<info>
<date>2016-04-03</date>
<date>2016-06-03</date>
</info>
<refentryinfo>
<corpname>ISC</corpname>
......@@ -53,6 +52,7 @@
<arg choice="opt" rep="norepeat"><option>-v</option></arg>
<arg choice="opt" rep="norepeat"><option>-z</option></arg>
<arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">path</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">path</replaceable></option></arg>
<arg choice="opt" rep="repeat">zone</arg>
</cmdsynopsis>
......@@ -191,6 +191,18 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies a path to a file containing random data.
This is passed to the <command>dnssec-keygen</command> binary
using its <option>-r</option> option.
<!-- TODO: what to do about "-r keyboard"? -->
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">settime-path</replaceable></term>
<listitem>
......@@ -170,12 +170,15 @@ class dnskey:
self._changed[prop] = False
@classmethod
def generate(cls, keygen_bin, keys_dir, name, alg, keysize, sep,
def generate(cls, keygen_bin, randomdev, keys_dir, name, alg, keysize, sep,
ttl, publish=None, activate=None, **kwargs):
quiet = kwargs.get('quiet', False)
keygen_cmd = [keygen_bin, "-q", "-K", keys_dir, "-L", str(ttl)]
if randomdev:
keygen_cmd += ["-r", randomdev]
if sep:
keygen_cmd.append("-fk")
......@@ -210,7 +213,7 @@ class dnskey:
except Exception as e:
raise Exception('unable to parse generated key: %s' % str(e))
def generate_successor(self, keygen_bin, **kwargs):
def generate_successor(self, keygen_bin, randomdev, **kwargs):
quiet = kwargs.get('quiet', False)
if not self.inactive():
......@@ -221,6 +224,9 @@ class dnskey:
if self.ttl:
keygen_cmd += ["-L", str(self.ttl)]
if randomdev:
keygen_cmd += ["-r", randomdev]
if not quiet:
print('# ' + ' '.join(keygen_cmd))
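Review bot: `randomdev` is added as a required positional parameter in `generate` (line 56, placed between `keygen_bin` and `keys_dir`) and in `generate_successor` (line 68), even though both bodies already treat it as optional via `if randomdev:` (lines 60 and 74). Placing it after the existing parameters with a default, `def generate(cls, keygen_bin, keys_dir, name, alg, keysize, sep, ttl, publish=None, activate=None, randomdev=None, **kwargs):` and `def generate_successor(self, keygen_bin, randomdev=None, **kwargs):`, would keep every pre-existing call shape valid while still reaching `keygen_cmd += ["-r", randomdev]` when a value is given. Inserting a new positional in the middle of a long argument list also makes a call that passes `publish` positionally shift silently rather than fail. Both method bodies continue outside the hunks.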
......@@ -80,6 +80,9 @@ def parse_args():
parser.add_argument('-g', dest='keygen', default=keygen, type=str,
help='Path to \'dnssec-keygen\'',
metavar='path')
parser.add_argument('-r', dest='randomdev', type=str, default=None,
help='Path to a file containing random data to pass to \'dnssec-keygen\'',
metavar='path')
parser.add_argument('-s', dest='settime', default=settime, type=str,
help='Path to \'dnssec-settime\'',
metavar='path')
......@@ -130,7 +133,8 @@ def main():
# into a context object that can be passed around
context = {'keygen_path': args.keygen,
'settime_path': args.settime,
'keys_path': args.path}
'keys_path': args.path,
'randomdev': args.randomdev}
try:
dp = policy.dnssec_policy(args.policyfile)
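Review bot: The new `-r` option (line 83) accepts any string and performs no validation, so a mistyped path is discovered only when `dnssec-keygen` is first invoked, after the policy has been loaded and possibly after earlier key-management steps have already run. `dnssec-keygen` also accepts the special name `keyboard` for this option (the man-page hunk in this commit carries a TODO about it), so an early check in `parse_args` would need to exempt that value, e.g. `if args.randomdev and args.randomdev != 'keyboard' and not os.path.exists(args.randomdev): parser.error('random file not found: %s' % args.randomdev)`, which presumes `os` is importable in this module. The help text says "file containing random data" while the destination is named `randomdev`; if a device path is acceptable the help should say "file or device". Both `parse_args` and `main` extend beyond the hunks.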
......@@ -131,6 +131,7 @@ class keyseries:
# generated if Inactive has been set in the predecessor key
prev.commit(self._context['settime_path'], **kwargs)
key = prev.generate_successor(self._context['keygen_path'],
self._context['randomdev'],
**kwargs)
key.setinactive(key.activate() + rp, **kwargs)
......@@ -166,6 +167,7 @@ class keyseries:
if 'ksk' not in kwargs or not kwargs['ksk']:
if len(self._Z[zone][algnum]) == 0:
k = dnskey.generate(self._context['keygen_path'],
self._context['randomdev'],
keys_dir, zone, alg,
policy.zsk_keysize, False,
policy.keyttl or 3600,
......@@ -176,6 +178,7 @@ class keyseries:
if 'zsk' not in kwargs or not kwargs['zsk']:
if len(self._K[zone][algnum]) == 0:
k = dnskey.generate(self._context['keygen_path'],
self._context['randomdev'],
keys_dir, zone, alg,
policy.ksk_keysize, True,
policy.keyttl or 3600,
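Review bot: The three new call sites (lines 103, 110 and 118) index `self._context['randomdev']` directly, which makes the key mandatory in the context dict; any code that still builds a context the old way, without `randomdev`, now raises `KeyError` instead of simply running `dnssec-keygen` without `-r`. Using `self._context.get('randomdev')` at each site yields `None` for such callers, which the `if randomdev:` guard in `dnskey.generate` already treats as "no -r". The enclosing methods start and end outside the hunks.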
......@@ -39,7 +39,7 @@ for dir in [0-9][0-9]-*; do
. $dir/expect
# run keymgr to update keys
$KEYMGR -K $dir -g $KEYGEN -s $SETTIME $kargs > keymgr.$n 2>&1
$KEYMGR -K $dir -g $KEYGEN -r $RANDFILE -s $SETTIME $kargs > keymgr.$n 2>&1
# check that return code matches expectations
found=$?
if [ $found -ne $kret ]; then
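Review bot: `$RANDFILE` on line 127 is unquoted and unguarded, so if the variable is unset or empty the command degrades to `-r -s $SETTIME`; argparse would then reject `-s` as the missing argument to `-r`, and every iteration of the loop would record that as a mismatched return code instead of pointing at the missing variable. `-r "${RANDFILE:?RANDFILE is not set}"` fails once, at the cause, and the `:?` form is POSIX so it fits the script's `[ ... ]` style. The `for dir` loop begins before the hunk.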