61 #include <libhsmdns.h>
62 #include <ldns/ldns.h>
64 #include <libxml/tree.h>
65 #include <libxml/parser.h>
66 #include <libxml/xpointer.h>
67 #include <libxml/xpath.h>
68 #include <libxml/xpathInternals.h>
69 #include <libxml/relaxng.h>
70 #include <libxml/xmlreader.h>
71 #include <libxml/xmlsave.h>
/* Two-branch max macro: each argument is evaluated twice, so never pass an
 * expression with side effects (e.g. i++) or an expensive call to it. */
73 #define MAX(a, b) ((a) > (b) ? (a) : (b))
77 #define DURATION_TYPE 1
81 #define ROLLOVER_TYPE 5
82 #define INT_TYPE_NO_FREE 6
85 # define MAXPATHLEN 4096
90 #define DEFAULT_LOG_FACILITY LOG_DAEMON
92 #define DEFAULT_LOG_FACILITY LOG_USER
/*
 * Path of the conf.xml this utility operates on.  Defaults to the
 * compile-time OPENDNSSEC_CONFIG_FILE; this is the path later handed to
 * hsm_open() when keys are exported.  The usage text and the "config" long
 * option (-c/--config) suggest the option parser overwrites it before any
 * command runs -- that assignment is not visible here, confirm in main().
 * NOTE(review): the cast presumably discards a const on the macro's string
 * literal; nothing should ever write through this pointer.
 */
98 char *
config = (
char *) OPENDNSSEC_CONFIG_FILE;
/*
 * Command-line mode flags.  Each is a plain 0/1 switch; the long-option table
 * near the end of the file maps them to a getopt letter.  Defaults are the
 * values below; a few are set by a "--no-..." option and therefore default on.
 */
/* --all (-a): act on every zone/policy instead of the one named with
 * --zone/--policy.  Mutually exclusive with --zone / --policy; the
 * destructive variants (delete all zones, roll every key on a policy) prompt
 * for confirmation before proceeding. */
117 static int all_flag = 0;
/* --auto-accept (-A): accepted by the parser; no use is visible in this part
 * of the file -- presumably skips a confirmation in the policy-change path,
 * verify before relying on it. */
118 static int auto_accept_flag = 0;
/* --ds (-d): in key export, also emit SHA-1 and SHA-256 DS records for each
 * DNSKEY and print the "no ready/active key" and "both ready and active key"
 * rollover warnings per zone. */
119 static int ds_flag = 0;
/* Defaults to 1: after a key is marked DS-seen (made active), the previously
 * active key is retired unless this is 0.  The "no-retire" long option (-f)
 * presumably clears it -- the option handler is not visible here. */
120 static int retire_flag = 1;
/* --verbose: in the rollover listing, additionally list the DS records
 * (ListDS) when any are pending. */
121 static int verbose_flag = 0;
/* Defaults to 1: zone add/delete rewrite zonelist.xml (after backing it up).
 * --no-xml (-m) sets it to 0, in which case only the database is changed and
 * the user is told to run "zonelist export" themselves. */
122 static int xml_flag = 1;
/* No use is visible in this part of the file. */
123 static int td_flag = 0;
/* --force (-F): skips the interactive "Do you wish to continue?" prompt that
 * the deprecated one-step "backup done" otherwise shows.  Because it removes
 * the only human checkpoint on that path, scripts should set it deliberately. */
124 static int force_flag = 0;
/* Defaults to 1; --no-hsm (-M) is in the option table but no consumer of this
 * flag is visible here -- presumably suppresses HSM access, confirm. */
125 static int hsm_flag = 1;
/*
 * Ask the running ods-enforcerd to re-read its state after a change made by
 * this tool (update, key rollover, DS-seen).  Returns 0 on success and
 * non-zero on failure; callers only print "Could not HUP ods-enforcerd" and
 * carry on, so the database change itself is not rolled back.
 * The definition (see the end of the file) builds the command from the fixed
 * ODS_EN_CONTROL prefix plus a lowercased verb and runs it via system(); that
 * verb must stay an internal constant and never come from user input.
 */
127 static int restart_enforcerd(
void);
134 #if defined(HAVE_SYSLOG_R) && defined(HAVE_OPENLOG_R) && defined(HAVE_CLOSELOG_R)
/* Per-process state for the reentrant syslog_r()/openlog_r()/closelog_r()
 * family; only compiled in when all three are available (see the #if above),
 * and passed by address to every syslog_r() call in this file. */
135 struct syslog_data sdata = SYSLOG_DATA_INIT;
138 #undef HAVE_OPENLOG_R
139 #undef HAVE_CLOSELOG_R
147 " --version aka -V\n");
155 "\tImport config into a database (deletes current contents)\n");
162 " start|stop|notify\n"
163 "\tStart, stop or SIGHUP the ods-enforcerd\n");
174 "\tUpdate database from config\n");
182 "\t--zone <zone> aka -z\n"
183 "\t[--policy <policy>] aka -p\n"
184 "\t[--signerconf <signerconf.xml>] aka -s\n"
185 "\t[--input <input>] aka -i\n"
186 "\t[--in-type <input type>] aka -j\n"
187 "\t[--output <output>] aka -o\n"
188 "\t[--out-type <output type>] aka -q\n"
189 "\t[--no-xml] aka -m\n");
197 "\t--zone <zone> | --all aka -z / -a\n"
198 "\t[--no-xml] aka -m\n");
212 "usage: %s [-c <config> | --config <config>] zone \n\n",
223 " repository list\n");
231 "\t--policy [policy_name] | --all aka -p / -a\n");
259 "usage: %s [-c <config> | --config <config>] \n\n",
273 "\t--zone <zone> | --all aka -z / -a\n"
275 "\t(will appear soon:\n"
276 "\t[--keystate <state>] aka -e\n"
277 "\t[--keytype <type>] aka -t\n"
288 "\t--zone <zone> | --all aka -z / -a\n"
289 "\t[--keystate <state>] aka -e\n"
290 "\t[--keytype <type>] aka -t\n"
291 "\t[--ds] aka -d\n");
299 "\t--cka_id <CKA_ID> aka -k\n"
300 "\t--repository <repository> aka -r\n"
301 "\t--zone <zone> aka -z\n"
302 "\t--bits <size> aka -b\n"
303 "\t--algorithm <algorithm> aka -g\n"
304 "\t--keystate <state> aka -e\n"
305 "\t--keytype <type> aka -t\n"
306 "\t--time <time> aka -w\n"
307 "\t[--retire <retire>] aka -y\n");
315 "\t--zone zone aka -z\n"
316 "\t--keytype <type> | --all aka -t / -a\n"
318 "\t--policy policy aka -p\n"
319 "\t--keytype <type> | --all aka -t / -a\n");
327 "\t--zone <zone> aka -z\n"
329 "\t--policy <policy> aka -p\n");
337 "\t--policy <policy>\n"
338 "\t--interval <interval>\n"
339 "\t--auto-accept\n");
347 "\t--zone <zone> aka -z\n"
348 "\t--keytag <keytag> | --cka_id <CKA_ID> aka -x / -k\n");
357 "\t--zone <zone> aka -z\n"
358 "\t--keytag <keytag> | --cka_id <CKA_ID> aka -x / -k\n"
367 "\t--cka_id <CKA_ID> aka -k\n"
375 "usage: %s [-c <config> | --config <config>] \n\n",
393 "\t--repository <repository> aka -r\n"
395 "\t--repository <repository> aka -r\n"
397 "\t--repository <repository> aka -r\n"
399 "\t--repository <repository> aka -r\n"
401 "\t--repository <repository> aka -r\n"
403 "\t[NOTE: backup done is deprecated]\n");
411 "\t[--zone <zone>]\n");
419 "\t[--output <output>] aka -o\n");
427 " zonelist import\n");
434 "usage: %s [-c <config> | --config <config>] command [options]\n\n",
468 "\n\tAllowed date/time strings are of the form:\n"
470 "\tYYYYMMDD[HH[MM[SS]]] (all numeric)\n"
472 "\tor D-MMM-YYYY[:| ]HH[:MM[:SS]] (alphabetic month)\n"
473 "\tor DD-MMM-YYYY[:| ]HH[:MM[:SS]] (alphabetic month)\n"
474 "\tor YYYY-MMM-DD[:| ]HH[:MM[:SS]] (alphabetic month)\n"
476 "\tD-MM-YYYY[:| ]HH[:MM[:SS]] (numeric month)\n"
477 "\tDD-MM-YYYY[:| ]HH[:MM[:SS]] (numeric month)\n"
478 "\tor YYYY-MM-DD[:| ]HH[:MM[:SS]] (numeric month)\n"
480 "\t... and the distinction between them is given by the location of the\n"
488 "key states: GENERATE|PUBLISH|READY|ACTIVE|RETIRE|DEAD\n");
495 "key types: KSK|ZSK\n");
505 FILE* lock_fd = NULL;
506 char* zone_list_filename;
511 char *dbschema = NULL;
515 char *password = NULL;
520 char* setup_command = NULL;
521 char* lock_filename = NULL;
524 printf(
"*WARNING* This will erase all data in the database; are you sure? [y/N] ");
526 user_certain = getchar();
527 if (user_certain !=
'y' && user_certain !=
'Y') {
528 printf(
"Okay, quitting...\n");
535 status =
get_db_details(&dbschema, &host, &port, &user, &password);
554 lock_fd = fopen(lock_filename,
"w");
557 printf(
"Error getting db lock\n");
558 if (lock_fd != NULL) {
579 if (system(setup_command) != 0)
581 printf(
"Could not call db setup command:\n\t%s\n", setup_command);
597 printf(
"Couldn't fix permissions on file %s\n", dbschema);
598 printf(
"Will coninue with setup, but you may need to manually change ownership\n");
607 printf(
"Failed to connect to database, username too long.\n");
618 if (password != NULL) {
621 printf(
"Failed to connect to database, password too long.\n");
644 if (password != NULL) {
646 StrAppend(&setup_command, quoted_password);
654 if (system(setup_command) != 0)
656 printf(
"Could not call db setup command:\n\t%s\n", setup_command);
669 status =
DbConnect(&dbhandle, dbschema, host, password, user, port);
671 printf(
"Failed to connect to database\n");
694 printf(
"Failed to read conf.xml\n");
705 printf(
"Failed to update repositories\n");
718 printf(
"Failed to update policies\n");
719 printf(
"SETUP FAILED\n");
735 printf(
"Failed to update zones\n");
758 FILE* lock_fd = NULL;
759 char* zone_list_filename = NULL;
760 char* kasp_filename = NULL;
762 int done_something = 0;
767 printf(
"Failed to connect to database\n");
776 if (strncmp(qualifier,
"ZONELIST", 8) == 0 ||
777 strncmp(qualifier,
"KASP", 4) == 0 ||
778 strncmp(qualifier,
"ALL", 3) == 0) {
781 printf(
"Failed to read conf.xml\n");
791 if (strncmp(qualifier,
"CONF", 4) == 0 ||
792 strncmp(qualifier,
"ALL", 3) == 0) {
795 printf(
"Failed to update repositories\n");
797 if (strncmp(qualifier,
"ALL", 3) == 0) {
810 if (strncmp(qualifier,
"KASP", 4) == 0 ||
811 strncmp(qualifier,
"ALL", 3) == 0) {
814 printf(
"Failed to update policies\n");
827 if (strncmp(qualifier,
"ZONELIST", 8) == 0 ||
828 strncmp(qualifier,
"ALL", 3) == 0) {
831 printf(
"Failed to update zones\n");
843 if (done_something == 0) {
844 printf(
"Unrecognised command update %s. Please specify one of:\n", qualifier);
848 if (restart_enforcerd() != 0)
850 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
859 if (kasp_filename != NULL) {
862 if (zone_list_filename != NULL) {
881 FILE* lock_fd = NULL;
882 char* zonelist_filename = NULL;
883 char* backup_filename = NULL;
885 char* sig_conf_name = NULL;
886 char* input_name = NULL;
887 char* output_name = NULL;
888 char* input_type = NULL;
889 char* output_type = NULL;
896 xmlDocPtr doc = NULL;
902 printf(
"Couldn't malloc path: %s\n", strerror(errno));
908 printf(
"Please specify a zone with the --zone option\n");
921 StrAppend(&sig_conf_name, OPENDNSSEC_STATE_DIR);
935 StrAppend(&input_name, OPENDNSSEC_STATE_DIR);
954 StrAppend(&output_name, OPENDNSSEC_STATE_DIR);
977 printf(
"couldn't read zonelist\n");
994 printf(
"Failed to connect to database\n");
1008 printf(
"Error, can't find policy : %s\n",
o_policy);
1009 printf(
"Failed to update zones\n");
1019 status =
KsmImportZone(
o_zone, policy_id, 1, &new_zone, sig_conf_name, input_name, output_name, input_type, output_type);
1022 printf(
"Failed to Import zone %s; it already exists\n",
o_zone);
1023 }
else if (status == -3) {
1024 printf(
"Failed to Import zone %s; it already exists both with and without a trailing dot\n",
o_zone);
1026 printf(
"Failed to Import zone\n");
1042 printf(
"Can't retrieve shared-keys parameter for policy\n");
1054 printf(
"Can't retrieve shared-keys parameter for policy\n");
1067 if (data.
value == 1) {
1070 printf(
"Failed to Link Keys to zone\n");
1090 if (xml_flag == 1) {
1093 xmlKeepBlanksDefault(0);
1094 xmlTreeIndentString =
"\t";
1109 StrAppend(&backup_filename, zonelist_filename);
1111 status =
backup_file(zonelist_filename, backup_filename);
1119 status = xmlSaveFormatFile(zonelist_filename, doc, 1);
1124 printf(
"couldn't save zonelist\n");
1132 if (xml_flag == 0) {
1133 printf(
"Imported zone: %s into database only, please run \"ods-ksmutil zonelist export\" to update zonelist.xml\n",
o_zone);
1135 printf(
"Imported zone: %s\n",
o_zone);
1152 char* zonelist_filename = NULL;
1153 char* backup_filename = NULL;
1158 xmlDocPtr doc = NULL;
1165 FILE* lock_fd = NULL;
1168 if (all_flag &&
o_zone != NULL) {
1169 printf(
"can not use --all with --zone\n");
1172 else if (!all_flag &&
o_zone == NULL) {
1173 printf(
"please specify either --zone <zone> or --all\n");
1178 if (all_flag == 1) {
1179 printf(
"*WARNING* This will remove all zones from OpenDNSSEC; are you sure? [y/N] ");
1181 user_certain = getchar();
1182 if (user_certain !=
'y' && user_certain !=
'Y') {
1183 printf(
"Okay, quitting...\n");
1191 printf(
"Failed to connect to database\n");
1204 if (xml_flag == 1) {
1208 printf(
"couldn't read zonelist\n");
1233 StrAppend(&backup_filename, zonelist_filename);
1235 status =
backup_file(zonelist_filename, backup_filename);
1244 status = xmlSaveFormatFile(zonelist_filename, doc, 1);
1248 printf(
"Could not save %s\n", zonelist_filename);
1259 if (all_flag == 0) {
1262 printf(
"Couldn't find zone %s\n",
o_zone);
1271 printf(
"Error: failed to mark keys as dead in database\n");
1280 printf(
"Error: failed to remove zone%s from database\n", (all_flag == 1) ?
"s" :
"");
1286 if (all_flag == 0) {
1287 if (system(SIGNER_CLI_UPDATE) != 0)
1289 printf(
"Could not call signer engine\n");
1296 if (xml_flag == 0) {
1297 printf(
"Deleted zone: %s from database only, please run \"ods-ksmutil zonelist export\" to update zonelist.xml\n",
o_zone);
1311 FILE* lock_fd = NULL;
1313 char* zonelist_filename = NULL;
1316 xmlTextReaderPtr reader = NULL;
1318 char* tag_name = NULL;
1320 int file_zone_count = 0;
1326 char* temp_name = NULL;
1333 printf(
"couldn't read zonelist\n");
1334 if (zonelist_filename != NULL) {
1343 printf(
"Failed to connect to database\n");
1349 reader = xmlNewTextReaderFilename(zonelist_filename);
1350 if (reader != NULL) {
1351 ret = xmlTextReaderRead(reader);
1353 tag_name = (
char*) xmlTextReaderLocalName(reader);
1355 if (strncmp(tag_name,
"Zone", 4) == 0
1356 && strncmp(tag_name,
"ZoneList", 8) != 0
1357 && xmlTextReaderNodeType(reader) == 1) {
1361 ret = xmlTextReaderRead(reader);
1364 xmlFreeTextReader(reader);
1366 printf(
"%s : failed to parse\n", zonelist_filename);
1369 printf(
"Unable to open %s\n", zonelist_filename);
1373 zone_ids =
MemMalloc(file_zone_count *
sizeof(
int));
1379 if (file_zone_count != 0) {
1380 StrAppend(&sql,
"select name from zones where id not in (");
1381 for (j = 0; j < file_zone_count; ++j) {
1385 snprintf(buffer,
sizeof(buffer),
"%d", zone_ids[j]);
1390 StrAppend(&sql,
"select name from zones");
1396 while (status == 0) {
1400 printf(
"Found zone %s in DB but not zonelist.\n", temp_name);
1417 if (file_zone_count == 0) {
1418 printf(
"No zones in DB or zonelist.\n");
1446 int prev_zone_id = -1;
1448 char *case_keytype = NULL;
1449 char *case_keystate = NULL;
1450 char *zone_name = NULL;
1453 hsm_key_t *key = NULL;
1454 ldns_rr *dnskey_rr = NULL;
1455 ldns_rr *ds_sha1_rr = NULL;
1456 ldns_rr *ds_sha256_rr = NULL;
1457 hsm_sign_params_t *sign_params = NULL;
1470 int done_something = 0;
1477 if (strncmp(case_keystate,
"KEYPUBLISH", 10) == 0 || strncmp(
o_keystate,
"10", 2) == 0) {
1480 else if (strncmp(case_keystate,
"GENERATE", 8) == 0 || strncmp(
o_keystate,
"1", 1) == 0) {
1483 else if (strncmp(case_keystate,
"PUBLISH", 7) == 0 || strncmp(
o_keystate,
"2", 1) == 0) {
1486 else if (strncmp(case_keystate,
"READY", 5) == 0 || strncmp(
o_keystate,
"3", 1) == 0) {
1489 else if (strncmp(case_keystate,
"ACTIVE", 6) == 0 || strncmp(
o_keystate,
"4", 1) == 0) {
1492 else if (strncmp(case_keystate,
"RETIRE", 6) == 0 || strncmp(
o_keystate,
"5", 1) == 0) {
1495 else if (strncmp(case_keystate,
"DEAD", 4) == 0 || strncmp(
o_keystate,
"6", 1) == 0) {
1498 else if (strncmp(case_keystate,
"DSSUB", 5) == 0 || strncmp(
o_keystate,
"7", 1) == 0) {
1501 else if (strncmp(case_keystate,
"DSPUBLISH", 9) == 0 || strncmp(
o_keystate,
"8", 1) == 0) {
1504 else if (strncmp(case_keystate,
"DSREADY", 7) == 0 || strncmp(
o_keystate,
"9", 1) == 0) {
1508 printf(
"Error: Unrecognised state %s; should be one of GENERATE, PUBLISH, READY, ACTIVE, RETIRE, DEAD, DSSUB, DSPUBLISH, DSREADY or KEYPUBLISH\n",
o_keystate);
1520 if (strncmp(case_keytype,
"KSK", 3) == 0 || strncmp(
o_keytype,
"257", 3) == 0) {
1523 else if (strncmp(case_keytype,
"ZSK", 3) == 0 || strncmp(
o_keytype,
"256", 3) == 0) {
1527 printf(
"Error: Unrecognised keytype %s; should be one of KSK or ZSK\n",
o_keytype);
1538 printf(
"Failed to connect to database\n");
1550 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
1556 status = hsm_open(
config, hsm_prompt_pin);
1558 hsm_print_error(NULL);
1563 if (state_id != -1) {
1566 nchar = snprintf(buffer,
sizeof(buffer),
"(%d, %d, %d, %d, %d, %d)",
1569 if (nchar >=
sizeof(buffer)) {
1577 if (zone_id != -1) {
1585 status =
KsmKey(result, &data);
1586 while (status == 0) {
1588 if (ds_flag == 1 && data.
zone_id != prev_zone_id) {
1590 if (red_seen == 0 && act_seen == 0) {
1591 printf(
"\nWARNING: No active or ready keys seen for this zone. Do not load any DS records to the parent unless you understand the possible consequences.\n");
1592 }
else if (red_seen == 1 && act_seen == 1) {
1593 printf(
"\nWARNING: BOTH ready and active keys seen for this zone. Probably a key rollover is happening and you may only want the ready key to be submitted.\n");
1607 key = hsm_find_key_by_id(NULL, data.
location);
1610 printf(
"Key %s in DB but not repository\n", data.
location);
1614 sign_params = hsm_sign_params_new();
1616 if (zone_id == -1) {
1619 printf(
"Error: unable to find zone name for id %d\n", zone_id);
1620 hsm_sign_params_free(sign_params);
1623 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone_name);
1627 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
o_zone);
1630 sign_params->algorithm = data.
algorithm;
1631 sign_params->flags = LDNS_KEY_ZONE_KEY;
1633 sign_params->flags += LDNS_KEY_SEP_KEY;
1635 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
1636 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
1652 ldns_rr_set_ttl(dnskey_rr, rrttl);
1657 ldns_rr_print(stdout, dnskey_rr);
1669 ldns_rr_set_ttl(dnskey_rr, rrttl);
1674 ds_sha1_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA1);
1675 ldns_rr_print(stdout, ds_sha1_rr);
1678 ds_sha256_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA256);
1679 ldns_rr_print(stdout, ds_sha256_rr);
1684 hsm_sign_params_free(sign_params);
1686 status =
KsmKey(result, &data);
1696 if (ds_flag == 1 && red_seen == 0 && act_seen == 0) {
1697 printf(
"\nWARNING: No active or ready keys seen for this zone. Do not load any DS records to the parent unless you understand the possible consequences.\n");
1698 }
else if (ds_flag == 1 && red_seen == 1 && act_seen == 1) {
1699 printf(
"\nWARNING: BOTH ready and active keys seen for this zone. Probably a key rollover is happening and you may only want the ready key to be submitted.\n");
1703 if (!done_something) {
1704 if (state_id != -1) {
1707 printf(
"No keys in READY state or higher to export.\n");
1713 if (dnskey_rr != NULL) {
1714 ldns_rr_free(dnskey_rr);
1716 if (ds_sha1_rr != NULL) {
1717 ldns_rr_free(ds_sha1_rr);
1719 if (ds_sha256_rr != NULL) {
1720 ldns_rr_free(ds_sha256_rr);
1739 xmlDocPtr doc = xmlNewDoc((
const xmlChar *)
"1.0");
1746 if (all_flag &&
o_policy != NULL) {
1747 printf(
"can not use --all with --policy\n");
1750 else if (!all_flag &&
o_policy == NULL) {
1751 printf(
"please specify either --policy <policy> or --all\n");
1758 printf(
"Failed to connect to database\n");
1764 if (policy == NULL) {
1765 fprintf(stderr,
"Malloc for policy struct failed\n");
1780 policy->
zone == NULL || policy->
parent == NULL ||
1781 policy->
keys == NULL ||
1782 policy->
ksk == NULL || policy->
zsk == NULL ||
1784 fprintf(stderr,
"Malloc for policy struct failed\n");
1789 xmlKeepBlanksDefault(0);
1790 xmlTreeIndentString =
" ";
1791 root = xmlNewDocNode(doc, NULL, (
const xmlChar *)
"KASP", NULL);
1792 (void) xmlDocSetRootElement(doc, root);
1801 while (status == 0) {
1811 xmlSaveFormatFile(
"-", doc, 1);
1832 xmlDocPtr doc = xmlNewDoc((
const xmlChar *)
"1.0");
1835 int prev_policy_id = -1;
1842 printf(
"Failed to connect to database\n");
1849 fprintf(stderr,
"Malloc for zone struct failed\n");
1854 xmlKeepBlanksDefault(0);
1855 xmlTreeIndentString =
" ";
1856 root = xmlNewDocNode(doc, NULL, (
const xmlChar *)
"ZoneList", NULL);
1857 (void) xmlDocSetRootElement(doc, root);
1863 status =
KsmZone(result, zone);
1865 while (status == 0) {
1866 if (zone->
policy_id != prev_policy_id) {
1870 fprintf(stderr,
"Couldn't get name for policy with ID: %d, exiting...\n", zone->
policy_id);
1877 status =
KsmZone(result, zone);
1882 xmlSaveFormatFile(
"-", doc, 1);
1900 FILE* lock_fd = NULL;
1922 printf(
"Failed to connect to database\n");
1933 printf(
"Error, can't find zone : %s\n",
o_zone);
1953 if (data.
value == 1) {
1954 printf(
"*WARNING* This zone shares keys with others, all instances of the active key on this zone will be retired; are you sure? [y/N] ");
1956 user_certain = getchar();
1957 if (user_certain !=
'y' && user_certain !=
'Y') {
1958 printf(
"Okay, quitting...\n");
1964 status =
keyRoll(zone_id, -1, key_type);
1971 snprintf(logmsg, 256,
"Manual key rollover for key type %s on zone %s initiated" , (
o_keytype == NULL) ?
"all" :
o_keytype,
o_zone);
1972 printf(
"\n%s\n", logmsg);
1975 #ifdef HAVE_OPENLOG_R
1980 #ifdef HAVE_SYSLOG_R
1981 syslog_r(LOG_INFO, &sdata,
"%s", logmsg);
1983 syslog(LOG_INFO,
"%s", logmsg);
1985 #ifdef HAVE_CLOSELOG_R
1995 if (restart_enforcerd() != 0)
1997 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
2013 FILE* lock_fd = NULL;
2017 int zone_count = -1;
2036 printf(
"Failed to connect to database\n");
2043 printf(
"Error, can't find policy : %s\n",
o_policy);
2049 printf(
"*WARNING* This will roll all keys on the policy; are you sure? [y/N] ");
2051 user_certain = getchar();
2052 if (user_certain !=
'y' && user_certain !=
'Y') {
2053 printf(
"Okay, quitting...\n");
2068 if (zone_count == 0) {
2069 printf(
"No zones on policy; nothing to roll\n");
2074 printf(
"Couldn't count zones on policy; quitting...\n");
2079 status =
keyRoll(-1, policy_id, key_type);
2086 snprintf(logmsg, 256,
"Manual key rollover for key type %s on policy %s initiated" , (
o_keytype == NULL) ?
"all" :
o_keytype,
o_policy);
2087 printf(
"%s\n", logmsg);
2090 #ifdef HAVE_OPENLOG_R
2095 #ifdef HAVE_SYSLOG_R
2096 syslog_r(LOG_INFO, &sdata,
"%s", logmsg);
2098 syslog(LOG_INFO,
"%s", logmsg);
2100 #ifdef HAVE_CLOSELOG_R
2110 if (restart_enforcerd() != 0)
2112 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
2133 FILE* lock_fd = NULL;
2138 printf(
"Failed to connect to database\n");
2147 printf(
"Error: unable to find a policy named \"%s\" in database\n",
o_policy);
2161 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2171 printf(
"Error: failed to purge dead keys\n");
2197 FILE* lock_fd = NULL;
2202 if (datetime == NULL) {
2203 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
2208 if ( strncmp(qualifier,
"DONE", 4) == 0 ) {
2209 printf(
"*WARNING* One-step backups are deprecated in favour of a two-step process; see the documentation on key management for the explanation.\n");
2212 if (force_flag == 0) {
2213 printf(
"Do you wish to continue? [y/N] ");
2215 user_certain = getchar();
2216 if (user_certain !=
'y' && user_certain !=
'Y') {
2217 printf(
"Okay, quitting...\n");
2226 printf(
"Failed to connect to database\n");
2236 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
2244 if (strncmp(qualifier,
"PREPARE", 7) == 0 ||
2245 strncmp(qualifier,
"DONE", 4) == 0 ) {
2248 printf(
"There were no keys to mark\n");
2250 else if (status != 0) {
2251 printf(
"Error: failed to mark pre_backup as done\n");
2256 if (strncmp(qualifier,
"PREPARE", 7) == 0) {
2258 printf(
"Marked repository %s as pre-backed up at %s\n",
o_repository, datetime);
2260 printf(
"Marked all repositories as pre-backed up at %s\n", datetime);
2267 if (strncmp(qualifier,
"COMMIT", 6) == 0 ||
2268 strncmp(qualifier,
"DONE", 4) == 0 ) {
2271 printf(
"There were no keys to mark\n");
2273 else if (status != 0) {
2274 printf(
"Error: failed to mark backup as done\n");
2280 printf(
"Marked repository %s as backed up at %s\n",
o_repository, datetime);
2282 printf(
"Marked all repositories as backed up at %s\n", datetime);
2288 if (strncmp(qualifier,
"ROLLBACK", 6) == 0 ) {
2291 printf(
"There were no keys to rollback\n");
2293 else if (status != 0) {
2294 printf(
"Error: failed to mark backup as done\n");
2300 printf(
"Rolled back pre-backup of repository %s\n",
o_repository);
2302 printf(
"Rolled back pre-backup of all repositories\n");
2324 int qualifier_id = -1;
2328 FILE* lock_fd = NULL;
2333 printf(
"Failed to connect to database\n");
2346 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2353 printf(
"Rollovers:\n");
2358 printf(
"Error: failed to list rollovers\n");
2367 if (verbose_flag && ds_count > 0) {
2369 status =
ListDS(qualifier_id);
2372 printf(
"Error: failed to list DS records\n");
2393 int qualifier_id = -1;
2397 FILE* lock_fd = NULL;
2402 printf(
"Failed to connect to database\n");
2411 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
2417 printf(
"Backups:\n");
2421 printf(
"Error: failed to list backups\n");
2444 FILE* lock_fd = NULL;
2449 printf(
"Failed to connect to database\n");
2454 printf(
"Repositories:\n");
2459 printf(
"Error: failed to list repositories\n");
2460 if (lock_fd != NULL) {
2485 FILE* lock_fd = NULL;
2490 printf(
"Failed to connect to database\n");
2495 printf(
"Policies:\n");
2500 printf(
"Error: failed to list policies\n");
2521 int qualifier_id = -1;
2525 FILE* lock_fd = NULL;
2530 printf(
"Failed to connect to database\n");
2543 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2555 printf(
"Error: failed to list keys\n");
2582 int keytag_int = -1;
2583 int temp_key_state = -1;
2584 int temp_keypair_id = -1;
2585 char* temp_cka_id = NULL;
2590 FILE* lock_fd = NULL;
2595 if (datetime == NULL) {
2596 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
2602 printf(
"*WARNING* This will retire the currently active KSK; are you sure? [y/N] ");
2604 user_certain = getchar();
2605 if (user_certain !=
'y' && user_certain !=
'Y') {
2606 printf(
"Okay, quitting...\n");
2613 printf(
"Failed to connect to database\n");
2627 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2640 printf(
"Error: Unable to convert keytag \"%s\"; to an integer\n",
o_keytag);
2646 printf(
"Error: keytag \"%s\"; should be numeric only\n",
o_keytag);
2656 printf(
"Please provide a zone or details of the key to roll\n");
2665 printf(
"Error: failed to count active keys\n");
2672 if (key_count < 2) {
2673 printf(
"Error: completing this action would leave no active keys on zone, quitting...\n");
2682 printf(
"Error: failed to find policy for zone\n");
2691 printf(
"Old key retired\n");
2693 printf(
"Old key NOT retired\n");
2701 status =
CountKeys(&zone_id, keytag_int,
o_cka_id, &key_count, &temp_cka_id, &temp_key_state, &temp_keypair_id);
2703 printf(
"Error: failed to count keys\n");
2710 if (key_count > 1) {
2711 printf(
"More than one key matched your parameters, please include more information from the above keys\n");
2719 printf(
"No keys in the ACTIVE state matched your parameters, please check the parameters\n");
2727 printf(
"Error: failed to count active keys\n");
2734 if (key_count < 2) {
2735 printf(
"Error: completing this action would leave no active keys on zone, quitting...\n");
2744 printf(
"Error: failed to find policy for zone\n");
2755 printf(
"Key %s retired\n", temp_cka_id);
2782 int retired_count = -1;
2783 int keytag_int = -1;
2784 int temp_key_state = -1;
2785 int temp_keypair_id = -1;
2786 char* temp_cka_id = NULL;
2791 FILE* lock_fd = NULL;
2798 if (datetime == NULL) {
2799 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
2806 printf(
"Please provide a keytag or a CKA_ID for the key (CKA_ID will be used if both are provided\n");
2814 printf(
"*WARNING* This will retire the currently active KSK; are you sure? [y/N] ");
2816 user_certain = getchar();
2817 if (user_certain !=
'y' && user_certain !=
'Y') {
2818 printf(
"Okay, quitting...\n");
2825 printf(
"Failed to connect to database\n");
2836 printf(
"Please specify a zone using the --zone flag\n");
2842 else if (
o_zone != NULL) {
2849 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2856 else if (all_flag) {
2857 printf(
"*WARNING* This will act on every zone where this key is in use; are you sure? [y/N] ");
2859 user_certain = getchar();
2860 if (user_certain !=
'y' && user_certain !=
'Y') {
2861 printf(
"Okay, quitting...\n");
2873 printf(
"Error: Unable to convert keytag \"%s\"; to an integer\n",
o_keytag);
2879 printf(
"Error: keytag \"%s\"; should be numeric only\n",
o_keytag);
2890 status =
CountKeys(&zone_id, keytag_int,
o_cka_id, &key_count, &temp_cka_id, &temp_key_state, &temp_keypair_id);
2892 printf(
"Error: failed to count keys\n");
2899 if (key_count > 1) {
2900 printf(
"More than one key matched your parameters, please include more information from the above keys\n");
2908 printf(
"Key is already active\n");
2915 if (key_count == 0) {
2916 printf(
"No keys in the READY state matched your parameters, please check the parameters\n");
2925 printf(
"Error: failed to find policy for zone\n");
2932 status =
MarkDSSeen(temp_keypair_id, zone_id, policy_id, datetime, temp_key_state);
2936 snprintf(logmsg, 256,
"Key %s made %s", temp_cka_id, (temp_key_state ==
KSM_STATE_READY) ?
"active" :
"into standby");
2937 printf(
"%s\n", logmsg);
2940 #ifdef HAVE_OPENLOG_R
2945 #ifdef HAVE_SYSLOG_R
2946 syslog_r(LOG_INFO, &sdata,
"%s", logmsg);
2948 syslog(LOG_INFO,
"%s", logmsg);
2950 #ifdef HAVE_CLOSELOG_R
2960 if (retire_flag == 1) {
2965 printf(
"Error: failed to count active keys\n");
2972 if (key_count < 2) {
2976 printf(
"Error: failed to count retired keys\n");
2985 if (retired_count != 0) {
2986 printf(
"Error: retiring a key would leave no active keys on zone, skipping...\n");
2991 if (restart_enforcerd() != 0)
2993 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
3003 printf(
"Old key retired\n");
3005 printf(
"Old key NOT retired\n");
3008 printf(
"Old key NOT retired\n");
3013 if (restart_enforcerd() != 0)
3015 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
3037 char* case_keytype = NULL;
3038 char* case_algorithm = NULL;
3039 char* case_state = NULL;
3044 int cka_id_exists = -1;
3045 int keytype_id = -1;
3052 DB_ID keypair_id = 0;
3061 FILE* lock_fd = NULL;
3071 printf(
"Error: please specify a CKA_ID with the --cka_id <CKA_ID>\n");
3075 printf(
"Error: please specify a repository with the --repository <repository>\n");
3079 printf(
"Error: please specify a zone with the --zone <zone>\n");
3083 printf(
"Error: please specify the number of bits with the --bits <size>\n");
3087 printf(
"Error: please specify the algorithm with the --algorithm <algorithm>\n");
3091 printf(
"Error: please specify the state with the --keystate <state>\n");
3095 printf(
"Error: please specify a keytype, KSK or ZSK, with the --keytype <type>\n");
3099 printf(
"Error: please specify the time of when the key entered the given state with the --time <time>\n");
3106 printf(
"Failed to connect to database\n");
3114 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
3126 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
3138 if (cka_id_exists == 1) {
3139 printf(
"Error: key with CKA_ID \"%s\" already exists in database\n",
o_cka_id);
3147 if (strncmp(case_keytype,
"KSK", 3) == 0 || strncmp(
o_keytype,
"257", 3) == 0) {
3150 else if (strncmp(case_keytype,
"ZSK", 3) == 0 || strncmp(
o_keytype,
"256", 3) == 0) {
3154 printf(
"Error: Unrecognised keytype %s; should be one of KSK or ZSK\n",
o_keytype);
3166 printf(
"Error: Unable to convert bits \"%s\"; to an integer\n",
o_size);
3171 printf(
"Error: Bits \"%s\"; should be numeric only\n",
o_size);
3189 if (status != 0 || algo_id == 0 || hsm_supported_algorithm(algo_id) != 0) {
3190 printf(
"Error: Key algorithm %s not supported; try one of RSASHA1, RSASHA1-NSEC3-SHA1 or RSASHA256\n",
o_algo);
3198 if (strncmp(case_state,
"GENERATE", 8) == 0 || strncmp(
o_keystate,
"1", 1) == 0) {
3201 else if (strncmp(case_state,
"PUBLISH", 7) == 0 || strncmp(
o_keystate,
"2", 1) == 0) {
3204 else if (strncmp(case_state,
"READY", 5) == 0 || strncmp(
o_keystate,
"3", 1) == 0) {
3207 else if (strncmp(case_state,
"ACTIVE", 6) == 0 || strncmp(
o_keystate,
"4", 1) == 0) {
3210 else if (strncmp(case_state,
"RETIRE", 6) == 0 || strncmp(
o_keystate,
"5", 1) == 0) {
3214 printf(
"Error: Unrecognised state %s; should be one of GENERATE, PUBLISH, READY, ACTIVE or RETIRE\n",
o_keystate);
3225 printf(
"Error: unable to convert \"%s\" into a date\n",
o_time);
3232 snprintf(form_time,
KSM_TIME_LENGTH,
"%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d",
3233 datetime.tm_year + 1900, datetime.tm_mon + 1, datetime.tm_mday,
3234 datetime.tm_hour, datetime.tm_min, datetime.tm_sec);
3240 printf(
"Error: unable to specify retire time for a key in state \"%s\"\n",
o_keystate);
3247 printf(
"Error: unable to convert retire time \"%s\" into a date\n",
o_retire);
3254 snprintf(form_opt_time,
KSM_TIME_LENGTH,
"%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d",
3255 datetime.tm_year + 1900, datetime.tm_mon + 1, datetime.tm_mday,
3256 datetime.tm_hour, datetime.tm_min, datetime.tm_sec);
3260 form_opt_time[0] =
'\0';
3277 if (data.
value == 1) {
3278 printf(
"*WARNING* This zone shares keys with others, the key will be added to all; are you sure? [y/N] ");
3280 user_certain = getchar();
3281 if (user_certain !=
'y' && user_certain !=
'Y') {
3282 printf(
"Okay, quitting...\n");
3289 status =
KsmImportKeyPair(policy_id,
o_cka_id, repo_id, size_int, algo_id, state_id, form_time, fix_time, &keypair_id);
3291 printf(
"Error: couldn't import key\n");
3301 status =
KsmDnssecKeyCreate(zone_id, (
int) keypair_id, keytype_id, state_id, form_time, form_opt_time, &ignore);
3304 printf(
"Error: couldn't allocate key to zone(s)\n");
3309 printf(
"Key imported into zone(s)\n");
3325 FILE* lock_fd = NULL;
3328 char *dbschema = NULL;
3332 char *password = NULL;
3336 char* backup_filename = NULL;
3337 char* lock_filename;
3339 char *path = getenv(
"PWD");
3342 printf(
"Sorry, currently this utility can only backup a sqlite database file\n");
3347 status =
get_db_details(&dbschema, &host, &port, &user, &password);
3358 lock_filename = NULL;
3362 lock_fd = fopen(lock_filename,
"w");
3365 printf(
"Error getting db lock\n");
3366 if (lock_fd != NULL) {
3416 char* kasp_filename = NULL;
3417 char* zonelist_filename = NULL;
3418 char* backup_filename = NULL;
3421 FILE* lock_fd = NULL;
3430 int zone_count = -1;
3432 xmlDocPtr doc = NULL;
3435 printf(
"*WARNING* This feature is experimental and has not been fully tested; are you sure? [y/N] ");
3437 user_certain = getchar();
3438 if (user_certain !=
'y' && user_certain !=
'Y') {
3439 printf(
"Okay, quitting...\n");
3446 printf(
"Failed to read conf.xml\n");
3452 StrAppend(&backup_filename, kasp_filename);
3454 status =
backup_file(kasp_filename, backup_filename);
3464 if ((test = fopen(kasp_filename,
"ab"))==NULL) {
3465 printf(
"Cannot open kasp.xml for writing: %s\n", strerror(errno));
3476 printf(
"Failed to connect to database\n");
3497 if (policy == NULL) {
3498 printf(
"Malloc for policy struct failed\n");
3507 while (status == 0) {
3517 if (zone_count == 0) {
3518 printf(
"No zones on policy %s; purging...\n", policy->
name);
3520 size = snprintf(sql,
KSM_SQL_SIZE,
"update dnsseckeys set state = %d where keypair_id in (select id from keypairs where policy_id = %d)",
KSM_STATE_DEAD, policy->
id);
3524 printf(
"Couldn't construct SQL to kill orphaned keys\n");
3547 printf(
"Key purge failed for policy %s\n", policy->
name);
3556 sql2 =
DdsInit(
"parameters_policies");
3600 status = xmlSaveFormatFile(kasp_filename, doc, 1);
3603 printf(
"Could not save %s\n", kasp_filename);
3613 printf(
"Couldn't count zones on policy; quitting...\n");
3651 char* ods_control_cmd = NULL;
3652 char* ptr = command;
3657 *ptr = tolower((
int) *ptr);
3663 StrAppend(&ods_control_cmd, ODS_EN_CONTROL);
3666 status = system(ods_control_cmd);
3669 fprintf(stderr,
"Couldn't run %s\n", ods_control_cmd);
3685 char* case_command = NULL;
3686 char* case_verb = NULL;
3688 int option_index = 0;
3689 static struct option long_options[] =
3691 {
"all", no_argument, 0,
'a'},
3692 {
"auto-accept", no_argument, 0,
'A'},
3693 {
"bits", required_argument, 0,
'b'},
3694 {
"config", required_argument, 0,
'c'},
3695 {
"ds", no_argument, 0,
'd'},
3696 {
"keystate", required_argument, 0,
'e'},
3697 {
"no-retire", no_argument, 0,
'f'},
3698 {
"force", no_argument, 0,
'F'},
3699 {
"algorithm", required_argument, 0,
'g'},
3700 {
"help", no_argument, 0,
'h'},
3701 {
"input", required_argument, 0,
'i'},
3702 {
"in-type", required_argument, 0,
'j'},
3703 {
"cka_id", required_argument, 0,
'k'},
3704 {
"no-xml", no_argument, 0,
'm'},
3705 {
"no-hsm", no_argument, 0,
'M'},
3706 {
"interval", required_argument, 0,
'n'},
3707 {
"output", required_argument, 0,
'o'},
3708 {
"policy", required_argument, 0,
'p'},
3709 {
"out-type", required_argument, 0,
'q'},
3710 {
"repository", required_argument, 0,
'r'},
3711 {
"signerconf", required_argument, 0,
's'},
3712 {
"keytype", required_argument, 0,
't'},
3713 {
"time", required_argument, 0,
'w'},
3714 {
"verbose", no_argument, 0,
'v'},
3715 {
"version", no_argument, 0,
'V'},
3716 {
"keytag", required_argument, 0,
'x'},
3717 {
"retire", required_argument, 0,
'y'},
3718 {
"zone", required_argument, 0,
'z'},
3724 while ((ch = getopt_long(argc, argv,
"aAb:c:de:fFg:hi:j:k:mMn:o:p:q:r:s:t:vVw:x:y:z:", long_options, &option_index)) != -1) {
3730 auto_accept_flag = 1;
3797 printf(
"%s version %s\n", PACKAGE_NAME, PACKAGE_VERSION);
3852 if (!strncmp(case_command,
"SETUP", 5)) {
3856 }
else if (!strncmp(case_command,
"UPDATE", 6)) {
3860 }
else if (!strncmp(case_command,
"START", 5) ||
3861 !strncmp(case_command,
"STOP", 4) ||
3862 !strncmp(case_command,
"NOTIFY", 6)) {
3866 }
else if (!strncmp(case_command,
"ZONE", 4) && strlen(case_command) == 4) {
3871 if (!strncmp(case_verb,
"ADD", 3)) {
3873 }
else if (!strncmp(case_verb,
"DELETE", 6)) {
3875 }
else if (!strncmp(case_verb,
"LIST", 4)) {
3878 printf(
"Unknown command: zone %s\n", case_verb);
3882 }
else if (!strncmp(case_command,
"REPOSITORY", 10)) {
3886 if (!strncmp(case_verb,
"LIST", 4)) {
3889 printf(
"Unknown command: repository %s\n", case_verb);
3893 }
else if (!strncmp(case_command,
"POLICY", 6)) {
3897 if (!strncmp(case_verb,
"EXPORT", 6)) {
3899 }
else if (!strncmp(case_verb,
"IMPORT", 6)) {
3901 }
else if (!strncmp(case_verb,
"LIST", 4)) {
3903 }
else if (!strncmp(case_verb,
"PURGE", 5)) {
3906 printf(
"Unknown command: policy %s\n", case_verb);
3910 }
else if (!strncmp(case_command,
"KEY", 3)) {
3914 if (!strncmp(case_verb,
"LIST", 4)) {
3917 else if (!strncmp(case_verb,
"EXPORT", 6)) {
3920 else if (!strncmp(case_verb,
"IMPORT", 6)) {
3923 else if (!strncmp(case_verb,
"ROLLOVER", 8)) {
3925 if (all_flag == 0 &&
o_keytype == NULL) {
3926 printf(
"Please specify either a keytype, KSK or ZSK, with the --keytype <type> option or use the --all option\n");
3939 printf(
"Please provide either a zone OR a policy to rollover\n");
3945 else if (!strncmp(case_verb,
"PURGE", 5)) {
3951 printf(
"Please provide either a zone OR a policy to key purge\n");
3956 else if (!strncmp(case_verb,
"GENERATE", 8)) {
3959 else if (!strncmp(case_verb,
"KSK-RETIRE", 10)) {
3962 else if (!strncmp(case_verb,
"DS-SEEN", 7)) {
3964 }
else if (!strncmp(case_verb,
"DELETE", 6)) {
3967 printf(
"Unknown command: key %s\n", case_verb);
3971 }
else if (!strncmp(case_command,
"BACKUP", 6)) {
3975 if (!strncmp(case_verb,
"DONE", 4) ||
3976 !strncmp(case_verb,
"PREPARE", 7) ||
3977 !strncmp(case_verb,
"COMMIT", 6) ||
3978 !strncmp(case_verb,
"ROLLBACK", 8)) {
3981 else if (!strncmp(case_verb,
"LIST", 4)) {
3984 printf(
"Unknown command: backup %s\n", case_verb);
3988 }
else if (!strncmp(case_command,
"ROLLOVER", 8)) {
3991 if (!strncmp(case_verb,
"LIST", 4)) {
3994 printf(
"Unknown command: rollover %s\n", case_verb);
3998 }
else if (!strncmp(case_command,
"DATABASE", 8)) {
4002 if (!strncmp(case_verb,
"BACKUP", 6)) {
4005 printf(
"Unknown command: database %s\n", case_verb);
4009 }
else if (!strncmp(case_command,
"ZONELIST", 8)) {
4013 if (!strncmp(case_verb,
"EXPORT", 6)) {
4016 else if (!strncmp(case_verb,
"IMPORT", 6)) {
4019 printf(
"Unknown command: zonelist %s\n", case_verb);
4024 printf(
"Unknown command: %s\n", argv[0]);
4036 xmlCleanupGlobals();
4037 xmlCleanupThreads();
4059 char *dbschema = NULL;
4063 char *password = NULL;
4067 char* backup_filename = NULL;
4068 char* lock_filename;
4071 status =
get_db_details(&dbschema, &host, &port, &user, &password);
4087 if (lock_fd != NULL) {
4088 lock_filename = NULL;
4092 *lock_fd = fopen(lock_filename,
"w");
4095 printf(
"Error getting db lock\n");
4096 if (*lock_fd != NULL) {
4120 if (lock_fd != NULL) {
4135 status =
DbConnect(dbhandle, dbschema, host, password, user, port);
4157 if (lock_fd != NULL) {
4160 printf(
"Error releasing db lock");
4182 if (lock_fd == NULL) {
4183 printf(
"%s could not be opened\n", lock_filename);
4187 memset(&fl, 0,
sizeof(
struct flock));
4188 fl.l_type = F_WRLCK;
4189 fl.l_whence = SEEK_SET;
4190 fl.l_pid = getpid();
4192 while (fcntl(fileno(lock_fd), F_SETLK, &fl) == -1) {
4194 printf(
"couldn't get lock on %s; %s\n", lock_filename, strerror(errno));
4197 if (errno == EACCES || errno == EAGAIN) {
4198 printf(
"%s already locked, sleep\n", lock_filename);
4203 select(0, NULL, NULL, NULL, &tv);
4208 printf(
"couldn't get lock on %s; %s\n", lock_filename, strerror(errno));
4221 if (lock_fd == NULL) {
4225 memset(&fl, 0,
sizeof(
struct flock));
4226 fl.l_type = F_UNLCK;
4227 fl.l_whence = SEEK_SET;
4229 if (fcntl(fileno(lock_fd), F_SETLK, &fl) == -1) {
4242 xmlTextReaderPtr reader = NULL;
4243 xmlDocPtr doc = NULL;
4244 xmlXPathContextPtr xpathCtx = NULL;
4245 xmlXPathObjectPtr xpathObj = NULL;
4247 char* tag_name = NULL;
4248 char* temp_char = NULL;
4250 xmlChar *zonelist_expr = (
unsigned char*)
"//Common/ZoneListFile";
4251 xmlChar *kaspfile_expr = (
unsigned char*)
"//Common/PolicyFile";
4254 reader = xmlNewTextReaderFilename(
config);
4255 if (reader != NULL) {
4256 ret = xmlTextReaderRead(reader);
4258 tag_name = (
char*) xmlTextReaderLocalName(reader);
4260 if (strncmp(tag_name,
"Common", 6) == 0
4261 && xmlTextReaderNodeType(reader) == 1) {
4264 xmlTextReaderExpand(reader);
4265 doc = xmlTextReaderCurrentDoc(reader);
4267 printf(
"Error: can not read Common section\n");
4269 ret = xmlTextReaderRead(reader);
4273 xpathCtx = xmlXPathNewContext(doc);
4274 if(xpathCtx == NULL) {
4275 printf(
"Error: can not create XPath context for Common section\n");
4277 ret = xmlTextReaderRead(reader);
4282 xpathObj = xmlXPathEvalExpression(zonelist_expr, xpathCtx);
4283 if(xpathObj == NULL) {
4284 printf(
"Error: unable to evaluate xpath expression: %s\n", zonelist_expr);
4286 ret = xmlTextReaderRead(reader);
4289 *zone_list_filename = NULL;
4290 temp_char = (
char*) xmlXPathCastToString(xpathObj);
4291 StrAppend(zone_list_filename, temp_char);
4293 xmlXPathFreeObject(xpathObj);
4294 printf(
"zonelist filename set to %s.\n", *zone_list_filename);
4297 xpathObj = xmlXPathEvalExpression(kaspfile_expr, xpathCtx);
4298 xmlXPathFreeContext(xpathCtx);
4299 if(xpathObj == NULL) {
4300 printf(
"Error: unable to evaluate xpath expression: %s\n", kaspfile_expr);
4302 ret = xmlTextReaderRead(reader);
4305 *kasp_filename = NULL;
4306 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
4310 temp_char = (
char*) xmlXPathCastToString(xpathObj);
4318 StrAppend(kasp_filename, OPENDNSSEC_CONFIG_DIR);
4321 printf(
"kasp filename set to %s.\n", *kasp_filename);
4323 xmlXPathFreeObject(xpathObj);
4326 ret = xmlTextReaderRead(reader);
4330 xmlFreeTextReader(reader);
4332 printf(
"%s : failed to parse\n",
config);
4336 printf(
"Unable to open %s\n",
config);
4353 xmlDocPtr doc = NULL;
4354 xmlXPathContextPtr xpathCtx = NULL;
4355 xmlXPathObjectPtr xpathObj = NULL;
4357 char* repo_name = NULL;
4358 char* repo_capacity = NULL;
4359 int require_backup = 0;
4362 xmlChar *node_expr = (
unsigned char*)
"//Configuration/RepositoryList/Repository";
4366 doc = xmlParseFile(
config);
4368 printf(
"Unable to open %s\n",
config);
4373 xpathCtx = xmlXPathNewContext(doc);
4374 if(xpathCtx == NULL) {
4380 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
4381 if(xpathObj == NULL) {
4382 xmlXPathFreeContext(xpathCtx);
4387 if (xpathObj->nodesetval) {
4388 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
4393 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
4394 repo_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i],
4395 (
const xmlChar *)
"name");
4397 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Capacity")) {
4398 repo_capacity = (
char *) xmlNodeGetContent(curNode);
4400 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"RequireBackup")) {
4404 curNode = curNode->next;
4407 if (strlen(repo_name) != 0) {
4409 printf(
"Repository %s found\n", repo_name);
4410 if (strlen(repo_capacity) == 0) {
4411 printf(
"No Maximum Capacity set.\n");
4417 printf(
"Capacity set to %s.\n", repo_capacity);
4423 if (require_backup == 0) {
4424 printf(
"RequireBackup NOT set; please make sure that you know the potential problems of using keys which are not recoverable\n");
4426 printf(
"RequireBackup set.\n");
4430 printf(
"Error Importing Repository %s", repo_name);
4434 printf(
"WARNING: Repository found with NULL name, skipping...\n");
4442 xmlXPathFreeObject(xpathObj);
4445 xmlXPathFreeContext(xpathCtx);
4460 char *policy_name = NULL;
4461 char *policy_description = NULL;
4464 xmlDocPtr doc = NULL;
4465 xmlDocPtr pol_doc = NULL;
4466 xmlDocPtr rngdoc = NULL;
4469 xmlNode *childNode2;
4470 xmlNode *childNode3;
4471 xmlChar *opt_out_flag = (xmlChar *)
"N";
4472 xmlChar *share_keys_flag = (xmlChar *)
"N";
4473 xmlChar *man_roll_flag = (xmlChar *)
"N";
4474 xmlChar *rfc5011_flag = (xmlChar *)
"N";
4475 int standby_keys_flag = 0;
4476 xmlXPathContextPtr xpathCtx = NULL;
4477 xmlXPathObjectPtr xpathObj = NULL;
4478 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
4479 xmlRelaxNGValidCtxtPtr rngctx = NULL;
4480 xmlRelaxNGPtr schema = NULL;
4483 xmlChar *node_expr = (
unsigned char*)
"//Policy";
4489 int algo_change = 0;
4491 char* changes_made = NULL;
4496 const char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/kasp.rng";
4497 char* kaspcheck_cmd = NULL;
4498 char* kaspcheck_cmd_version = NULL;
4500 StrAppend(&kaspcheck_cmd, ODS_EN_KASPCHECK);
4504 StrAppend(&kaspcheck_cmd_version, ODS_EN_KASPCHECK);
4505 StrAppend(&kaspcheck_cmd_version,
" --version > /dev/null");
4508 status = system(kaspcheck_cmd_version);
4511 status = system(kaspcheck_cmd);
4514 fprintf(stderr,
"ods-kaspcheck returned an error, please check your policy\n");
4516 StrFree(kaspcheck_cmd_version);
4522 fprintf(stderr,
"Couldn't run ods-kaspcheck, will carry on\n");
4526 StrFree(kaspcheck_cmd_version);
4529 doc = xmlParseFile(kasp_filename);
4531 printf(
"Error: unable to parse file \"%s\"\n", kasp_filename);
4536 rngdoc = xmlParseFile(rngfilename);
4537 if (rngdoc == NULL) {
4538 printf(
"Error: unable to parse file \"%s\"\n", rngfilename);
4543 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
4544 if (rngpctx == NULL) {
4545 printf(
"Error: unable to create XML RelaxNGs parser context\n");
4550 schema = xmlRelaxNGParse(rngpctx);
4551 if (schema == NULL) {
4552 printf(
"Error: unable to parse a schema definition resource\n");
4557 rngctx = xmlRelaxNGNewValidCtxt(schema);
4558 if (rngctx == NULL) {
4559 printf(
"Error: unable to create RelaxNGs validation context based on the schema\n");
4564 status = xmlRelaxNGValidateDoc(rngctx,doc);
4566 printf(
"Error validating file \"%s\"\n", kasp_filename);
4572 if (policy == NULL) {
4573 printf(
"Malloc for policy struct failed");
4578 xpathCtx = xmlXPathNewContext(doc);
4579 if(xpathCtx == NULL) {
4586 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
4587 if(xpathObj == NULL) {
4588 xmlXPathFreeContext(xpathCtx);
4594 if (xpathObj->nodesetval) {
4600 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
4602 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
4603 policy_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
4604 if (strlen(policy_name) == 0) {
4606 printf(
"Error extracting policy name from %s\n", kasp_filename);
4619 printf(
"Error: unable to read policy %s; skipping\n", policy_name);
4624 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Keys")) {
4625 childNode = curNode->children;
4627 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"KSK")) {
4628 childNode2 = childNode->children;
4630 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
4633 status =
StrStrtoi((
char *)xmlNodeGetContent(childNode2), &value);
4635 printf(
"Error extracting KSK algorithm for policy %s, exiting...", policy_name);
4641 printf(
"\n\nAlgorithm change attempted... details:\n");
4642 StrAppend(&changes_made,
"Algorithm changes made, details:");
4645 size = snprintf(tmp_change,
KSM_MSG_LENGTH,
"Policy: %s, KSK algorithm changed from %d to %d.", policy_name, policy->
ksk->
algorithm, value);
4648 printf(
"Error constructing log message for policy %s, exiting...", policy_name);
4651 printf(
"%s\n", tmp_change);
4657 childNode2 = childNode2->next;
4662 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ZSK")) {
4663 childNode2 = childNode->children;
4665 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
4668 status =
StrStrtoi((
char *)xmlNodeGetContent(childNode2), &value);
4670 printf(
"Error extracting ZSK algorithm for policy %s, exiting...", policy_name);
4676 printf(
"\n\nAlgorithm change attempted... details:\n");
4677 StrAppend(&changes_made,
"Algorithm changes made, details:");
4680 size = snprintf(tmp_change,
KSM_MSG_LENGTH,
"Policy: %s, ZSK algorithm changed from %d to %d.", policy_name, policy->
zsk->
algorithm, value);
4683 printf(
"Error constructing log message for policy %s, exiting...", policy_name);
4686 printf(
"%s\n", tmp_change);
4692 childNode2 = childNode2->next;
4697 childNode = childNode->next;
4700 curNode = curNode->next;
4712 if (algo_change == 1 && force_flag == 0) {
4713 printf(
"*WARNING* This will change the algorithms used as noted above. Algorithm rollover is _not_ supported by OpenDNSSEC and zones may break. Are you sure? [y/N] ");
4715 user_certain = getchar();
4716 if (user_certain !=
'y' && user_certain !=
'Y') {
4717 printf(
"\nOkay, quitting...\n");
4718 xmlXPathFreeContext(xpathCtx);
4731 #ifdef HAVE_OPENLOG_R
4736 #ifdef HAVE_SYSLOG_R
4737 syslog_r(LOG_INFO, &sdata,
"%s", changes_made);
4739 syslog(LOG_INFO,
"%s", changes_made);
4741 #ifdef HAVE_CLOSELOG_R
4752 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
4754 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
4755 policy_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
4756 if (strlen(policy_name) == 0) {
4758 printf(
"Error extracting policy name from %s\n", kasp_filename);
4762 printf(
"Policy %s found\n", policy_name);
4764 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Description")) {
4765 policy_description = (
char *) xmlNodeGetContent(curNode);
4775 printf(
"Error: unable to read policy %s; skipping\n", policy_name);
4776 curNode = curNode->next;
4784 printf(
"Error: unable to update policy description for %s; skipping\n", policy_name);
4786 curNode = curNode->next;
4795 printf(
"Error: unable to insert policy %s; skipping\n", policy_name);
4797 curNode = curNode->next;
4803 printf(
"Error: unable to get policy id for %s; skipping\n", policy_name);
4804 curNode = curNode->next;
4810 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Signatures")) {
4811 childNode = curNode->children;
4813 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Resign")) {
4816 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Refresh")) {
4819 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Validity")) {
4820 childNode2 = childNode->children;
4822 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Default")) {
4825 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Denial")) {
4828 childNode2 = childNode2->next;
4831 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Jitter")) {
4834 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"InceptionOffset")) {
4837 childNode = childNode->next;
4840 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Denial")) {
4841 opt_out_flag = (xmlChar *)
"N";
4842 childNode = curNode->children;
4844 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC3")) {
4848 printf(
"Error: unable to insert/update %s for policy\n",
"Denial version");
4850 childNode2 = childNode->children;
4852 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"OptOut")) {
4853 opt_out_flag = (xmlChar *)
"Y";
4855 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Resalt")) {
4858 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Hash")) {
4859 childNode3 = childNode2->children;
4861 if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Algorithm")) {
4864 else if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Iterations")) {
4867 else if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Salt")) {
4870 childNode3 = childNode3->next;
4874 childNode2 = childNode2->next;
4879 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC")) {
4882 printf(
"Error: unable to insert/update %s for policy\n",
"Denial version");
4885 childNode = childNode->next;
4888 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Keys")) {
4889 share_keys_flag = (xmlChar *)
"N";
4890 childNode = curNode->children;
4892 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"TTL")) {
4895 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"RetireSafety")) {
4898 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PublishSafety")) {
4901 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ShareKeys")) {
4902 share_keys_flag = (xmlChar *)
"Y";
4904 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Purge")) {
4908 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"KSK")) {
4909 man_roll_flag = (xmlChar *)
"N";
4910 rfc5011_flag = (xmlChar *)
"N";
4911 childNode2 = childNode->children;
4913 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
4918 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
4921 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
4923 printf(
"Please either add the repository to conf.xml or remove the reference to it from kasp.xml\n");
4925 xmlFreeDoc(pol_doc);
4926 xmlXPathFreeContext(xpathCtx);
4927 xmlRelaxNGFree(schema);
4928 xmlRelaxNGFreeValidCtxt(rngctx);
4929 xmlRelaxNGFreeParserCtxt(rngpctx);
4937 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Standby")) {
4939 standby_keys_flag = 1;
4941 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"ManualRollover")) {
4942 man_roll_flag = (xmlChar *)
"Y";
4944 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"RFC5011")) {
4945 rfc5011_flag = (xmlChar *)
"Y";
4950 childNode2 = childNode2->next;
4955 if (standby_keys_flag == 0) {
4958 standby_keys_flag = 0;
4962 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ZSK")) {
4963 man_roll_flag = (xmlChar *)
"N";
4964 childNode2 = childNode->children;
4966 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
4971 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
4974 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
4976 printf(
"Please either add the repository to conf.xml or remove the reference to it from kasp.xml\n");
4978 xmlFreeDoc(pol_doc);
4979 xmlXPathFreeContext(xpathCtx);
4980 xmlRelaxNGFree(schema);
4981 xmlRelaxNGFreeValidCtxt(rngctx);
4982 xmlRelaxNGFreeParserCtxt(rngpctx);
4990 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Standby")) {
4992 standby_keys_flag = 1;
4994 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"ManualRollover")) {
4995 man_roll_flag = (xmlChar *)
"Y";
4997 childNode2 = childNode2->next;
5003 childNode = childNode->next;
5007 if (standby_keys_flag == 0) {
5010 standby_keys_flag = 0;
5015 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Zone")) {
5016 childNode = curNode->children;
5018 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PropagationDelay")) {
5021 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"SOA")) {
5022 childNode2 = childNode->children;
5024 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
5027 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Minimum")) {
5030 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Serial")) {
5033 childNode2 = childNode2->next;
5036 childNode = childNode->next;
5040 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Parent")) {
5041 childNode = curNode->children;
5043 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PropagationDelay")) {
5046 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"DS")) {
5047 childNode2 = childNode->children;
5049 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
5052 childNode2 = childNode2->next;
5055 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"SOA")) {
5056 childNode2 = childNode->children;
5058 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
5061 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Minimum")) {
5064 childNode2 = childNode2->next;
5067 childNode = childNode->next;
5071 curNode = curNode->next;
5082 xmlXPathFreeContext(xpathCtx);
5083 xmlRelaxNGFree(schema);
5084 xmlRelaxNGFreeValidCtxt(rngctx);
5085 xmlRelaxNGFreeParserCtxt(rngpctx);
5099 xmlDocPtr doc = NULL;
5100 xmlDocPtr rngdoc = NULL;
5103 xmlNode *childNode2;
5104 xmlXPathContextPtr xpathCtx = NULL;
5105 xmlXPathObjectPtr xpathObj = NULL;
5106 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
5107 xmlRelaxNGValidCtxtPtr rngctx = NULL;
5108 xmlRelaxNGPtr schema = NULL;
5110 char* zone_name = NULL;
5111 char* policy_name = NULL;
5112 char* current_policy = NULL;
5113 char* current_signconf = NULL;
5114 char* current_input = NULL;
5115 char* current_output = NULL;
5116 char* current_in_type = NULL;
5117 char* current_out_type = NULL;
5120 int file_zone_count = 0;
5121 int db_zone_count = 0;
5135 xmlChar *node_expr = (
unsigned char*)
"//Zone";
5136 const char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/zonelist.rng";
5139 doc = xmlParseFile(zone_list_filename);
5141 printf(
"Error: unable to parse file \"%s\"\n", zone_list_filename);
5146 rngdoc = xmlParseFile(rngfilename);
5147 if (rngdoc == NULL) {
5148 printf(
"Error: unable to parse file \"%s\"\n", rngfilename);
5153 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
5154 if (rngpctx == NULL) {
5155 printf(
"Error: unable to create XML RelaxNGs parser context\n");
5160 schema = xmlRelaxNGParse(rngpctx);
5161 if (schema == NULL) {
5162 printf(
"Error: unable to parse a schema definition resource\n");
5167 rngctx = xmlRelaxNGNewValidCtxt(schema);
5168 if (rngctx == NULL) {
5169 printf(
"Error: unable to create RelaxNGs validation context based on the schema\n");
5174 status = xmlRelaxNGValidateDoc(rngctx,doc);
5176 printf(
"Error validating file \"%s\"\n", zone_list_filename);
5181 xpathCtx = xmlXPathNewContext(doc);
5182 if(xpathCtx == NULL) {
5188 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
5189 if(xpathObj == NULL) {
5190 xmlXPathFreeContext(xpathCtx);
5195 if (xpathObj->nodesetval) {
5196 file_zone_count = xpathObj->nodesetval->nodeNr;
5198 printf(
"Error extracting zone count from %s\n", zone_list_filename);
5199 xmlXPathFreeContext(xpathCtx);
5205 zone_ids =
MemMalloc(file_zone_count *
sizeof(
int));
5207 if (xpathObj->nodesetval) {
5208 for (i = 0; i < file_zone_count; i++) {
5210 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
5211 zone_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
5212 if (strlen(zone_name) == 0) {
5214 printf(
"Error extracting zone name from %s\n", zone_list_filename);
5227 printf(
"Zone %s found; ", zone_name);
5230 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Policy")) {
5231 current_policy = (
char *) xmlNodeGetContent(curNode);
5233 printf(
"policy set to %s\n", current_policy);
5236 if (policy_name == NULL || strcmp(current_policy, policy_name) != 0) {
5238 StrAppend(&policy_name, current_policy);
5242 printf(
"ERROR, can't find policy %s.\n", policy_name);
5249 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"SignerConfiguration")) {
5250 current_signconf = (
char *) xmlNodeGetContent(curNode);
5253 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Adapters")) {
5254 childNode = curNode->children;
5257 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Input")) {
5258 childNode2 = childNode->children;
5260 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Adapter")) {
5261 current_input = (
char *) xmlNodeGetContent(childNode2);
5262 current_in_type = (
char *) xmlGetProp(childNode2, (
const xmlChar *)
"type");
5264 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"File")) {
5265 current_input = (
char *) xmlNodeGetContent(childNode2);
5266 current_in_type = (
char *) childNode2->name;
5268 childNode2 = childNode2->next;
5272 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Output")) {
5273 childNode2 = childNode->children;
5275 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Adapter")) {
5276 current_output = (
char *) xmlNodeGetContent(childNode2);
5277 current_out_type = (
char *) xmlGetProp(childNode2, (
const xmlChar *)
"type");
5279 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"File")) {
5280 current_output = (
char *) xmlNodeGetContent(childNode2);
5281 current_out_type = (
char *) childNode2->name;
5283 childNode2 = childNode2->next;
5286 childNode = childNode->next;
5289 curNode = curNode->next;
5295 status =
KsmImportZone(zone_name, policy_id, 0, &new_zone, current_signconf, current_input, current_output, current_in_type, current_out_type);
5298 printf(
"Error Importing zone %s; it already exists both with and without a trailing dot\n", zone_name);
5300 printf(
"Error Importing Zone %s\n", zone_name);
5306 if (new_zone == 1) {
5307 printf(
"Added zone %s to database\n", zone_name);
5313 printf(
"Error: unable to find a zone named \"%s\" in database\n", zone_name);
5314 printf(
"Error: Possibly two domains differ only by having a trailing dot or not?\n");
5320 zone_ids[i] = temp_id;
5328 xmlXPathFreeContext(xpathCtx);
5329 xmlRelaxNGFree(schema);
5330 xmlRelaxNGFreeValidCtxt(rngctx);
5331 xmlRelaxNGFreeParserCtxt(rngpctx);
5344 if (file_zone_count == db_zone_count) {
5349 else if (file_zone_count > db_zone_count) {
5350 printf(
"Failed to add all zones from zonelist\n");
5366 while (status == 0) {
5367 DbInt(row, 0, &temp_id);
5369 DbInt(row, 2, &policy_id);
5372 for (i = 0; i < db_zone_count; ++i) {
5373 if (temp_id == zone_ids[i]) {
5379 if (seen_zone == 0) {
5382 printf(
"Removing zone %s from database\n", zone_name);
5384 status =
KsmParameterInit(&result2,
"zones_share_keys",
"keys", policy_id);
5410 if ((shared.
value == 1 && temp_count == 1) || shared.
value == 0) {
5413 printf(
"Error: failed to mark keys as dead in database\n");
/*
 * SetParamOnPolicy: convert the textual policy parameter new_value (read from
 * the policy XML by the caller) into an integer according to value_type and
 * store it for policy_id under name/category, apparently only when it differs
 * from the value already in the database.
 *
 * new_value      element/attribute text; cast to char* below, never written to
 * name           parameter name, used for the insert/update and in messages
 * category       parameter category (its use is outside the visible lines)
 * current_value  value currently stored; 0 forces a rewrite (see below)
 * policy_id      database id of the policy being updated
 * value_type     selects which conversion/lookup is applied to new_value;
 *                presumably one of the *_TYPE constants defined at the top of
 *                this file (DURATION_TYPE, ROLLOVER_TYPE, ...) -- TODO confirm,
 *                the branch on value_type is not in this excerpt
 *
 * Returns an int status. The return statements are outside the visible lines;
 * every visible error path prints a message before leaving.
 */
5448 int SetParamOnPolicy(
const xmlChar* new_value,
const char* name,
const char* category,
int current_value,
int policy_id,
int value_type)
5452 char* temp_char = (
char *)new_value;
/* Only non-empty text is converted; what an empty value does is not shown
 * in this excerpt. */
5456 if (strlen(temp_char) != 0) {
/* Duration-to-seconds conversion; the converter call itself is not visible.
 * A status of -1 appears to be informational only: months and years were
 * approximated rather than rejected. */
5459 printf(
"Error: unable to convert interval %s to seconds, error: %i\n", temp_char, status);
5463 else if (status == -1) {
5464 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n", temp_char);
/* Boolean-style values: only the first character is inspected, so a leading
 * "Y" is presumably taken as true and anything else as false -- TODO confirm. */
5473 if (strncmp(temp_char,
"Y", 1) == 0) {
/* Name lookups (repository, serial type, rollover scheme) resolve the text to
 * a database id; the lookup calls are not visible here, only their failures. */
5483 printf(
"Error: unable to find repository %s\n", temp_char);
5493 printf(
"Error: unable to find serial type %s\n", temp_char);
5503 printf(
"Error: unable to find rollover scheme %s\n", temp_char);
/* Plain integer parameters. */
5512 printf(
"Error: unable to convert %s to int\n", temp_char);
/* Write only when the value changed; a stored value of 0 is apparently
 * treated as "not yet set" and is always rewritten. */
5522 if (value != current_value || current_value == 0) {
5525 printf(
"Error: unable to insert/update %s for policy\n", name);
5526 printf(
"Error: Is your database schema up to date?\n");
/* "saltlength" triggers a second insert/update whose target is outside the
 * visible lines; the same schema hint is printed if that write fails. */
5532 if (strncmp(name,
"saltlength", 10) == 0) {
5535 printf(
"Error: unable to insert/update %s for policy\n", name);
5536 printf(
"Error: Is your database schema up to date?\n");
5547 if (policy == NULL) {
5548 printf(
"Error, no policy provided");
5585 policy->
ksk->
sm = 0;
5597 policy->
zsk->
sm = 0;
5634 if((from = fopen( orig_file,
"rb"))==NULL) {
5635 if (errno == ENOENT) {
5636 printf(
"File %s does not exist, nothing to backup\n", orig_file);
5640 printf(
"Cannot open source file.\n");
5646 if((to = fopen(backup_file,
"wb"))==NULL) {
5647 printf(
"Cannot open destination file, will not make backup.\n");
5653 while(!feof(from)) {
5656 printf(
"Error reading source file.\n");
5661 if(!feof(from)) fputc(ch, to);
5663 printf(
"Error writing destination file.\n");
5670 if(fclose(from)==EOF) {
5671 printf(
"Error closing source file.\n");
5676 if(fclose(to)==EOF) {
5677 printf(
"Error closing destination file.\n");
5695 get_db_details(
char** dbschema,
char** host,
char** port,
char** user,
char** password)
5700 xmlXPathContextPtr xpathCtx;
5701 xmlXPathObjectPtr xpathObj;
5702 xmlRelaxNGParserCtxtPtr rngpctx;
5703 xmlRelaxNGValidCtxtPtr rngctx;
5704 xmlRelaxNGPtr schema;
5705 xmlChar *litexpr = (
unsigned char*)
"//Configuration/Enforcer/Datastore/SQLite";
5706 xmlChar *mysql_host = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Host";
5707 xmlChar *mysql_port = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Host/@port";
5708 xmlChar *mysql_db = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Database";
5709 xmlChar *mysql_user = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Username";
5710 xmlChar *mysql_pass = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Password";
5714 char* temp_char = NULL;
5717 const char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/conf.rng";
5720 doc = xmlParseFile(
config);
5722 printf(
"Error: unable to parse file \"%s\"\n",
config);
5727 rngdoc = xmlParseFile(rngfilename);
5728 if (rngdoc == NULL) {
5729 printf(
"Error: unable to parse file \"%s\"\n", rngfilename);
5735 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
5737 if (rngpctx == NULL) {
5738 printf(
"Error: unable to create XML RelaxNGs parser context\n");
5744 schema = xmlRelaxNGParse(rngpctx);
5745 xmlRelaxNGFreeParserCtxt(rngpctx);
5746 if (schema == NULL) {
5747 printf(
"Error: unable to parse a schema definition resource\n");
5753 rngctx = xmlRelaxNGNewValidCtxt(schema);
5754 if (rngctx == NULL) {
5755 printf(
"Error: unable to create RelaxNGs validation context based on the schema\n");
5756 xmlRelaxNGFree(schema);
5762 status = xmlRelaxNGValidateDoc(rngctx,doc);
5763 xmlRelaxNGFreeValidCtxt(rngctx);
5764 xmlRelaxNGFree(schema);
5766 printf(
"Error validating file \"%s\"\n",
config);
5773 xpathCtx = xmlXPathNewContext(doc);
5774 if(xpathCtx == NULL) {
5775 printf(
"Error: unable to create new XPath context\n");
5781 xpathObj = xmlXPathEvalExpression(litexpr, xpathCtx);
5782 if(xpathObj == NULL) {
5783 printf(
"Error: unable to evaluate xpath expression: %s\n", litexpr);
5784 xmlXPathFreeContext(xpathCtx);
5788 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5790 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5794 fprintf(stderr,
"SQLite database set to: %s\n", *dbschema);
5797 xmlXPathFreeObject(xpathObj);
5799 if (db_found == 0) {
5804 xpathObj = xmlXPathEvalExpression(mysql_host, xpathCtx);
5805 if(xpathObj == NULL) {
5806 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_host);
5807 xmlXPathFreeContext(xpathCtx);
5811 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5812 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5816 fprintf(stderr,
"MySQL database host set to: %s\n", *host);
5819 xmlXPathFreeObject(xpathObj);
5822 xpathObj = xmlXPathEvalExpression(mysql_port, xpathCtx);
5823 if(xpathObj == NULL) {
5824 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_port);
5825 xmlXPathFreeContext(xpathCtx);
5829 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5830 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5834 fprintf(stderr,
"MySQL database port set to: %s\n", *port);
5837 xmlXPathFreeObject(xpathObj);
5840 xpathObj = xmlXPathEvalExpression(mysql_db, xpathCtx);
5841 if(xpathObj == NULL) {
5842 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_db);
5843 xmlXPathFreeContext(xpathCtx);
5847 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5848 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5852 fprintf(stderr,
"MySQL database schema set to: %s\n", *dbschema);
5857 xmlXPathFreeObject(xpathObj);
5860 xpathObj = xmlXPathEvalExpression(mysql_user, xpathCtx);
5861 if(xpathObj == NULL) {
5862 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_user);
5863 xmlXPathFreeContext(xpathCtx);
5867 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5868 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5872 fprintf(stderr,
"MySQL database user set to: %s\n", *user);
5877 xmlXPathFreeObject(xpathObj);
5880 xpathObj = xmlXPathEvalExpression(mysql_pass, xpathCtx);
5881 if(xpathObj == NULL) {
5882 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_pass);
5883 xmlXPathFreeContext(xpathCtx);
5888 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5891 xmlXPathFreeObject(xpathObj);
5894 fprintf(stderr,
"MySQL database password set\n");
5899 xmlXPathFreeContext(xpathCtx);
5904 printf(
"Error: unable to find complete database connection expression\n");
5910 printf(
"Error: Config file %s specifies database type %s but system is compiled to use %s\n",
config, (db_found==1) ?
"MySQL" :
"sqlite3", (db_found==2) ?
"MySQL" :
"sqlite3");
5924 xmlTextReaderPtr reader = NULL;
5925 xmlDocPtr doc = NULL;
5926 xmlXPathContextPtr xpathCtx = NULL;
5927 xmlXPathObjectPtr xpathObj = NULL;
5929 char* temp_char = NULL;
5930 char* tag_name = NULL;
5932 xmlChar *zonelist_expr = (
unsigned char*)
"//Common/ZoneListFile";
5935 reader = xmlNewTextReaderFilename(
config);
5936 if (reader != NULL) {
5937 ret = xmlTextReaderRead(reader);
5939 tag_name = (
char*) xmlTextReaderLocalName(reader);
5941 if (strncmp(tag_name,
"Common", 6) == 0
5942 && xmlTextReaderNodeType(reader) == 1) {
5945 xmlTextReaderExpand(reader);
5946 doc = xmlTextReaderCurrentDoc(reader);
5948 printf(
"Error: can not read Common section\n");
5950 ret = xmlTextReaderRead(reader);
5954 xpathCtx = xmlXPathNewContext(doc);
5955 if(xpathCtx == NULL) {
5956 printf(
"Error: can not create XPath context for Common section\n");
5958 ret = xmlTextReaderRead(reader);
5963 xpathObj = xmlXPathEvalExpression(zonelist_expr, xpathCtx);
5964 if(xpathObj == NULL) {
5965 printf(
"Error: unable to evaluate xpath expression: %s\n", zonelist_expr);
5967 ret = xmlTextReaderRead(reader);
5970 *zone_list_filename = NULL;
5971 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5972 xmlXPathFreeObject(xpathObj);
5973 StrAppend(zone_list_filename, temp_char);
5975 printf(
"zonelist filename set to %s.\n", *zone_list_filename);
5978 ret = xmlTextReaderRead(reader);
5981 xmlFreeTextReader(reader);
5983 printf(
"%s : failed to parse\n",
config);
5987 printf(
"Unable to open %s\n",
config);
5991 xmlXPathFreeContext(xpathCtx);
6001 const char *zone_name,
6002 const char *policy_name,
6003 const char *sig_conf_name,
6004 const char *input_name,
6005 const char *output_name,
6006 const char *input_type,
6007 const char *output_type)
6011 xmlNodePtr newzonenode;
6012 xmlNodePtr newadaptnode;
6013 xmlNodePtr newinputnode;
6014 xmlNodePtr newinadnode;
6015 xmlNodePtr newoutputnode;
6016 xmlNodePtr newoutadnode;
6017 doc = xmlParseFile(docname);
6019 fprintf(stderr,
"Document not parsed successfully. \n");
6022 cur = xmlDocGetRootElement(doc);
6024 fprintf(stderr,
"empty document\n");
6028 if (xmlStrcmp(cur->name, (
const xmlChar *)
"ZoneList")) {
6029 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
6033 newzonenode = xmlNewTextChild(cur, NULL, (
const xmlChar *)
"Zone", NULL);
6034 (void) xmlNewProp(newzonenode, (
const xmlChar *)
"name", (
const xmlChar *)zone_name);
6036 (void) xmlNewTextChild (newzonenode, NULL, (
const xmlChar *)
"Policy", (
const xmlChar *)policy_name);
6038 (void) xmlNewTextChild (newzonenode, NULL, (
const xmlChar *)
"SignerConfiguration", (
const xmlChar *)sig_conf_name);
6040 newadaptnode = xmlNewChild (newzonenode, NULL, (
const xmlChar *)
"Adapters", NULL);
6042 newinputnode = xmlNewChild (newadaptnode, NULL, (
const xmlChar *)
"Input", NULL);
6044 newinadnode = xmlNewTextChild (newinputnode, NULL, (
const xmlChar *)
"Adapter", (
const xmlChar *)input_name);
6045 (void) xmlNewProp(newinadnode, (
const xmlChar *)
"type", (
const xmlChar *)input_type);
6047 newoutputnode = xmlNewChild (newadaptnode, NULL, (
const xmlChar *)
"Output", NULL);
6049 newoutadnode = xmlNewTextChild (newoutputnode, NULL, (
const xmlChar *)
"Adapter", (
const xmlChar *)output_name);
6050 (void) xmlNewProp(newoutadnode, (
const xmlChar *)
"type", (
const xmlChar *)output_type);
6056 const char *zone_name)
6062 doc = xmlParseFile(docname);
6064 fprintf(stderr,
"Document not parsed successfully. \n");
6067 root = xmlDocGetRootElement(doc);
6069 fprintf(stderr,
"empty document\n");
6073 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
6074 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
6080 if (all_flag == 1) {
6081 cur = root->children;
6087 cur = root->children;
6093 for(cur = root->children; cur != NULL; cur = cur->next)
6096 if (xmlStrcmp( xmlGetProp(cur, (xmlChar *)
"name"), (
const xmlChar *) zone_name) == 0)
6100 cur = root->children;
6115 xmlChar *polChar = NULL;
6116 xmlChar *propChar = NULL;
6122 doc = xmlParseFile(docname);
6124 fprintf(stderr,
"Document not parsed successfully. \n");
6127 root = xmlDocGetRootElement(doc);
6129 fprintf(stderr,
"empty document\n");
6133 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
6134 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
6140 for(cur = root->children; cur != NULL; cur = cur->next)
6142 if (xmlStrcmp( cur->name, (
const xmlChar *)
"Zone") == 0) {
6143 propChar = xmlGetProp(cur, (xmlChar *)
"name");
6144 printf(
"Found Zone: %s", propChar);
6150 printf(
" (zone not in database)");
6153 zone_ids[i] = temp_id;
6158 for(pol = cur->children; pol != NULL; pol = pol->next)
6160 if (xmlStrcmp( pol->name, (
const xmlChar *)
"Policy") == 0)
6162 polChar = xmlNodeGetContent(pol);
6163 printf(
"; on policy %s\n", polChar);
6182 xmlNodePtr policy_node;
6183 xmlNodePtr signatures_node;
6184 xmlNodePtr validity_node;
6185 xmlNodePtr denial_node;
6186 xmlNodePtr nsec_node;
6187 xmlNodePtr hash_node;
6188 xmlNodePtr salt_node;
6189 xmlNodePtr keys_node;
6190 xmlNodePtr ksk_node;
6191 xmlNodePtr ksk_alg_node;
6192 xmlNodePtr zsk_node;
6193 xmlNodePtr zsk_alg_node;
6194 xmlNodePtr zone_node;
6195 xmlNodePtr zone_soa_node;
6196 xmlNodePtr parent_node;
6197 xmlNodePtr parent_ds_node;
6198 xmlNodePtr parent_soa_node;
6202 root = xmlDocGetRootElement(doc);
6204 fprintf(stderr,
"empty document\n");
6207 if (xmlStrcmp(root->name, (
const xmlChar *)
"KASP")) {
6208 fprintf(stderr,
"document of the wrong type, root node != %s",
"KASP");
6212 policy_node = xmlNewTextChild(root, NULL, (
const xmlChar *)
"Policy", NULL);
6213 (void) xmlNewProp(policy_node, (
const xmlChar *)
"name", (
const xmlChar *)policy->
name);
6214 (void) xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Description", (
const xmlChar *)policy->
description);
6217 signatures_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Signatures", NULL);
6219 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Resign", (
const xmlChar *)temp_time);
6221 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Refresh", (
const xmlChar *)temp_time);
6222 validity_node = xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Validity", NULL);
6224 (void) xmlNewTextChild(validity_node, NULL, (
const xmlChar *)
"Default", (
const xmlChar *)temp_time);
6226 (void) xmlNewTextChild(validity_node, NULL, (
const xmlChar *)
"Denial", (
const xmlChar *)temp_time);
6227 snprintf(temp_time, 32,
"PT%dS", policy->
signer->
jitter);
6228 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Jitter", (
const xmlChar *)temp_time);
6230 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"InceptionOffset", (
const xmlChar *)temp_time);
6233 denial_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Denial", NULL);
6236 (void) xmlNewTextChild(denial_node, NULL, (
const xmlChar *)
"NSEC", NULL);
6240 nsec_node = xmlNewTextChild(denial_node, NULL, (
const xmlChar *)
"NSEC3", NULL);
6243 (void) xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"OptOut", NULL);
6245 snprintf(temp_time, 32,
"PT%dS", policy->
denial->
resalt);
6246 (void) xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"Resalt", (
const xmlChar *)temp_time);
6247 hash_node = xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"Hash", NULL);
6249 (void) xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
6251 (void) xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Iterations", (
const xmlChar *)temp_time);
6253 salt_node = xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Salt", NULL);
6254 (void) xmlNewProp(salt_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
6258 keys_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Keys", NULL);
6259 snprintf(temp_time, 32,
"PT%dS", policy->
keys->
ttl);
6260 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6262 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"RetireSafety", (
const xmlChar *)temp_time);
6264 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"PublishSafety", (
const xmlChar *)temp_time);
6267 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"ShareKeys", NULL);
6270 snprintf(temp_time, 32,
"PT%dS", policy->
keys->
purge);
6271 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"Purge", (
const xmlChar *)temp_time);
6275 ksk_node = xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"KSK", NULL);
6277 ksk_alg_node = xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
6278 snprintf(temp_time, 32,
"%d", policy->
ksk->
bits);
6279 (void) xmlNewProp(ksk_alg_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
6280 snprintf(temp_time, 32,
"PT%dS", policy->
ksk->
lifetime);
6281 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Lifetime", (
const xmlChar *)temp_time);
6282 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Repository", (
const xmlChar *)policy->
ksk->
sm_name);
6284 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Standby", (
const xmlChar *)temp_time);
6287 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"ManualRollover", NULL);
6291 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"RFC5011", NULL);
6299 zsk_node = xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"ZSK", NULL);
6301 zsk_alg_node = xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
6302 snprintf(temp_time, 32,
"%d", policy->
zsk->
bits);
6303 (void) xmlNewProp(zsk_alg_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
6304 snprintf(temp_time, 32,
"PT%dS", policy->
zsk->
lifetime);
6305 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Lifetime", (
const xmlChar *)temp_time);
6306 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Repository", (
const xmlChar *)policy->
zsk->
sm_name);
6308 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Standby", (
const xmlChar *)temp_time);
6311 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"ManualRollover", NULL);
6315 zone_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Zone", NULL);
6317 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"PropagationDelay", (
const xmlChar *)temp_time);
6318 zone_soa_node = xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"SOA", NULL);
6319 snprintf(temp_time, 32,
"PT%dS", policy->
zone->
soa_ttl);
6320 (void) xmlNewTextChild(zone_soa_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6321 snprintf(temp_time, 32,
"PT%dS", policy->
zone->
soa_min);
6322 (void) xmlNewTextChild(zone_soa_node, NULL, (
const xmlChar *)
"Minimum", (
const xmlChar *)temp_time);
6326 parent_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Parent", NULL);
6328 (void) xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"PropagationDelay", (
const xmlChar *)temp_time);
6329 parent_ds_node = xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"DS", NULL);
6330 snprintf(temp_time, 32,
"PT%dS", policy->
parent->
ds_ttl);
6331 (void) xmlNewTextChild(parent_ds_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6332 parent_soa_node = xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"SOA", NULL);
6334 (void) xmlNewTextChild(parent_soa_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6336 (void) xmlNewTextChild(parent_soa_node, NULL, (
const xmlChar *)
"Minimum", (
const xmlChar *)temp_time);
6345 const char *policy_name)
6351 doc = xmlParseFile(docname);
6353 fprintf(stderr,
"Document not parsed successfully. \n");
6356 root = xmlDocGetRootElement(doc);
6358 fprintf(stderr,
"empty document\n");
6362 if (xmlStrcmp(root->name, (
const xmlChar *)
"KASP")) {
6363 fprintf(stderr,
"document of the wrong type, root node != %s",
"KASP");
6370 for(cur = root->children; cur != NULL; cur = cur->next)
6373 if (xmlStrcmp( xmlGetProp(cur, (xmlChar *)
"name"), (
const xmlChar *) policy_name) == 0)
6377 cur = root->children;
6393 fprintf(stdout,
"KSK:");
6397 fprintf(stdout,
"ZSK:");
6399 fprintf(stdout,
" %s Retired\n", key_data->
location);
6411 fprintf(stderr,
"%s\n", format);
6438 char* temp_zone = NULL;
6441 char* temp_ready = NULL;
6442 char* temp_active = NULL;
6443 char* temp_retire = NULL;
6444 char* temp_dead = NULL;
6445 char* temp_loc = NULL;
6446 char* temp_hsm = NULL;
6451 hsm_key_t *key = NULL;
6452 ldns_rr *dnskey_rr = NULL;
6453 hsm_sign_params_t *sign_params = NULL;
6457 status = hsm_open(
config, hsm_prompt_pin);
6459 hsm_print_error(NULL);
6465 StrAppend(&sql,
"select z.name, k.keytype, k.state, k.ready, k.active, k.retire, k.dead, k.location, s.name, k.algorithm, k.size from securitymodules s, zones z, KEYDATA_VIEW k where z.id = k.zone_id and s.id = k.securitymodule_id and state != 6 and zone_id is not null ");
6466 if (zone_id != -1) {
6479 if (verbose_flag == 1) {
6480 printf(
"Zone: Keytype: State: Date of next transition (to): Size: Algorithm: CKA_ID: Repository: Keytag:\n");
6483 printf(
"Zone: Keytype: State: Date of next transition:\n");
6485 while (status == 0) {
6488 DbInt(row, 1, &temp_type);
6489 DbInt(row, 2, &temp_state);
6496 DbInt(row, 9, &temp_alg);
6497 DbInt(row, 10, &temp_size);
6510 printf(
"(active) ");
6515 printf(
"%-31s %-13s %-9s %-20s", temp_zone, (temp_type ==
KSM_TYPE_KSK) ?
"KSK" :
"ZSK",
KsmKeywordStateValueToName(temp_state), (temp_retire == NULL) ?
"(not scheduled)" : temp_retire);
6517 printf(
"(retire) ");
6536 printf(
"%-31s %-13s %-9s %-20s", temp_zone,
"KSK",
KsmKeywordStateValueToName(temp_state), (temp_ready == NULL) ?
"(not scheduled)" : temp_ready);
6538 printf(
"(dsready) ");
6545 printf(
"(keypub) ");
6550 printf(
"%-31s %-13s %-9s %-20s", temp_zone,
"KSK",
KsmKeywordStateValueToName(temp_state), (temp_active == NULL) ?
"(not scheduled)" : temp_active);
6552 printf(
"(active) ");
6557 if (done_row == 1 && verbose_flag == 1) {
6558 printf(
"%-7d %-12d", temp_size, temp_alg);
6559 key = hsm_find_key_by_id(NULL, temp_loc);
6561 printf(
"%-33s %s NOT IN repository\n", temp_loc, temp_hsm);
6563 sign_params = hsm_sign_params_new();
6564 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, temp_zone);
6565 sign_params->algorithm = temp_alg;
6566 sign_params->flags = LDNS_KEY_ZONE_KEY;
6568 sign_params->flags += LDNS_KEY_SEP_KEY;
6570 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
6571 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
6573 printf(
"%-33s %-33s %d\n", temp_loc, temp_hsm, sign_params->keytag);
6575 hsm_sign_params_free(sign_params);
6579 else if (done_row == 1) {
6606 if (dnskey_rr != NULL) {
6607 ldns_rr_free(dnskey_rr);
6645 char* temp_loc = NULL;
6648 int done_something = 0;
6651 hsm_key_t *key = NULL;
6653 if ((zone_id == -1 && policy_id == -1) ||
6654 (zone_id != -1 && policy_id != -1)){
6655 printf(
"Please provide either a zone OR a policy to key purge\n");
6661 status = hsm_open(
config, hsm_prompt_pin);
6663 hsm_print_error(NULL);
6668 StrAppend(&sql,
"select distinct id, location from KEYDATA_VIEW where state = 6 ");
6669 if (zone_id != -1) {
6674 if (policy_id != -1) {
6685 while (status == 0) {
6687 DbInt(row, 0, &temp_id);
6744 key = hsm_find_key_by_id(NULL, temp_loc);
6747 printf(
"Key not found: %s\n", temp_loc);
6754 status = hsm_remove_key(NULL, key);
6759 printf(
"Key remove successful: %s\n", temp_loc);
6761 printf(
"Key remove failed: %s\n", temp_loc);
6782 if (done_something == 0) {
6783 printf(
"No keys to purge.\n");
6801 hsm_ctx_t *ctx = NULL;
6806 hsm_key_t *key = NULL;
6807 char *hsm_error_message = NULL;
6809 int ksks_needed = 0;
6810 int zsks_needed = 0;
6811 int ksks_in_queue = 0;
6812 int zsks_in_queue = 0;
6815 unsigned int current_count = 0;
6821 int ksks_created = 0;
6825 FILE* lock_fd = NULL;
6833 printf(
"Failed to connect to database\n");
6839 if (policy == NULL) {
6840 printf(
"Malloc for policy struct failed\n");
6846 printf(
"Please provide a policy name with the --policy option\n");
6852 printf(
"Please provide an interval with the --interval option\n");
6865 printf(
"Error: unable to read policy %s from database\n",
o_policy);
6871 printf(
"Error: policy %s doesn't exist in database\n",
o_policy);
6878 printf(
"Key sharing is On\n");
6880 printf(
"Key sharing is Off\n");
6885 printf(
"Error: unable to convert Interval %s to seconds, error: ",
o_interval);
6888 printf(
"invalid interval-type.\n");
6891 printf(
"unable to translate string.\n");
6894 printf(
"interval too long to be an int. E.g. Maximum is ~68 years on a system with 32-bit integers.\n");
6897 printf(
"invalid pointers or text string NULL.\n");
6900 printf(
"unknown\n");
6906 else if (status == -1) {
6907 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n",
o_interval);
6911 status = hsm_open(
config, hsm_prompt_pin);
6913 hsm_error_message = hsm_get_error(ctx);
6914 if (hsm_error_message) {
6915 printf(
"%s\n", hsm_error_message);
6916 free(hsm_error_message);
6922 printf(
"hsm_open() result: HSM error\n");
6924 case HSM_PIN_INCORRECT:
6925 printf(
"hsm_open() result: incorrect PIN\n");
6927 case HSM_CONFIG_FILE_ERROR:
6928 printf(
"hsm_open() result: config file error\n");
6930 case HSM_REPOSITORY_NOT_FOUND:
6931 printf(
"hsm_open() result: repository not found\n");
6933 case HSM_NO_REPOSITORIES:
6934 printf(
"hsm_open() result: no repositories\n");
6937 printf(
"hsm_open() result: %d", status);
6944 printf(
"HSM opened successfully.\n");
6945 ctx = hsm_create_context();
6950 if (rightnow == NULL) {
6951 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
6972 if (zone_count == 0) {
6973 printf(
"No zones on policy %s, skipping...", policy->
name);
6976 hsm_destroy_context(ctx);
6983 printf(
"Could not count zones on policy %s", policy->
name);
6986 hsm_destroy_context(ctx);
6996 printf(
"Could not predict ksk requirement for next interval for %s\n", policy->
name);
7005 printf(
"Could not count current ksk numbers for policy %s\n", policy->
name);
7013 ksks_in_queue /= zone_count;
7016 new_ksks = ksks_needed - ksks_in_queue;
7022 printf(
"Could not predict zsk requirement for next interval for %s\n", policy->
name);
7031 printf(
"Could not count current zsk numbers for policy %s\n", policy->
name);
7039 zsks_in_queue /= zone_count;
7043 zsks_in_queue -= ksks_needed;
7046 new_zsks = zsks_needed - zsks_in_queue;
7052 if (policy->
ksk->
sm_capacity != 0 && (new_ksks + new_zsks) > 0) {
7053 current_count = hsm_count_keys_repository(ctx, policy->
ksk->
sm_name);
7055 printf(
"Repository %s is full, cannot create more keys for policy %s\n", policy->
ksk->
sm_name, policy->
name);
7059 printf(
"Repository %s is nearly full, will create %lu KSKs for policy %s (reduced from %d)\n", policy->
ksk->
sm_name, policy->
ksk->
sm_capacity - current_count, policy->
name, new_ksks);
7062 else if (current_count + new_ksks + new_zsks > policy->
ksk->
sm_capacity) {
7063 printf(
"Repository %s is nearly full, will create %lu ZSKs for policy %s (reduced from %d)\n", policy->
ksk->
sm_name, policy->
ksk->
sm_capacity - current_count, policy->
name, new_ksks);
7072 current_count = hsm_count_keys_repository(ctx, policy->
ksk->
sm_name);
7074 printf(
"Repository %s is full, cannot create more KSKs for policy %s\n", policy->
ksk->
sm_name, policy->
name);
7078 printf(
"Repository %s is nearly full, will create %lu KSKs for policy %s (reduced from %d)\n", policy->
ksk->
sm_name, policy->
ksk->
sm_capacity - current_count, policy->
name, new_ksks);
7085 current_count = hsm_count_keys_repository(ctx, policy->
zsk->
sm_name);
7087 printf(
"Repository %s is full, cannot create more ZSKs for policy %s\n", policy->
zsk->
sm_name, policy->
name);
7091 printf(
"Repository %s is nearly full, will create %lu ZSKs for policy %s (reduced from %d)\n", policy->
zsk->
sm_name, policy->
zsk->
sm_capacity - current_count, policy->
name, new_zsks);
7098 if (new_ksks == 0 && new_zsks == 0) {
7099 printf(
"No keys to create, quitting...\n");
7102 hsm_destroy_context(ctx);
7112 if (!auto_accept_flag) {
7113 printf(
"*WARNING* This will create %d KSKs (%d bits) and %d ZSKs (%d bits)\nAre you sure? [y/N] ", new_ksks, policy->
ksk->
bits, new_zsks, policy->
zsk->
bits);
7115 user_certain = getchar();
7116 if (user_certain !=
'y' && user_certain !=
'Y') {
7117 printf(
"Okay, quitting...\n");
7123 for (i=new_ksks ; i > 0 ; i--){
7124 if (hsm_supported_algorithm(policy->
ksk->
algorithm) == 0) {
7129 printf(
"Created key in repository %s\n", policy->
ksk->
sm_name);
7132 printf(
"Error creating key in repository %s\n", policy->
ksk->
sm_name);
7133 hsm_error_message = hsm_get_error(ctx);
7134 if (hsm_error_message) {
7135 printf(
"%s\n", hsm_error_message);
7136 free(hsm_error_message);
7142 id = hsm_get_key_id(ctx, key);
7146 printf(
"Error creating key in Database\n");
7147 hsm_error_message = hsm_get_error(ctx);
7148 if (hsm_error_message) {
7149 printf(
"%s\n", hsm_error_message);
7150 free(hsm_error_message);
7156 printf(
"Created KSK size: %i, alg: %i with id: %s in repository: %s and database.\n", policy->
ksk->
bits,
7160 printf(
"Key algorithm %d unsupported by libhsm.\n", policy->
ksk->
algorithm);
7166 ksks_created = new_ksks;
7169 for (i = new_zsks ; i > 0 ; i--) {
7170 if (hsm_supported_algorithm(policy->
zsk->
algorithm) == 0) {
7175 printf(
"Created key in repository %s\n", policy->
zsk->
sm_name);
7178 printf(
"Error creating key in repository %s\n", policy->
zsk->
sm_name);
7179 hsm_error_message = hsm_get_error(ctx);
7180 if (hsm_error_message) {
7181 printf(
"%s\n", hsm_error_message);
7182 free(hsm_error_message);
7188 id = hsm_get_key_id(ctx, key);
7192 printf(
"Error creating key in Database\n");
7193 hsm_error_message = hsm_get_error(ctx);
7194 if (hsm_error_message) {
7195 printf(
"%s\n", hsm_error_message);
7196 free(hsm_error_message);
7202 printf(
"Created ZSK size: %i, alg: %i with id: %s in repository: %s and database.\n", policy->
zsk->
bits,
7206 printf(
"Key algorithm %d unsupported by libhsm.\n", policy->
zsk->
algorithm);
7216 printf(
"NOTE: keys generated in repository %s will not become active until they have been backed up\n", policy->
ksk->
sm_name);
7219 printf(
"NOTE: keys generated in repository %s will not become active until they have been backed up\n", policy->
zsk->
sm_name);
7226 hsm_destroy_context(ctx);
7228 status = hsm_close();
7229 printf(
"all done! hsm_close result: %d\n", status);
7244 int keypair_id = -1;
7248 FILE* lock_fd = NULL;
7253 hsm_key_t *key = NULL;
7257 printf(
"Please provide a CKA_ID for the key to delete\n");
7265 printf(
"Failed to connect to database\n");
7273 if (status != 0 || key_state == -1) {
7274 printf(
"Failed to determine the state of the key\n");
7281 if (force_flag == 1) {
7282 printf(
"*WARNING* This will delete a key that the enforcer believes is in use; are you really sure? [y/N] ");
7284 user_certain = getchar();
7285 if (user_certain !=
'y' && user_certain !=
'Y') {
7286 printf(
"Okay, quitting...\n");
7291 printf(
"The enforcer believes that this key is in use, quitting...\n");
7324 if (hsm_flag == 1) {
7326 status = hsm_open(
config, hsm_prompt_pin);
7328 hsm_print_error(NULL);
7333 key = hsm_find_key_by_id(NULL,
o_cka_id);
7336 printf(
"Key not found in HSM: %s\n",
o_cka_id);
7340 status = hsm_remove_key(NULL, key);
7346 printf(
"Key delete successful: %s\n",
o_cka_id);
7348 printf(
"Key delete failed: %s\n",
o_cka_id);
7359 struct stat stat_ret;
7363 xmlDocPtr doc = NULL;
7364 xmlDocPtr rngdoc = NULL;
7365 xmlXPathContextPtr xpathCtx = NULL;
7366 xmlXPathObjectPtr xpathObj = NULL;
7367 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
7368 xmlRelaxNGValidCtxtPtr rngctx = NULL;
7369 xmlRelaxNGPtr schema = NULL;
7370 xmlChar *user_expr = (
unsigned char*)
"//Configuration/Enforcer/Privileges/User";
7371 xmlChar *group_expr = (
unsigned char*)
"//Configuration/Enforcer/Privileges/Group";
7373 char* filename = OPENDNSSEC_CONFIG_FILE;
7374 char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/conf.rng";
7375 char* temp_char = NULL;
7382 char *username = NULL;
7383 char *groupname = NULL;
7385 printf(
"fixing permissions on file %s\n", dbschema);
7387 if (geteuid() != 0) {
7392 if (stat(dbschema, &stat_ret) != 0) {
7393 printf(
"cannot stat file %s: %s", dbschema, strerror(errno));
7399 doc = xmlParseFile(filename);
7401 printf(
"Error: unable to parse file \"%s\"", filename);
7406 rngdoc = xmlParseFile(rngfilename);
7407 if (rngdoc == NULL) {
7408 printf(
"Error: unable to parse file \"%s\"", rngfilename);
7413 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
7414 if (rngpctx == NULL) {
7415 printf(
"Error: unable to create XML RelaxNGs parser context");
7420 schema = xmlRelaxNGParse(rngpctx);
7421 if (schema == NULL) {
7422 printf(
"Error: unable to parse a schema definition resource");
7427 rngctx = xmlRelaxNGNewValidCtxt(schema);
7428 if (rngctx == NULL) {
7429 printf(
"Error: unable to create RelaxNGs validation context based on the schema");
7434 status = xmlRelaxNGValidateDoc(rngctx,doc);
7436 printf(
"Error validating file \"%s\"", filename);
7442 xpathCtx = xmlXPathNewContext(doc);
7443 if(xpathCtx == NULL) {
7444 printf(
"Error: unable to create new XPath context");
7450 xpathObj = xmlXPathEvalExpression(group_expr, xpathCtx);
7451 if(xpathObj == NULL) {
7452 printf(
"Error: unable to evaluate xpath expression: %s", group_expr);
7453 xmlXPathFreeContext(xpathCtx);
7457 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
7458 temp_char = (
char*) xmlXPathCastToString(xpathObj);
7461 xmlXPathFreeObject(xpathObj);
7467 xpathObj = xmlXPathEvalExpression(user_expr, xpathCtx);
7468 if(xpathObj == NULL) {
7469 printf(
"Error: unable to evaluate xpath expression: %s", user_expr);
7470 xmlXPathFreeContext(xpathCtx);
7474 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
7475 temp_char = (
char*) xmlXPathCastToString(xpathObj);
7478 xmlXPathFreeObject(xpathObj);
7484 xmlXPathFreeContext(xpathCtx);
7485 xmlRelaxNGFree(schema);
7486 xmlRelaxNGFreeValidCtxt(rngctx);
7487 xmlRelaxNGFreeParserCtxt(rngpctx);
7492 if (username != NULL) {
7494 if ((pwd = getpwnam(username)) == NULL) {
7495 printf(
"user '%s' does not exist. cannot chown %s...\n", username, dbschema);
7504 if ((grp = getgrnam(groupname)) == NULL) {
7505 printf(
"group '%s' does not exist. cannot chown %s...\n", groupname, dbschema);
7514 if (chown(dbschema, uid, gid) == -1) {
7515 printf(
"cannot chown(%u,%u) %s: %s",
7516 (
unsigned) uid, (
unsigned) gid, dbschema, strerror(errno));
7525 if (chown(temp_char, uid, gid) == -1) {
7526 printf(
"cannot chown(%u,%u) %s: %s",
7527 (
unsigned) uid, (
unsigned) gid, temp_char, strerror(errno));
/*
 * CountKeys: query KEYDATA_VIEW for KSK rows (keytype = 257) whose state is in
 * the list formatted into buffer, optionally narrowed by *zone_id and cka_id,
 * then check each row against the HSM repository.  A key is "found" either by
 * keytag (computed from its DNSKEY RR) or by cka_id; the match is reported
 * through *zone_id, *temp_cka_id, *temp_key_state and *temp_keypair_id, and the
 * number of rows seen through *key_count.  This listing is abridged: the
 * declarations of status, nchar, buffer, sql, row, temp_alg, temp_state,
 * done_row and temp_count, the query execution and the return path are not
 * shown.
 */
7569 int CountKeys(
int *zone_id,
int keytag,
const char *cka_id,
int *key_count,
char **temp_cka_id,
int *temp_key_state,
int *temp_keypair_id)
7582 int temp_zone_id = 0;
7583 char* temp_loc = NULL;
7586 int temp_keypair = 0;
7591 hsm_key_t *key = NULL;
7592 ldns_rr *dnskey_rr = NULL;
7593 hsm_sign_params_t *sign_params = NULL;
/* Open the HSM with the global config; the NULL-context libhsm calls below rely on this. */
7596 status = hsm_open(
config, hsm_prompt_pin);
7598 hsm_print_error(NULL);
/*
 * The state list is built from integers only (%d), so splicing it into the
 * SQL below cannot change the query's structure.  The arguments are not
 * shown in this listing.
 */
7603 nchar = snprintf(buffer,
sizeof(buffer),
"(%d, %d, %d)",
/* snprintf returns the length the full text would need; >= sizeof(buffer) means truncation */
7605 if (nchar >=
sizeof(buffer)) {
7606 printf(
"Error: Overran buffer in CountKeys\n");
7611 StrAppend(&sql,
"select k.zone_id, k.location, k.algorithm, k.state, k.id from KEYDATA_VIEW k where state in ");
7613 StrAppend(&sql,
" and zone_id is not null and k.keytype = 257");
/* Optional filters; their bodies are not shown.  NOTE(review): if the cka_id
 * branch appends cka_id to sql as a raw string, it needs quoting/validation
 * (cka_id presumably comes from the command line). */
7615 if (*zone_id != -1) {
7620 if (cka_id != NULL) {
/* One row per KSK matching the query; row/status come from the DB calls not shown. */
7638 while (status == 0) {
7640 DbInt(row, 0, &temp_zone_id);
7642 DbInt(row, 2, &temp_alg);
7643 DbInt(row, 3, &temp_state);
7644 DbInt(row, 4, &temp_keypair);
/* No selector given: report the state of whatever row is current. */
7648 if (keytag == -1 && cka_id == NULL)
7650 *temp_key_state = temp_state;
/* Cross-check the DB row against the repository (default context). */
7653 key = hsm_find_key_by_id(NULL, temp_loc);
7655 printf(
"cka_id %-33s in DB but NOT IN repository\n", temp_loc);
7656 }
else if (keytag != -1) {
7657 sign_params = hsm_sign_params_new();
/* Placeholder owner name: the keytag computed below is over the DNSKEY RDATA
 * only, so the real zone name is not needed to match by keytag. */
7658 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
"temp_zone");
7659 sign_params->algorithm = temp_alg;
7660 sign_params->flags = LDNS_KEY_ZONE_KEY;
7661 sign_params->flags += LDNS_KEY_SEP_KEY;
7663 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
7664 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
7667 if (keytag == sign_params->keytag) {
7670 *temp_cka_id = NULL;
7672 *zone_id = temp_zone_id;
7673 *temp_key_state = temp_state;
7674 *temp_keypair_id = temp_keypair;
7675 printf(
"Found key with CKA_ID %s\n", temp_loc);
7678 hsm_sign_params_free(sign_params);
/*
 * NOTE(review): strncmp bounded by strlen(temp_loc) is a prefix test — any
 * cka_id that merely begins with this row's location matches, although the
 * message below reports an exact CKA_ID match.  An exact comparison
 * (strcmp, or also checking the lengths agree) is what the caller expects.
 */
7680 if (key && cka_id != NULL && strncmp(cka_id, temp_loc, strlen(temp_loc)) == 0) {
7682 if (done_row == 0) {
7684 *temp_cka_id = NULL;
7686 *zone_id = temp_zone_id;
7687 *temp_key_state = temp_state;
7688 *temp_keypair_id = temp_keypair;
7689 printf(
"Found key with CKA_ID %s\n", temp_loc);
7709 *key_count = temp_count;
/* Only the last DNSKEY RR is released here; unless the loop frees each
 * dnskey_rr before the next hsm_get_dnskey() (not shown), earlier ones leak. */
7716 if (dnskey_rr != NULL) {
7717 ldns_rr_free(dnskey_rr);
/*
 * GetKeyState: look up the keypair id and enforcer state of the key whose
 * location (CKA_ID) is cka_id in KEYDATA_VIEW, returning them through
 * temp_key_state and temp_keypair_id.  This listing is abridged: the
 * declarations of nchar, sql, status, row and temp_state, the query execution
 * and the return path are not shown.
 */
7724 int GetKeyState(
const char *cka_id,
int *temp_key_state,
int *temp_keypair_id) {
7732 int temp_keypair = 0;
/*
 * NOTE(review): cka_id is spliced into the quoted SQL literal with %s and no
 * escaping, so a value containing a single quote changes the query.  It
 * presumably arrives from the --cka-id command-line option (o_cka_id in the
 * key-delete path); restrict it to the characters a CKA_ID may contain before
 * building the query, or bind it as a parameter.  sql is presumably a
 * fixed-size local buffer (sizeof is used below).
 */
7734 nchar = snprintf(sql,
sizeof(sql),
"select k.id, k.state from KEYDATA_VIEW k where k.location = '%s'", cka_id);
/* snprintf returns the length the full query would need; >= sizeof(sql) means truncation */
7735 if (nchar >=
sizeof(sql)) {
/* The message names CountKeys, but this is GetKeyState. */
7736 printf(
"Error: Overran buffer in CountKeys\n");
/* One row per key with this location; row/status come from the DB calls not shown. */
7745 while (status == 0) {
7747 DbInt(row, 0, &temp_keypair);
7748 DbInt(row, 1, &temp_state);
/* Handling of state 0 is not shown in this listing. */
7751 if (temp_state == 0) {
7755 *temp_key_state = temp_state;
7756 *temp_keypair_id = temp_keypair;
/*
 * MarkDSSeen: record that the DS for a key pair has been observed.
 * Only fragments of the body are shown: it reads the policy (reporting
 * "failed to read policy" on error) and computes dates with DbDateDiff,
 * reporting "DbDateDiff failed" when a computation fails.
 *
 * keypair_id - key pair being marked
 * zone_id    - zone the key belongs to
 * policy_id  - policy to read
 * datetime   - reference time used for the date arithmetic
 * key_state  - current state of the key (how it is used is not visible here)
 *
 * Returns an int status; the lines that set it are not among those shown.
 */
7798 int MarkDSSeen(
int keypair_id,
int zone_id,
int policy_id,
const char *datetime,
int key_state)
7816 printf(
"Error: failed to read policy\n");
7839 printf(
"DbDateDiff failed\n");
7864 printf(
"DbDateDiff failed\n");
7927 char* where_clause = NULL;
7942 printf(
"Error: failed to read policy\n");
7958 StrAppend(&where_clause,
"select id from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
7960 StrAppend(&where_clause,
" and retire = (select min(retire) from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
7969 printf(
"Error: failed to find ID of key to retire\n");
7980 printf(
"DbDateDiff failed\n");
8049 if (zone_id != -1) {
8058 printf(
"Error in CountKeysInState\n");
/*
 * ChangeKeyState: move the selected keys into a new state.
 * Only fragments of the body are shown: it reads the policy, collects the
 * matching key ids into a malloc'd array, formats each id for the update
 * statement and computes dates with DbDateDiff.
 *
 * keytype, cka_id, zone_id, policy_id - select the keys; every zone_id check
 *            below compares against -1, which presumably means "no zone
 *            filter" - confirm against the callers
 * datetime - reference time for the date arithmetic
 * keystate - target state
 *
 * Returns an int status; the lines that set it are not among those shown.
 */
8095 int ChangeKeyState(
int keytype,
const char *cka_id,
int zone_id,
int policy_id,
const char *datetime,
int keystate)
8123 printf(
"Error: failed to read policy\n");
8131 if (zone_id != -1) {
/*
 * NOTE(review): no guard on count * sizeof(int); count's origin and type are
 * outside the visible lines, and MemMalloc's behaviour on a zero or negative
 * count is not documented here.
 */
8150 keyids =
MemMalloc(count *
sizeof(
int));
8157 if (zone_id != -1) {
/* Walk the key rows; KsmKey fills data and returns the next status. */
8166 while (status == 0) {
8167 status =
KsmKey(result, &data);
/* Format each collected id into a bounded buffer (i is the number collected). */
8198 for (j = 0; j < i; ++j) {
8202 snprintf(buffer,
sizeof(buffer),
"%d", keyids[j]);
8227 printf(
"DbDateDiff failed\n");
8239 if (zone_id != -1) {
8259 printf(
"DbDateDiff failed\n");
8271 if (zone_id != -1) {
8284 printf(
"DbDateDiff failed\n");
8296 if (zone_id != -1) {
/*
 * restart_enforcerd: run the ODS_EN_NOTIFY command to poke the enforcer.
 *
 * ODS_EN_NOTIFY is presumably a compile-time constant (its definition is not
 * in view), so no user-controlled text enters the command line; system()
 * still runs it through /bin/sh with the caller's environment (PATH etc.),
 * and the raw system() result is returned unchanged - a wait status, not the
 * command's exit code.  The empty parameter list is an old-style declaration;
 * (void) is the C99+ form.
 */
8332 static int restart_enforcerd()
8336 return system(ODS_EN_NOTIFY);
8348 xmlDocPtr doc = NULL;
8349 xmlXPathContextPtr xpathCtx = NULL;
8350 xmlXPathObjectPtr xpathObj = NULL;
8351 char* temp_char = NULL;
8353 xmlChar *iv_expr = (
unsigned char*)
"//Configuration/Enforcer/Interval";
8354 xmlChar *mk_expr = (
unsigned char*)
"//Configuration/Enforcer/ManualKeyGeneration";
8357 doc = xmlParseFile(
config);
8359 printf(
"Error: unable to parse file \"%s\"\n",
config);
8364 xpathCtx = xmlXPathNewContext(doc);
8365 if(xpathCtx == NULL) {
8366 printf(
"Error: unable to create new XPath context\n");
8372 xpathObj = xmlXPathEvalExpression(iv_expr, xpathCtx);
8373 if(xpathObj == NULL) {
8374 printf(
"Error: unable to evaluate xpath expression: %s", iv_expr);
8375 xmlXPathFreeContext(xpathCtx);
8380 temp_char = (
char *)xmlXPathCastToString(xpathObj);
8383 printf(
"Error: unable to convert Interval %s to seconds, error: %i\n", temp_char, status);
8387 else if (status == -1) {
8388 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n", temp_char);
8392 xmlXPathFreeObject(xpathObj);
8395 xpathObj = xmlXPathEvalExpression(mk_expr, xpathCtx);
8396 if(xpathObj == NULL) {
8397 printf(
"Error: unable to evaluate xpath expression: %s\n", mk_expr);
8398 xmlXPathFreeContext(xpathCtx);
8403 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
8411 xmlXPathFreeObject(xpathObj);
8414 xmlXPathFreeContext(xpathCtx);
8454 int man_key_gen = -1;
8465 printf(
"Failed to Link Keys to zone\n");
8475 if (policy == NULL) {
8476 printf(
"Malloc for policy struct failed\n");
8486 printf(
"Error: unable to read policy %s from database\n",
o_policy);
8491 printf(
"Error: policy %s doesn't exist in database\n",
o_policy);
8499 printf(
"Error allocating zsks to zone %s", zone_name);
8505 printf(
"Error allocating ksks to zone %s", zone_name);
8547 int keys_needed = 0;
8548 int keys_in_queue = 0;
8549 int keys_pending_retirement = 0;
8551 int key_pair_id = 0;
8558 if (datetime == NULL) {
8559 printf(
"Couldn't turn \"now\" into a date, quitting...");
8563 if (policy == NULL) {
8564 printf(
"NULL policy sent to allocateKeysToZone");
8570 printf(
"Unknown keytype: %i in allocateKeysToZone", key_type);
8584 status =
KsmKeyPredict(policy->
id, key_type, 1, interval, &keys_needed, rollover_scheme, 1);
8586 printf(
"Could not predict key requirement for next interval for %s", zone_name);
8594 printf(
"Could not count current key numbers for zone %s", zone_name);
8602 printf(
"Could not count keys which may retire before the next run (for zone %s)", zone_name);
8608 new_keys = keys_needed - (keys_in_queue - keys_pending_retirement);
8613 for (i=0 ; i < new_keys ; i++){
8617 if (status == -1 || key_pair_id == 0) {
8618 if (man_key_gen == 0) {
8619 printf(
"Not enough keys to satisfy ksk policy for zone: %s", zone_name);
8620 printf(
"ods-enforcerd will create some more keys on its next run");
8623 printf(
"Not enough keys to satisfy ksk policy for zone: %s", zone_name);
8624 printf(
"please use \"ods-ksmutil key generate\" to create some more keys.");
8628 else if (status != 0) {
8629 printf(
"Could not get an unallocated ksk for zone: %s", zone_name);
8634 if (status == -1 || key_pair_id == 0) {
8635 if (man_key_gen == 0) {
8636 printf(
"Not enough keys to satisfy zsk policy for zone: %s", zone_name);
8637 printf(
"ods-enforcerd will create some more keys on its next run");
8640 printf(
"Not enough keys to satisfy zsk policy for zone: %s", zone_name);
8641 printf(
"please use \"ods-ksmutil key generate\" to create some more keys.");
8645 else if (status != 0) {
8646 printf(
"Could not get an unallocated zsk for zone: %s", zone_name);
8650 if(key_pair_id > 0) {
8655 printf(
"KsmKeyGetUnallocated returned bad key_id %d for zone: %s; exiting...", key_pair_id, zone_name);
/*
 * keyRoll: force a rollover of the selected keys.
 * Only fragments of the body are shown: the visible parts flag the key as
 * compromised (compromisedflag = 1), look up the zones whose keys retire at
 * datetime, and build further SQL; one error message refers to promoting a
 * standby key.
 *
 * zone_id, policy_id, key_type - selection filters; each is compared against
 *            -1 below, which presumably means "no filter" - confirm against
 *            the callers
 *
 * Returns an int status; the lines that set it are not among those shown.
 */
8683 int keyRoll(
int zone_id,
int policy_id,
int key_type)
8696 int temp_zone_id = -1;
8702 char* insql1 = NULL;
8703 char* insql2 = NULL;
/* datetime comes from a "now" conversion that is not shown; NULL means it failed. */
8709 if (datetime == NULL) {
8710 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
8718 if (zone_id != -1) {
8721 if (policy_id != -1) {
8725 if (key_type != -1) {
8734 while (status == 0) {
8736 DbInt(row, 0, &temp_id);
8737 DbInt(row, 1, &temp_type);
/* Mark the key compromised in the update being built in sql1. */
8741 DusSetInt(&sql1,
"compromisedflag", 1, 1);
/*
 * NOTE(review): the bound is KSM_SQL_SIZE rather than sizeof sql2, which is
 * correct only if sql2 is declared with that size - confirm.  The check of
 * `size` for truncation is not among the visible lines.  datetime is spliced
 * into the statement text; it is produced internally rather than taken from
 * the user as far as the visible lines show.
 */
8802 size = snprintf(sql2,
KSM_SQL_SIZE,
"select zone_id from dnsseckeys where retire = \"%s\" and keypair_id = %d", datetime, temp_id);
8806 while (status == 0) {
8808 DbInt(row2, 0, &temp_zone_id);
8813 snprintf(buffer,
sizeof(buffer),
"%d", temp_zone_id);
8836 while (status == 0) {
8838 DbInt(row2, 0, &temp_zone_id);
8843 snprintf(buffer,
sizeof(buffer),
"%d", temp_zone_id);
8865 printf(
"Couldn't construct SQL to promote standby key\n");
/* NOTE(review): empty branch - a -1 status from the preceding call is swallowed here. */
8936 else if (status == -1) {}
8951 xmlNodePtr zone_node;
8952 xmlNodePtr adapters_node;
8953 xmlNodePtr input_node;
8954 xmlNodePtr in_ad_node;
8955 xmlNodePtr output_node;
8956 xmlNodePtr out_ad_node;
8958 root = xmlDocGetRootElement(doc);
8960 fprintf(stderr,
"empty document\n");
8963 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
8964 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
8968 zone_node = xmlNewTextChild(root, NULL, (
const xmlChar *)
"Zone", NULL);
8969 (void) xmlNewProp(zone_node, (
const xmlChar *)
"name", (
const xmlChar *)zone->
name);
8972 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"Policy", (
const xmlChar *)zone->
policy_name);
8975 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"SignerConfiguration", (
const xmlChar *)zone->
signconf);
8978 adapters_node = xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"Adapters", NULL);
8980 input_node = xmlNewTextChild(adapters_node, NULL, (
const xmlChar *)
"Input", NULL);
8981 in_ad_node = xmlNewTextChild (input_node, NULL, (
const xmlChar *)
"Adapter", (
const xmlChar *)zone->
input);
8983 if (zone->
in_type[0] ==
'\0') {
8984 (void) xmlNewProp(in_ad_node, (
const xmlChar *)
"type", (
const xmlChar *)
"File");
8986 (void) xmlNewProp(in_ad_node, (
const xmlChar *)
"type", (
const xmlChar *)zone->
in_type);
8990 output_node = xmlNewTextChild(adapters_node, NULL, (
const xmlChar *)
"Output", NULL);
8991 out_ad_node = xmlNewTextChild (output_node, NULL, (
const xmlChar *)
"Adapter", (
const xmlChar *)zone->
output);
8994 (void) xmlNewProp(out_ad_node, (
const xmlChar *)
"type", (
const xmlChar *)
"File");
8996 (void) xmlNewProp(out_ad_node, (
const xmlChar *)
"type", (
const xmlChar *)zone->
out_type);
9010 len = strlen(
string);
9012 for (i = 0; i < len; ++i) {
9013 if (
string[i] ==
'\'') {
9018 buffer[j++] =
string[i];
9022 return ( (j <= buflen) ? 0 : 1);
9027 char* signconf = NULL;
9028 char* moved_signconf = NULL;
9029 char* zone_name = NULL;
9033 xmlDocPtr doc = NULL;
9035 xmlXPathContextPtr xpathCtx = NULL;
9036 xmlXPathObjectPtr xpathObj = NULL;
9038 xmlChar *node_expr = (
unsigned char*)
"//Zone";
9040 doc = xmlParseFile(zonelist_filename);
9042 printf(
"Error: unable to parse file \"%s\"\n", zonelist_filename);
9046 xpathCtx = xmlXPathNewContext(doc);
9047 if(xpathCtx == NULL) {
9053 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
9054 if(xpathObj == NULL) {
9055 xmlXPathFreeContext(xpathCtx);
9060 if (xpathObj->nodesetval) {
9061 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
9063 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
9064 zone_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
9066 if (all_flag || (strlen(zone_name) == strlen(o_zone) &&
9067 strncmp(zone_name, o_zone, strlen(zone_name)) == 0)) {
9071 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"SignerConfiguration")) {
9072 StrAppend(&signconf, (
char *) xmlNodeGetContent(curNode));
9074 StrAppend(&moved_signconf,
".ZONE_DELETED");
9076 status = rename(signconf, moved_signconf);
9077 if (status != 0 && errno != ENOENT)
9080 printf(
"Could not rename: %s -> %s", signconf, moved_signconf);
9090 curNode = curNode->next;
9126 char* temp_zone = NULL;
9127 int temp_policy = 0;
9128 char* temp_location = NULL;
9135 hsm_key_t *key = NULL;
9136 ldns_rr *dnskey_rr = NULL;
9137 hsm_sign_params_t *sign_params = NULL;
9141 char* ds_buffer = NULL;
9144 status = hsm_open(
config, hsm_prompt_pin);
9146 hsm_print_error(NULL);
9151 "select name, kv.policy_id, location, algorithm from KEYDATA_VIEW kv, zones z where keytype = 257 and state in (3,7) and zone_id = z.id ");
9152 if (zone_id != -1) {
9165 while (status == 0) {
9168 DbInt(row, 1, &temp_policy);
9170 DbInt(row, 3, &temp_algo);
9173 key = hsm_find_key_by_id(NULL, temp_location);
9176 printf(
"Key %s in DB but not repository.", temp_location);
9184 printf(
"\n*** Found DNSKEY RECORD involved with rollover:\n");
9186 sign_params = hsm_sign_params_new();
9187 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, temp_zone);
9188 sign_params->algorithm = temp_algo;
9189 sign_params->flags = LDNS_KEY_ZONE_KEY;
9190 sign_params->flags += LDNS_KEY_SEP_KEY;
9191 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
9196 ldns_rr_set_ttl(dnskey_rr, rrttl);
9199 ds_buffer = ldns_rr2str(dnskey_rr);
9200 ldns_rr_free(dnskey_rr);
9203 for (i = 0; ds_buffer[i]; ++i) {
9204 if (ds_buffer[i] ==
'\t') {
9210 printf(
"%s", ds_buffer);
9211 printf(
"\nOnce the DS record for this DNSKEY is seen in DNS you can issue the ds-seen command for zone %s with the cka_id %s\n", temp_zone, temp_location);
9217 hsm_sign_params_free(sign_params);