33 #include "cmdhandler.h"
39 #include "clientpipe.h"
46 #include "libhsmdns.h"
50 static const char *module_str =
"keystate_ds_x_cmd";
59 get_dnskey(
const char *
id,
const char *zone,
int alg, uint32_t ttl)
62 hsm_sign_params_t *sign_params;
65 hsm_ctx_t *hsm_ctx = hsm_create_context();
67 ods_log_error(
"[%s] Could not connect to HSM", module_str);
70 if (!(key = hsm_find_key_by_id(hsm_ctx,
id))) {
71 hsm_destroy_context(hsm_ctx);
77 sign_params = hsm_sign_params_new();
78 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone);
79 sign_params->algorithm = (ldns_algorithm) alg;
80 sign_params->flags = LDNS_KEY_ZONE_KEY | LDNS_KEY_SEP_KEY;
83 dnskey_rr = hsm_get_dnskey(hsm_ctx, key, sign_params);
86 hsm_sign_params_free(sign_params);
87 hsm_destroy_context(hsm_ctx);
90 if (ttl) ldns_rr_set_ttl(dnskey_rr, ttl);
97 exec_dnskey_by_id(
int sockfd,
key_data_t *key,
const char* ds_command,
101 int ttl = 0, status, i;
103 char *rrstr, *chrptr;
105 struct stat stat_ret;
113 ods_log_error_and_printf(sockfd, module_str,
114 "Error fetching from database");
134 if (!dnskey_rr)
return 2;
136 rrstr = ldns_rr2str(dnskey_rr);
139 for (i = 0; rrstr[i]; ++i) {
140 if (rrstr[i] ==
'\t') rrstr[i] =
' ';
145 if ((chrptr = strchr(rrstr,
';'))) {
150 if (!ds_command || ds_command[0] ==
'\0') {
151 ods_log_error_and_printf(sockfd, module_str,
152 "No \"DelegationSigner%sCommand\" "
153 "configured.", action);
156 pos = strstr(ds_command,
" --cka_id");
160 rrstr[strlen(rrstr)-1] =
'\0';
164 if (stat(ds_command, &stat_ret) != 0) {
165 ods_log_error_and_printf(sockfd, module_str,
166 "Cannot stat file %s: %s", ds_command,
169 }
else if (S_ISREG(stat_ret.st_mode) &&
170 !(stat_ret.st_mode & S_IXUSR ||
171 stat_ret.st_mode & S_IXGRP ||
172 stat_ret.st_mode & S_IXOTH)) {
176 ods_log_error_and_printf(sockfd, module_str,
177 "File %s is not executable", ds_command);
180 FILE *fp = popen(ds_command,
"w");
183 ods_log_error_and_printf(sockfd, module_str,
184 "failed to run command: %s: %s",ds_command,
189 bytes_written = fprintf(fp,
"%s; {cka_id = %s}\n", rrstr, locator);
191 bytes_written = fprintf(fp,
"%s", rrstr);
192 if (bytes_written < 0) {
194 ods_log_error_and_printf(sockfd, module_str,
195 "Failed to write to %s: %s", ds_command,
197 }
else if (pclose(fp) == -1) {
199 ods_log_error_and_printf(sockfd, module_str,
200 "failed to close %s: %s", ds_command,
203 client_printf(sockfd,
"key %sed to %s\n",
211 ldns_rr_free(dnskey_rr);
218 const char* ds_submit_command;
220 return exec_dnskey_by_id(sockfd, key, ds_submit_command,
"submit");
226 const char* ds_retract_command;
228 return exec_dnskey_by_id(sockfd, key, ds_retract_command,
"retract");
235 const char *fmth =
"%-31s %-13s %-13s %-40s\n";
236 const char *fmtl =
"%-31s %-13s %-13u %-40s\n";
267 client_printf(sockfd, fmth,
"Zone:",
"Key role:",
"Keytag:",
"Id:");
274 client_printf(sockfd, fmtl,
322 if (!keystate)
return 1;
337 keystate = keystate_next;
346 const char *zonename,
const hsm_key_t* hsmkey,
int keytag,
353 int status = 0, key_match = 0, key_mod = 0;
362 push_clauses(clause_list, zone, state_from, hsmkey, keytag) ||
368 client_printf_err(sockfd,
"Could not find ksk for zone %s, "
369 "does zone exist?\n", zonename);
370 ods_log_error(
"[%s] Error fetching from database", module_str);
384 ods_log_error(
"[%s] Error fetching from database", module_str);
395 (void)submit_dnskey_by_id(sockfd, key, engine);
399 (void)retract_dnskey_by_id(sockfd, key, engine);
406 ods_log_error(
"[%s] Error writing to database", module_str);
407 client_printf(sockfd,
"[%s] Error writing to database", module_str);
421 client_printf(sockfd,
"%d KSK matches found.\n", key_match);
422 if (!key_match) status = 11;
423 client_printf(sockfd,
"%d KSKs changed.\n", key_mod);
424 if (zone && key_mod > 0) {
438 const char *zonename = NULL, *cka_id = NULL, *keytag_s = NULL;
442 char buf[ODS_SE_MAXLINE];
445 int argc = 0, long_index = 0, opt = 0;
446 const char* argv[
NARGV];
448 static struct option long_options[] = {
449 {
"zone", required_argument, 0,
'z'},
450 {
"cka_id", required_argument, 0,
'k'},
451 {
"keytag", required_argument, 0,
'x'},
452 {
"all", no_argument, 0,
'a'},
456 strncpy(buf, cmd, ODS_SE_MAXLINE);
457 buf[
sizeof(buf)-1] =
'\0';
458 argc = ods_str_explode(buf,
NARGV, argv);
460 client_printf_err(sockfd,
"too many arguments\n");
461 ods_log_error(
"[%s] too many arguments for %s command",
467 while ((opt = getopt_long(argc, (
char*
const*)argv,
"z:k:x:a", long_options, &long_index)) != -1) {
482 client_printf_err(sockfd,
"unknown arguments\n");
483 ods_log_error(
"[%s] unknown arguments for %s command",
489 if (!all && !zonename && !cka_id && !keytag_s) {
490 return ds_list_keys(dbconn, sockfd, state_from);
494 keytag = atoi(keytag_s);
495 if (keytag < 0 || keytag >= 65536) {
496 ods_log_warning(
"[%s] value \"%d\" for --keytag is invalid",
498 client_printf_err(sockfd,
"value \"%d\" for --keytag is invalid\n",
505 if (all && zonename) {
506 ods_log_warning (
"[%s] Error: Unable to use --zone and --all together", module_str);
507 client_printf_err(sockfd,
"Error: Unable to use --zone and --all together\n");
512 ods_log_warning (
"[%s] Error: Unable to find a zone named \"%s\" in database\n", module_str, zonename);
513 client_printf_err(sockfd,
"Error: Unable to find a zone named \"%s\" in database\n", zonename);
520 if (!zonename && (keytag != -1 || cka_id)) {
521 ods_log_warning (
"[%s] Error: expected --zone <zone>", module_str);
522 client_printf_err(sockfd,
"Error: expected --zone <zone>\n");
526 if (!(zonename && ((cka_id && keytag == -1) || (!cka_id && keytag != -1))) && !all)
528 ods_log_warning(
"[%s] expected --zone and either --cka_id or "
529 "--keytag option or expected --all", module_str);
530 client_printf_err(sockfd,
"expected --zone and either --cka_id or "
531 "--keytag option or expected --all.\n");
536 client_printf_err(sockfd,
"CKA_ID %s can not be found!\n", cka_id);
540 state_from, state_to, engine);
db_clause_list_t * db_clause_list_new(void)
void db_clause_list_free(db_clause_list_t *clause_list)
int db_clause_set_type(db_clause_t *clause, db_clause_type_t type)
void enforce_task_flush_zone(engine_type *engine, char const *zonename)
void hsm_key_free(hsm_key_t *hsm_key)
const char * hsm_key_locator(const hsm_key_t *hsm_key)
const db_value_t * hsm_key_id(const hsm_key_t *hsm_key)
hsm_key_t * hsm_key_new_get_by_locator(const db_connection_t *connection, const char *locator)
const key_data_t * key_data_list_next(key_data_list_t *key_data_list)
int key_data_update(key_data_t *key_data)
void key_data_free(key_data_t *key_data)
key_data_t * key_data_list_get_next(key_data_list_t *key_data_list)
const char * key_data_role_text(const key_data_t *key_data)
zone_db_t * key_data_get_zone(const key_data_t *key_data)
int key_data_list_get_by_clauses(key_data_list_t *key_data_list, const db_clause_list_t *clause_list)
unsigned int key_data_keytag(const key_data_t *key_data)
key_state_list_t * key_data_key_state_list(key_data_t *key_data)
void key_data_list_free(key_data_list_t *key_data_list)
db_clause_t * key_data_ds_at_parent_clause(db_clause_list_t *clause_list, key_data_ds_at_parent_t ds_at_parent)
int key_data_cache_hsm_key(key_data_t *key_data)
key_data_list_t * key_data_list_new_get_by_clauses(const db_connection_t *connection, const db_clause_list_t *clause_list)
db_clause_t * key_data_zone_id_clause(db_clause_list_t *clause_list, const db_value_t *zone_id)
int key_data_set_ds_at_parent(key_data_t *key_data, key_data_ds_at_parent_t ds_at_parent)
int key_data_retrieve_key_state_list(key_data_t *key_data)
const hsm_key_t * key_data_hsm_key(const key_data_t *key_data)
unsigned int key_data_algorithm(const key_data_t *key_data)
db_clause_t * key_data_keytag_clause(db_clause_list_t *clause_list, unsigned int keytag)
hsm_key_t * key_data_get_hsm_key(const key_data_t *key_data)
key_data_list_t * key_data_list_new(const db_connection_t *connection)
db_clause_t * key_data_hsm_key_id_clause(db_clause_list_t *clause_list, const db_value_t *hsm_key_id)
db_clause_t * key_data_role_clause(db_clause_list_t *clause_list, key_data_role_t role)
enum key_data_ds_at_parent key_data_ds_at_parent_t
@ KEY_DATA_DS_AT_PARENT_SUBMITTED
@ KEY_DATA_DS_AT_PARENT_RETRACT
@ KEY_DATA_DS_AT_PARENT_SUBMIT
@ KEY_DATA_DS_AT_PARENT_RETRACTED
int key_data_cache_key_states(key_data_t *key_data)
const key_state_t * key_data_cached_dnskey(key_data_t *key_data)
unsigned int key_state_ttl(const key_state_t *key_state)
void key_state_free(key_state_t *key_state)
key_state_t * key_state_list_get_begin(key_state_list_t *key_state_list)
key_state_t * key_state_list_get_next(key_state_list_t *key_state_list)
int key_state_update(key_state_t *key_state)
int run_ds_cmd(int sockfd, const char *cmd, db_connection_t *dbconn, key_data_ds_at_parent_t state_from, key_data_ds_at_parent_t state_to, engine_type *engine)
int change_keys_from_to(db_connection_t *dbconn, int sockfd, const char *zonename, const hsm_key_t *hsmkey, int keytag, key_data_ds_at_parent_t state_from, key_data_ds_at_parent_t state_to, engine_type *engine)
engineconfig_type * config
const char * delegation_signer_submit_command
const char * delegation_signer_retract_command
void zone_db_free(zone_db_t *zone)
const char * zone_db_name(const zone_db_t *zone)
zone_db_t * zone_db_new(const db_connection_t *connection)
int zone_db_update(zone_db_t *zone)
int zone_db_get_by_name(zone_db_t *zone, const char *name)
const db_value_t * zone_db_id(const zone_db_t *zone)
zone_db_t * zone_db_new_get_by_name(const db_connection_t *connection, const char *name)
char * zone_db_ext_zonename_from_id(const db_connection_t *connection, const db_value_t *id)