42 #include <libxml/xmlreader.h>
43 #include <libxml/xpath.h>
60 #include "libhsmdns.h"
66 log_msg(NULL, LOG_ERR,
"Error in server_init, no config provided");
72 config->
pidfile = OPENDNSSEC_ENFORCER_PIDFILE;
90 hsm_ctx_t *ctx = NULL;
91 char *hsm_error_message = NULL;
94 char *lock_filename = NULL;
97 log_msg(NULL, LOG_ERR,
"Error in server_main, no config provided");
102 if (policy == NULL) {
103 log_msg(config, LOG_ERR,
"Malloc for policy struct failed");
111 log_msg(config, LOG_ERR,
"Error reading config");
119 result = hsm_open(config->
configfile, hsm_prompt_pin, NULL);
121 result = hsm_open(OPENDNSSEC_CONFIG_FILE, hsm_prompt_pin, NULL);
124 hsm_error_message = hsm_get_error(ctx);
125 if (hsm_error_message) {
126 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
127 free(hsm_error_message);
133 log_msg(config, LOG_ERR,
"hsm_open() result: HSM error");
135 case HSM_PIN_INCORRECT:
136 log_msg(config, LOG_ERR,
"hsm_open() result: incorrect PIN");
138 case HSM_CONFIG_FILE_ERROR:
139 log_msg(config, LOG_ERR,
"hsm_open() result: config file error");
141 case HSM_REPOSITORY_NOT_FOUND:
142 log_msg(config, LOG_ERR,
"hsm_open() result: repository not found");
144 case HSM_NO_REPOSITORIES:
145 log_msg(config, LOG_ERR,
"hsm_open() result: no repositories");
148 log_msg(config, LOG_ERR,
"hsm_open() result: %d", result);
153 log_msg(config, LOG_INFO,
"HSM opened successfully.");
154 ctx = hsm_create_context();
157 log_msg(config, LOG_INFO,
"Checking database connection...");
159 log_msg(config, LOG_ERR,
"Database connection failed");
162 log_msg(config, LOG_INFO,
"Database connection ok.");
166 log_msg(config, LOG_ERR,
"cannot write the pidfile %s: %s",
167 config->
pidfile, strerror(errno));
176 log_msg(config, LOG_ERR,
"Error reading config");
186 lock_filename = NULL;
190 lock_fd = fopen(lock_filename,
"w");
194 log_msg(config, LOG_ERR,
"Error getting db lock");
200 log_msg(config, LOG_INFO,
"Connecting to Database...");
208 while (status == 0) {
209 log_msg(config, LOG_INFO,
"Policy %s found.", policy->name);
217 if (policy->denial->version == 3)
222 log_msg(config, LOG_ERR,
"Error (%d) updating salt for %s", status, policy->name);
235 if (policy->keys->purge != -1) {
236 status =
do_purge(policy->keys->purge, policy->id);
243 log_msg(config, LOG_ERR,
"Error querying KASP DB for policies.");
256 log_msg(config, LOG_INFO,
"Disconnecting from Database...");
263 log_msg(config, LOG_ERR,
"Error releasing db lock");
270 if (config->
once ==
true ){
271 log_msg(config, LOG_INFO,
"Running once only, exiting...");
276 if (config->
term == 1 ){
277 log_msg(config, LOG_INFO,
"Received SIGTERM, exiting...");
281 if (config->
term == 2 ){
282 log_msg(config, LOG_INFO,
"Received SIGINT, exiting...");
289 log_msg(config, LOG_INFO,
"Sleeping for %i seconds.",config->
interval);
290 select(0, NULL, NULL, NULL, &tv);
293 if (config->
term == 1 ){
294 log_msg(config, LOG_INFO,
"Received SIGTERM, exiting...");
298 if (config->
term == 2 ){
299 log_msg(config, LOG_INFO,
"Received SIGINT, exiting...");
313 hsm_destroy_context(ctx);
316 result = hsm_close();
317 log_msg(config, LOG_INFO,
"all done! hsm_close result: %d", result);
321 if (unlink(config->
pidfile) == -1) {
322 log_msg(config, LOG_ERR,
"unlink pidfile %s failed: %s",
338 hsm_key_t *key = NULL;
339 char *hsm_error_message = NULL;
343 int keys_in_queue = 0;
345 unsigned int current_count = 0;
348 int ksks_created = 0;
354 log_msg(config, LOG_INFO,
"Key sharing is On");
356 log_msg(config, LOG_INFO,
"Key sharing is Off.");
362 if (rightnow == NULL) {
363 log_msg(config, LOG_DEBUG,
"Couldn't turn \"now\" into a date, quitting...");
383 if (zone_count == 0) {
384 log_msg(config, LOG_INFO,
"No zones on policy %s, skipping...", policy->
name);
389 log_msg(NULL, LOG_ERR,
"Could not count zones on policy %s", policy->
name);
393 log_msg(config, LOG_INFO,
"%d zone(s) found on policy \"%s\"\n", zone_count, policy->
name);
398 log_msg(NULL, LOG_ERR,
"Could not predict ksk requirement for next interval for %s", policy->
name);
404 log_msg(NULL, LOG_ERR,
"Could not count current ksk numbers for policy %s", policy->
name);
409 new_keys = ksks_needed - keys_in_queue;
414 current_count = hsm_count_keys_repository(ctx, policy->
ksk->
sm_name);
416 log_msg(config, LOG_ERR,
"Repository %s is full, cannot create more KSKs for policy %s\n", policy->
ksk->
sm_name, policy->
name);
420 log_msg(config, LOG_WARNING,
"Repository %s is nearly full, will create %lu KSKs for policy %s (reduced from %d)\n", policy->
ksk->
sm_name, policy->
ksk->
sm_capacity - current_count, policy->
name, new_keys);
424 if (new_keys <= 0 ) {
425 log_msg(config, LOG_INFO,
"No new KSKs need to be created.\n");
428 log_msg(config, LOG_INFO,
"%d new KSK(s) (%d bits) need to be created.\n", new_keys, policy->
ksk->
bits);
432 for (i=new_keys ; i > 0 ; i--){
433 if (hsm_supported_algorithm(policy->
ksk->
algorithm) == 0) {
437 log_msg(config, LOG_DEBUG,
"Created key in repository %s", policy->
ksk->
sm_name);
439 log_msg(config, LOG_ERR,
"Error creating key in repository %s", policy->
ksk->
sm_name);
440 hsm_error_message = hsm_get_error(ctx);
441 if (hsm_error_message) {
442 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
443 free(hsm_error_message);
448 id = hsm_get_key_id(ctx, key);
452 log_msg(config, LOG_ERR,
"Error creating key in Database");
453 hsm_error_message = hsm_get_error(ctx);
454 if (hsm_error_message) {
455 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
456 free(hsm_error_message);
461 log_msg(config, LOG_INFO,
"Created KSK size: %i, alg: %i with id: %s in repository: %s and database.", policy->
ksk->
bits,
465 log_msg(config, LOG_ERR,
"Key algorithm %d unsupported by libhsm, exiting...", policy->
ksk->
algorithm);
470 ksks_created = new_keys;
480 log_msg(NULL, LOG_ERR,
"Could not predict zsk requirement for next intervalfor %s", policy->
name);
486 log_msg(NULL, LOG_ERR,
"Could not count current zsk numbers for policy %s", policy->
name);
492 keys_in_queue -= ksks_needed;
495 new_keys = zsks_needed - keys_in_queue;
500 current_count = hsm_count_keys_repository(ctx, policy->
zsk->
sm_name);
502 log_msg(config, LOG_ERR,
"Repository %s is full, cannot create more ZSKs for policy %s\n", policy->
zsk->
sm_name, policy->
name);
506 log_msg(config, LOG_WARNING,
"Repository %s is nearly full, will create %lu ZSKs for policy %s (reduced from %d)\n", policy->
zsk->
sm_name, policy->
zsk->
sm_capacity - current_count, policy->
name, new_keys);
511 if (new_keys <= 0 ) {
513 log_msg(config, LOG_INFO,
"No new ZSKs need to be created.\n");
516 log_msg(config, LOG_INFO,
"%d new ZSK(s) (%d bits) need to be created.\n", new_keys, policy->
zsk->
bits);
520 for (i = new_keys ; i > 0 ; i--) {
521 if (hsm_supported_algorithm(policy->
zsk->
algorithm) == 0) {
525 log_msg(config, LOG_DEBUG,
"Created key in repository %s", policy->
zsk->
sm_name);
527 log_msg(config, LOG_ERR,
"Error creating key in repository %s", policy->
zsk->
sm_name);
528 hsm_error_message = hsm_get_error(ctx);
529 if (hsm_error_message) {
530 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
531 free(hsm_error_message);
537 id = hsm_get_key_id(ctx, key);
541 log_msg(config, LOG_ERR,
"Error creating key in Database");
542 hsm_error_message = hsm_get_error(ctx);
543 if (hsm_error_message) {
544 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
545 free(hsm_error_message);
550 log_msg(config, LOG_INFO,
"Created ZSK size: %i, alg: %i with id: %s in repository: %s and database.", policy->
zsk->
bits,
554 log_msg(config, LOG_ERR,
"Key algorithm %d unsupported by libhsm, exiting...", policy->
zsk->
algorithm);
563 log_msg(config, LOG_INFO,
"NOTE: keys generated in repository %s will not become active until they have been backed up", policy->
ksk->
sm_name);
566 log_msg(config, LOG_INFO,
"NOTE: keys generated in repository %s will not become active until they have been backed up", policy->
zsk->
sm_name);
577 xmlTextReaderPtr reader = NULL;
578 xmlDocPtr doc = NULL;
579 xmlXPathContextPtr xpathCtx = NULL;
580 xmlXPathObjectPtr xpathObj = NULL;
583 char* zonelist_filename = NULL;
585 char* current_policy;
586 char* current_filename;
590 char* ksk_expected = NULL;
592 xmlChar *name_expr = (
unsigned char*)
"name";
593 xmlChar *policy_expr = (
unsigned char*)
"//Zone/Policy";
594 xmlChar *filename_expr = (
unsigned char*)
"//Zone/SignerConfiguration";
596 char* temp_char = NULL;
599 char* datetime = NULL;
610 log_msg(NULL, LOG_ERR,
"couldn't read zonelist filename");
616 reader = xmlNewTextReaderFilename(zonelist_filename);
617 if (reader != NULL) {
618 ret = xmlTextReaderRead(reader);
620 tag_name = (
char*) xmlTextReaderLocalName(reader);
622 if (strncmp(tag_name,
"Zone", 4) == 0
623 && strncmp(tag_name,
"ZoneList", 8) != 0
624 && xmlTextReaderNodeType(reader) == 1) {
627 temp_char = (
char*) xmlTextReaderGetAttribute(reader, name_expr);
631 if (zone_name == NULL) {
633 log_msg(NULL, LOG_ERR,
"Error extracting zone name from %s", zonelist_filename);
635 ret = xmlTextReaderRead(reader);
641 log_msg(config, LOG_INFO,
"Zone %s found.", zone_name);
645 if (status != 0 || zone_id == -1)
648 log_msg(NULL, LOG_ERR,
"Error looking up zone \"%s\" in database (please make sure that the zonelist file is up to date)", zone_name);
650 ret = xmlTextReaderRead(reader);
657 xmlTextReaderExpand(reader);
658 doc = xmlTextReaderCurrentDoc(reader);
660 log_msg(config, LOG_ERR,
"Error: can not read zone \"%s\"; skipping", zone_name);
662 ret = xmlTextReaderRead(reader);
670 xpathCtx = xmlXPathNewContext(doc);
671 if(xpathCtx == NULL) {
672 log_msg(config, LOG_ERR,
"Error: can not create XPath context for \"%s\"; skipping zone", zone_name);
674 ret = xmlTextReaderRead(reader);
682 xpathObj = xmlXPathEvalExpression(policy_expr, xpathCtx);
683 if(xpathObj == NULL) {
684 log_msg(config, LOG_ERR,
"Error: unable to evaluate xpath expression: %s; skipping zone", policy_expr);
686 ret = xmlTextReaderRead(reader);
691 current_policy = NULL;
692 temp_char = (
char*) xmlXPathCastToString(xpathObj);
695 log_msg(config, LOG_INFO,
"Policy for %s set to %s.", zone_name, current_policy);
696 xmlXPathFreeObject(xpathObj);
698 if (strcmp(current_policy, policy->
name) != 0) {
706 log_msg(config, LOG_ERR,
"Error reading policy");
707 ret = xmlTextReaderRead(reader);
712 log_msg(config, LOG_INFO,
"Policy %s found in DB.", policy->
name);
720 xpathObj = xmlXPathEvalExpression(filename_expr, xpathCtx);
721 xmlXPathFreeContext(xpathCtx);
723 if(xpathObj == NULL) {
724 log_msg(config, LOG_ERR,
"Error: unable to evaluate xpath expression: %s; skipping zone", filename_expr);
726 ret = xmlTextReaderRead(reader);
731 current_filename = NULL;
732 temp_char = (
char*)xmlXPathCastToString(xpathObj);
735 log_msg(config, LOG_INFO,
"Config will be output to %s.", current_filename);
736 xmlXPathFreeObject(xpathObj);
741 log_msg(config, LOG_ERR,
"Error allocating zsks to zone %s", zone_name);
743 ret = xmlTextReaderRead(reader);
751 log_msg(config, LOG_ERR,
"Error allocating ksks to zone %s", zone_name);
753 ret = xmlTextReaderRead(reader);
763 log_msg(config, LOG_ERR,
"Signconf not written for %s", zone_name);
765 ret = xmlTextReaderRead(reader);
771 else if (status2 != 0) {
772 log_msg(config, LOG_ERR,
"Error writing signconf for %s", zone_name);
774 ret = xmlTextReaderRead(reader);
786 if (datetime == NULL) {
787 log_msg(config, LOG_DEBUG,
"Couldn't turn \"now\" into a date, quitting...");
795 log_msg(config, LOG_INFO,
"No active KSKs yet for zone %s, can't check for impending rollover", zone_name);
797 else if (status2 != 0) {
798 log_msg(config, LOG_ERR,
"Error checking for impending rollover for %s", zone_name);
801 status2 =
DtDateDiff(ksk_expected, datetime, &roll_time);
803 log_msg(config, LOG_ERR,
"Error checking for impending rollover for %s", zone_name);
806 if (roll_time <= config->rolloverNotify) {
807 log_msg(config, LOG_INFO,
"Rollover of KSK expected at %s for %s", ksk_expected, zone_name);
819 ret = xmlTextReaderRead(reader);
822 xmlFreeTextReader(reader);
824 log_msg(config, LOG_ERR,
"%s : failed to parse", zonelist_filename);
827 log_msg(config, LOG_ERR,
"Unable to open %s", zonelist_filename);
842 int commGenSignConf(
char* zone_name,
int zone_id,
char* current_filename,
KSM_POLICY *policy,
int* signer_flag,
int run_interval,
int man_key_gen,
const char* DSSubmitCmd)
854 char *signer_command;
860 if (datetime == NULL) {
861 log_msg(NULL, LOG_DEBUG,
"Couldn't turn \"now\" into a date, quitting...");
865 if (zone_name == NULL || current_filename == NULL || policy == NULL)
868 log_msg(NULL, LOG_ERR,
"commGenSignConf, NULL policy or zone provided");
874 StrAppend(&old_filename, current_filename);
877 temp_filename = NULL;
878 StrAppend(&temp_filename, current_filename);
881 file = fopen(temp_filename,
"w");
886 log_msg(NULL, LOG_ERR,
"Could not open: %s", temp_filename);
893 fprintf(file,
"<SignerConfiguration>\n");
894 fprintf(file,
"\t<Zone name=\"%s\">\n", zone_name);
896 fprintf(file,
"\t\t<Signatures>\n");
897 fprintf(file,
"\t\t\t<Resign>PT%dS</Resign>\n", policy->
signature->
resign);
898 fprintf(file,
"\t\t\t<Refresh>PT%dS</Refresh>\n", policy->
signer->
refresh);
899 fprintf(file,
"\t\t\t<Validity>\n");
902 fprintf(file,
"\t\t\t</Validity>\n");
903 fprintf(file,
"\t\t\t<Jitter>PT%dS</Jitter>\n", policy->
signer->
jitter);
904 fprintf(file,
"\t\t\t<InceptionOffset>PT%dS</InceptionOffset>\n", policy->
signature->
clockskew);
905 fprintf(file,
"\t\t</Signatures>\n");
909 fprintf(file,
"\t\t<Denial>\n");
912 fprintf(file,
"\t\t\t<NSEC3>\n");
915 fprintf(file,
"\t\t\t\t<OptOut />\n");
917 fprintf(file,
"\t\t\t\t<Hash>\n");
918 fprintf(file,
"\t\t\t\t\t<Algorithm>%d</Algorithm>\n", policy->
denial->
algorithm);
919 fprintf(file,
"\t\t\t\t\t<Iterations>%d</Iterations>\n", policy->
denial->
iteration);
921 fprintf(file,
"\t\t\t\t\t<Salt>-</Salt>\n");
923 fprintf(file,
"\t\t\t\t\t<Salt>%s</Salt>\n", policy->
denial->
salt);
925 fprintf(file,
"\t\t\t\t</Hash>\n");
926 fprintf(file,
"\t\t\t</NSEC3>\n");
928 fprintf(file,
"\t\t\t<NSEC />\n");
931 fprintf(file,
"\t\t</Denial>\n");
936 fprintf(file,
"\t\t<Keys>\n");
937 fprintf(file,
"\t\t\t<TTL>PT%dS</TTL>\n", policy->
ksk->
ttl);
946 log_msg(NULL, LOG_ERR,
"KsmRequestKeys returned: %d", status);
952 if (status2 == 0 && gencnt == 0) {
953 if(man_key_gen == 1) {
954 log_msg(NULL, LOG_ERR,
"There are no KSKs in the generate state; please use \"ods-ksmutil key generate\" to create some.");
956 log_msg(NULL, LOG_WARNING,
"There are no KSKs in the generate state; ods-enforcerd will create some on its next run.");
959 else if (status2 == 0) {
961 if (status2 == 0 && gencnt == 0) {
962 if(man_key_gen == 1) {
963 log_msg(NULL, LOG_ERR,
"There are no ZSKs in the generate state; please use \"ods-ksmutil key generate\" to create some.");
965 log_msg(NULL, LOG_WARNING,
"There are no ZSKs in the generate state; ods-enforcerd will create some on its next run.");
970 log_msg(NULL, LOG_ERR,
"KsmRequestGenerateCount returned: %d", status2);
974 status = fclose(file);
975 unlink(temp_filename);
983 fprintf(file,
"\t\t</Keys>\n");
987 fprintf(file,
"\t\t<SOA>\n");
988 fprintf(file,
"\t\t\t<TTL>PT%dS</TTL>\n", policy->
signer->
soattl);
989 fprintf(file,
"\t\t\t<Minimum>PT%dS</Minimum>\n", policy->
signer->
soamin);
991 fprintf(file,
"\t\t</SOA>\n");
993 if (strncmp(policy->
audit,
"NULL", 4) != 0) {
995 fprintf(file,
"\t\t<Audit />\n");
999 fprintf(file,
"\t</Zone>\n");
1000 fprintf(file,
"</SignerConfiguration>\n");
1019 status = fclose(file);
1024 log_msg(NULL, LOG_ERR,
"Could not close: %s", temp_filename);
1031 file = fopen(temp_filename,
"rb");
1035 log_msg(NULL, LOG_ERR,
"Could not reopen: %s", temp_filename);
1041 file2 = fopen(current_filename,
"rb");
1044 if (file2 != NULL) {
1046 while(!feof(file)) {
1047 char1 = fgetc(file);
1049 log_msg(NULL, LOG_ERR,
"Could not read: %s", temp_filename);
1056 char2 = fgetc(file2);
1058 log_msg(NULL, LOG_ERR,
"Could not read: %s", current_filename);
1065 if(char1 != char2) {
1071 status = fclose(file2);
1074 log_msg(NULL, LOG_ERR,
"Could not close: %s", current_filename);
1082 status = fclose(file);
1085 log_msg(NULL, LOG_ERR,
"Could not close: %s", temp_filename);
1096 status = rename(current_filename, old_filename);
1097 if (status != 0 && status != -1)
1100 log_msg(NULL, LOG_ERR,
"Could not rename: %s -> %s", current_filename, old_filename);
1107 if (rename(temp_filename, current_filename) != 0)
1109 log_msg(NULL, LOG_ERR,
"Could not rename: %s -> %s", temp_filename, current_filename);
1115 if (*signer_flag == 1) {
1121 signer_command = NULL;
1122 StrAppend(&signer_command, SIGNER_CLI_UPDATE);
1126 status = system(signer_command);
1129 log_msg(NULL, LOG_ERR,
"Could not call signer engine");
1130 log_msg(NULL, LOG_INFO,
"Will continue: call 'ods-signer update' to manually update zones");
1138 log_msg(NULL, LOG_INFO,
"No change to: %s", current_filename);
1139 if (
remove(temp_filename) != 0)
1141 log_msg(NULL, LOG_ERR,
"Could not remove: %s", temp_filename);
1150 log_msg(NULL, LOG_INFO,
"DSChanged");
1151 status =
NewDSSet(zone_id, zone_name, DSSubmitCmd);
1166 FILE *file = (FILE *)context;
1168 fprintf(file,
"\t\t\t<Key>\n");
1169 fprintf(file,
"\t\t\t\t<Flags>%d</Flags>\n", key_data->
keytype);
1170 fprintf(file,
"\t\t\t\t<Algorithm>%d</Algorithm>\n", key_data->
algorithm);
1171 fprintf(file,
"\t\t\t\t<Locator>%s</Locator>\n", key_data->
location);
1175 fprintf(file,
"\t\t\t\t<KSK />\n");
1179 fprintf(file,
"\t\t\t\t<ZSK />\n");
1183 fprintf(file,
"\t\t\t\t<Publish />\n");
1185 fprintf(file,
"\t\t\t</Key>\n");
1186 fprintf(file,
"\n");
1224 int keys_needed = 0;
1225 int keys_in_queue = 0;
1226 int keys_pending_retirement = 0;
1228 int key_pair_id = 0;
1235 if (datetime == NULL) {
1236 log_msg(NULL, LOG_DEBUG,
"Couldn't turn \"now\" into a date, quitting...");
1240 if (policy == NULL) {
1241 log_msg(NULL, LOG_ERR,
"NULL policy sent to allocateKeysToZone");
1247 log_msg(NULL, LOG_ERR,
"Unknown keytype: %i in allocateKeysToZone", key_type);
1261 status =
KsmKeyPredict(policy->
id, key_type, 1, interval, &keys_needed, rollover_scheme, 1);
1263 log_msg(NULL, LOG_ERR,
"Could not predict key requirement for next interval for %s", zone_name);
1271 log_msg(NULL, LOG_ERR,
"Could not count current key numbers for zone %s", zone_name);
1279 log_msg(NULL, LOG_ERR,
"Could not count keys which may retire before the next run (for zone %s)", zone_name);
1285 new_keys = keys_needed - (keys_in_queue - keys_pending_retirement);
1290 for (i=0 ; i < new_keys ; i++){
1294 if (status == -1 || key_pair_id == 0) {
1295 if (man_key_gen == 0) {
1296 log_msg(NULL, LOG_WARNING,
"Not enough keys to satisfy ksk policy for zone: %s", zone_name);
1297 log_msg(NULL, LOG_WARNING,
"ods-enforcerd will create some more keys on its next run");
1300 log_msg(NULL, LOG_ERR,
"Not enough keys to satisfy ksk policy for zone: %s", zone_name);
1301 log_msg(NULL, LOG_ERR,
"please use \"ods-ksmutil key generate\" to create some more keys.");
1305 else if (status != 0) {
1306 log_msg(NULL, LOG_ERR,
"Could not get an unallocated ksk for zone: %s", zone_name);
1311 if (status == -1 || key_pair_id == 0) {
1312 if (man_key_gen == 0) {
1313 log_msg(NULL, LOG_WARNING,
"Not enough keys to satisfy zsk policy for zone: %s", zone_name);
1314 log_msg(NULL, LOG_WARNING,
"ods-enforcerd will create some more keys on its next run");
1317 log_msg(NULL, LOG_ERR,
"Not enough keys to satisfy zsk policy for zone: %s", zone_name);
1318 log_msg(NULL, LOG_ERR,
"please use \"ods-ksmutil key generate\" to create some more keys.");
1322 else if (status != 0) {
1323 log_msg(NULL, LOG_ERR,
"Could not get an unallocated zsk for zone: %s", zone_name);
1327 if(key_pair_id > 0) {
1332 log_msg(NULL, LOG_ERR,
"KsmKeyGetUnallocated returned bad key_id %d for zone: %s; exiting...", key_pair_id, zone_name);
1346 xmlTextReaderPtr reader = NULL;
1347 xmlDocPtr doc = NULL;
1348 xmlXPathContextPtr xpathCtx = NULL;
1349 xmlXPathObjectPtr xpathObj = NULL;
1351 char* temp_char = NULL;
1352 char* tag_name = NULL;
1354 xmlChar *zonelist_expr = (
unsigned char*)
"//Common/ZoneListFile";
1357 reader = xmlNewTextReaderFilename(filename);
1358 if (reader != NULL) {
1359 ret = xmlTextReaderRead(reader);
1361 tag_name = (
char*) xmlTextReaderLocalName(reader);
1363 if (strncmp(tag_name,
"Common", 6) == 0
1364 && xmlTextReaderNodeType(reader) == 1) {
1367 xmlTextReaderExpand(reader);
1368 doc = xmlTextReaderCurrentDoc(reader);
1370 log_msg(NULL, LOG_ERR,
"Error: can not read Common section of %s", filename);
1372 ret = xmlTextReaderRead(reader);
1376 xpathCtx = xmlXPathNewContext(doc);
1377 if(xpathCtx == NULL) {
1378 log_msg(NULL, LOG_ERR,
"Error: can not create XPath context for Common section");
1380 ret = xmlTextReaderRead(reader);
1385 xpathObj = xmlXPathEvalExpression(zonelist_expr, xpathCtx);
1386 if(xpathObj == NULL) {
1387 log_msg(NULL, LOG_ERR,
"Error: unable to evaluate xpath expression: %s", zonelist_expr);
1389 ret = xmlTextReaderRead(reader);
1392 *zone_list_filename = NULL;
1393 temp_char = (
char *)xmlXPathCastToString(xpathObj);
1394 StrAppend(zone_list_filename, temp_char);
1396 xmlXPathFreeObject(xpathObj);
1397 log_msg(NULL, LOG_INFO,
"zonelist filename set to %s.", *zone_list_filename);
1400 ret = xmlTextReaderRead(reader);
1403 xmlFreeTextReader(reader);
1405 log_msg(NULL, LOG_ERR,
"%s : failed to parse", filename);
1409 log_msg(NULL, LOG_ERR,
"Unable to open %s", filename);
1413 xmlXPathFreeContext(xpathCtx);
1455 char* temp_loc = NULL;
1461 hsm_key_t *key = NULL;
1463 log_msg(NULL, LOG_DEBUG,
"Purging keys...");
1468 if (rightnow == NULL) {
1469 log_msg(NULL, LOG_DEBUG,
"Couldn't turn \"now\" into a date, quitting...");
1474 StrAppend(&sql,
"select distinct id, location from KEYDATA_VIEW where state = 6 ");
1476 if (policy_id != -1) {
1488 while (status == 0) {
1490 DbInt(row, 0, &temp_id);
1498 nchar = snprintf(buffer,
sizeof(buffer),
1499 " or state = %d and DEAD > DATE_ADD('%s', INTERVAL -%d SECOND)) ",
KSM_STATE_DEAD, rightnow, interval);
1501 nchar = snprintf(buffer,
sizeof(buffer),
1502 " or state = %d and DEAD > DATETIME('%s', '-%d SECONDS')) ",
KSM_STATE_DEAD, rightnow, interval);
1505 if (nchar >=
sizeof(buffer)) {
1506 log_msg(NULL, LOG_ERR,
"Error: failed to create SQL statement to purge keys\n");
1563 key = hsm_find_key_by_id(NULL, temp_loc);
1566 log_msg(NULL, LOG_ERR,
"Key not found: %s\n", temp_loc);
1573 status = hsm_remove_key(NULL, key);
1578 log_msg(NULL, LOG_INFO,
"Key remove successful.\n");
1580 log_msg(NULL, LOG_ERR,
"Key remove failed.\n");
1610 int NewDSSet(
int zone_id,
const char* zone_name,
const char* DSSubmitCmd) {
1624 char* count_clause = NULL;
1625 char* where_clause = NULL;
1627 int active_count = -1;
1632 char* ds_buffer = NULL;
1633 char* ds_seen_buffer = NULL;
1634 char* temp_char = NULL;
1642 hsm_key_t *key = NULL;
1643 ldns_rr *dnskey_rr = NULL;
1644 hsm_sign_params_t *sign_params = NULL;
1647 int bytes_written = -1;
1649 nchar = snprintf(buffer,
sizeof(buffer),
"(%d, %d, %d, %d, %d, %d, %d, %d)",
1653 if (nchar >=
sizeof(buffer)) {
1664 if (zone_id != -1) {
1672 log_msg(NULL, LOG_ERR,
"Error: failed to find ID of key to retire\n");
1676 if (active_count > 0) {
1679 StrAppend(&where_clause,
"select id from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
1681 StrAppend(&where_clause,
" and retire = (select min(retire) from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
1690 log_msg(NULL, LOG_ERR,
"Error: failed to find ID of key to retire\n");
1700 if (zone_id != -1) {
1722 keyids =
MemMalloc(count *
sizeof(
int));
1730 if (zone_id != -1) {
1742 while (status == 0) {
1743 status =
KsmKey(result, &data);
1774 for (j = 0; j < i; ++j) {
1778 snprintf(buffer,
sizeof(buffer),
"%d", keyids[j]);
1791 log_msg(NULL, LOG_INFO,
"DS Record set has changed, the current set looks like:");
1796 status =
KsmKey(result3, &data3);
1797 while (status == 0) {
1800 key = hsm_find_key_by_id(NULL, data3.
location);
1803 log_msg(NULL, LOG_ERR,
"Key %s in DB but not repository.", data3.
location);
1811 sign_params = hsm_sign_params_new();
1812 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone_name);
1813 sign_params->algorithm = data3.
algorithm;
1814 sign_params->flags = LDNS_KEY_ZONE_KEY;
1815 sign_params->flags += LDNS_KEY_SEP_KEY;
1816 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
1826 ldns_rr_set_ttl(dnskey_rr, rrttl);
1830 temp_char = ldns_rr2str(dnskey_rr);
1831 ldns_rr_free(dnskey_rr);
1834 for (i = 0; temp_char[i]; ++i) {
1835 if (temp_char[i] ==
'\t') {
1839 log_msg(NULL, LOG_INFO,
"%s", temp_char);
1843 for (i = 0; temp_char[i]; ++i) {
1844 if (temp_char[i] ==
';') {
1845 temp_char[i] =
'\n';
1846 temp_char[i+1] =
'\0';
1866 hsm_sign_params_free(sign_params);
1868 status =
KsmKey(result3, &data3);
1878 if (DSSubmitCmd[0] !=
'\0') {
1880 fp = popen(DSSubmitCmd,
"w");
1882 log_msg(NULL, LOG_ERR,
"Failed to run command: %s: %s", DSSubmitCmd, strerror(errno));
1885 bytes_written = fprintf(fp,
"%s", ds_buffer);
1886 if (bytes_written < 0) {
1887 log_msg(NULL, LOG_ERR,
"Failed to write to %s: %s", DSSubmitCmd, strerror(errno));
1891 if (pclose(fp) == -1) {
1892 log_msg(NULL, LOG_ERR,
"Failed to close %s: %s", DSSubmitCmd, strerror(errno));
1899 log_msg(NULL, LOG_INFO,
"Once the new DS records are seen in DNS please issue the ds-seen command for zone %s with the following cka_ids%s", zone_name, ds_seen_buffer);
1911 char *hsm_error_message = NULL;
1913 result = hsm_check_context(*ctx);
1916 if (result != HSM_OK) {
1919 hsm_destroy_context(*ctx);
1922 result = hsm_close();
1925 result = hsm_open(config->
configfile, hsm_prompt_pin, NULL);
1927 result = hsm_open(OPENDNSSEC_CONFIG_FILE, hsm_prompt_pin, NULL);
1930 hsm_error_message = hsm_get_error(*ctx);
1931 if (hsm_error_message) {
1932 log_msg(config, LOG_ERR, hsm_error_message);
1933 free(hsm_error_message);
1940 log_msg(config, LOG_ERR,
"hsm_open() result: HSM error");
1942 case HSM_PIN_INCORRECT:
1943 log_msg(config, LOG_ERR,
"hsm_open() result: incorrect PIN");
1945 case HSM_CONFIG_FILE_ERROR:
1946 log_msg(config, LOG_ERR,
"hsm_open() result: config file error");
1948 case HSM_REPOSITORY_NOT_FOUND:
1949 log_msg(config, LOG_ERR,
"hsm_open() result: repository not found");
1951 case HSM_NO_REPOSITORIES:
1952 log_msg(config, LOG_ERR,
"hsm_open() result: no repositories");
1955 log_msg(config, LOG_ERR,
"hsm_open() result: %d", result);
1961 log_msg(config, LOG_INFO,
"HSM reopened successfully.");
1962 *ctx = hsm_create_context();
1964 log_msg(config, LOG_INFO,
"HSM connection open.");