61 #include <libhsmdns.h>
62 #include <ldns/ldns.h>
64 #include <libxml/tree.h>
65 #include <libxml/parser.h>
66 #include <libxml/xpointer.h>
67 #include <libxml/xpath.h>
68 #include <libxml/xpathInternals.h>
69 #include <libxml/relaxng.h>
70 #include <libxml/xmlreader.h>
71 #include <libxml/xmlsave.h>
/* Larger of a and b.  The expansion evaluates whichever argument wins twice,
 * so never pass an expression with side effects (i++, a function call). */
#define MAX(a, b) ((a) > (b) ? (a) : (b))
77 #define DURATION_TYPE 1
81 #define ROLLOVER_TYPE 5
82 #define INT_TYPE_NO_FREE 6
85 # define MAXPATHLEN 4096
90 #define DEFAULT_LOG_FACILITY LOG_DAEMON
92 #define DEFAULT_LOG_FACILITY LOG_USER
/*
 * Path of the configuration file handed to hsm_open() by the key-export and
 * key-import commands below.  Defaults to the build-time
 * OPENDNSSEC_CONFIG_FILE; the -c/--config option in long_options is
 * presumably what repoints it at runtime — confirm in the option parser,
 * which is outside this excerpt.
 * NOTE(review): the cast drops const from a string literal.  The pointer may
 * be re-assigned, but writing through it is undefined behaviour.
 */
char *config = (char *) OPENDNSSEC_CONFIG_FILE;
/*
 * Command-line switches, presumably set once by the getopt_long loop that
 * owns long_options (later in this file) and read by the individual command
 * handlers.  Non-zero means "given".  Note the defaults that matter for an
 * operator: a plain invocation rewrites zonelist.xml, retires the superseded
 * key on ds-seen, and HUPs ods-enforcerd; the --no-* options turn those off.
 */
static int all_flag = 0;       /* --all / -a: act on every zone or policy instead of a named one */
static int ds_flag = 0;        /* --ds / -d: listed under key export in the usage text */
static int retire_flag = 1;    /* cleared by --no-retire / -f: ds-seen then leaves the old key active */
static int notify_flag = 1;    /* cleared by --no-notify / -l: no HUP of ods-enforcerd, so the change
                                * only takes full effect on the next scheduled enforcer run */
static int verbose_flag = 0;   /* --verbose / -v */
static int xml_flag = 1;       /* cleared by --no-xml / -m: zone add/delete touch the database only and
                                * the operator must run "zonelist export" to refresh zonelist.xml */
static int td_flag = 0;        /* no option in the visible part of long_options sets this — check the parser */
static int force_flag = 0;     /* no option in the visible part of long_options sets this — check the parser */
static int check_repository_flag = 0; /* --check-repository / -C: key import refuses a CKA_ID that is not in the
                                       * HSM.  By default a missing key is only warned about and is still
                                       * recorded in the database, so the enforcer may later reference a key
                                       * that cannot be used for signing. */
/*
 * Ask the running ods-enforcerd to pick up the changed database state (the
 * callers' error text calls this a HUP).  Defined further down this file,
 * outside this excerpt.  Returns 0 on success and non-zero when the daemon
 * could not be notified; the callers shown here only print a warning to
 * stderr in that case.
 */
static int restart_enforcerd(void);
133 #if defined(HAVE_SYSLOG_R) && defined(HAVE_OPENLOG_R) && defined(HAVE_CLOSELOG_R)
134 struct syslog_data sdata = SYSLOG_DATA_INIT;
137 #undef HAVE_OPENLOG_R
138 #undef HAVE_CLOSELOG_R
146 " --version aka -V\n");
154 "\tImport config into a database (deletes current contents)\n");
161 " start|stop|notify\n"
162 "\tStart, stop or SIGHUP the ods-enforcerd\n");
173 "\tUpdate database from config\n");
181 "\t--zone <zone> aka -z\n"
182 "\t[--policy <policy>] aka -p\n"
183 "\t[--signerconf <signerconf.xml>] aka -s\n"
184 "\t[--input <input>] aka -i\n"
185 "\t[--output <output>] aka -o\n"
186 "\t[--no-xml] aka -m\n");
194 "\t--zone <zone> | --all aka -z / -a\n"
195 "\t[--no-xml] aka -m\n");
209 "usage: %s [-c <config> | --config <config>] zone \n\n",
220 " repository list\n");
228 "\t--policy [policy_name] | --all aka -p / -a\n");
256 "usage: %s [-c <config> | --config <config>] \n\n",
270 "\t--zone <zone> | --all aka -z / -a\n"
272 "\t(will appear soon:\n"
273 "\t[--keystate <state>] aka -e\n"
274 "\t[--keytype <type>] aka -t\n"
285 "\t--zone <zone> | --all aka -z / -a\n"
286 "\t[--keystate <state>] aka -e\n"
287 "\t[--keytype <type>] aka -t\n"
288 "\t[--ds] aka -d\n");
296 "\t--cka_id <CKA_ID> aka -k\n"
297 "\t--repository <repository> aka -r\n"
298 "\t--zone <zone> aka -z\n"
299 "\t--bits <size> aka -b\n"
300 "\t--algorithm <algorithm> aka -g\n"
301 "\t--keystate <state> aka -e\n"
302 "\t--keytype <type> aka -t\n"
303 "\t--time <time> aka -w\n"
304 "\t[--check-repository] aka -C\n"
305 "\t[--retire <retire>] aka -y\n");
313 "\t--zone zone aka -z\n"
314 "\t--keytype <type> | --all aka -t / -a\n"
316 "\t--policy policy aka -p\n"
317 "\t--keytype <type> | --all aka -t / -a\n");
325 "\t--zone <zone> aka -z\n"
327 "\t--policy <policy> aka -p\n");
335 "\t--policy <policy> aka -p\n"
336 "\t--interval <interval> aka -n\n"
337 "\t[--zonetotal <total no. of zones>] aka -Z\n");
345 "\t--zone <zone> aka -z\n"
346 "\t--keytag <keytag> | --cka_id <CKA_ID> aka -x / -k\n");
355 "\t--zone <zone> aka -z\n"
356 "\t--keytag <keytag> | --cka_id <CKA_ID> aka -x / -k\n"
357 "\t[--no-notify|-l] aka -l\n"
358 "\t[--no-retire|-f] aka -f\n");
365 "usage: %s [-c <config> | --config <config>] \n\n",
382 "\t--repository <repository> aka -r\n"
384 "\t--repository <repository> aka -r\n"
386 "\t--repository <repository> aka -r\n"
388 "\t--repository <repository> aka -r\n"
390 "\t--repository <repository> aka -r\n");
398 "\t[--zone <zone>]\n");
406 "\t[--output <output>] aka -o\n");
414 " zonelist import\n");
421 "usage: %s [-c <config> | --config <config>] command [options]\n\n",
455 "\n\tAllowed date/time strings are of the form:\n"
457 "\tYYYYMMDD[HH[MM[SS]]] (all numeric)\n"
459 "\tor D-MMM-YYYY[:| ]HH[:MM[:SS]] (alphabetic month)\n"
460 "\tor DD-MMM-YYYY[:| ]HH[:MM[:SS]] (alphabetic month)\n"
461 "\tor YYYY-MMM-DD[:| ]HH[:MM[:SS]] (alphabetic month)\n"
463 "\tD-MM-YYYY[:| ]HH[:MM[:SS]] (numeric month)\n"
464 "\tDD-MM-YYYY[:| ]HH[:MM[:SS]] (numeric month)\n"
465 "\tor YYYY-MM-DD[:| ]HH[:MM[:SS]] (numeric month)\n"
467 "\t... and the distinction between them is given by the location of the\n"
475 "key states: GENERATE|PUBLISH|READY|ACTIVE|RETIRE|DEAD\n");
482 "key types: KSK|ZSK\n");
492 exist_file(
const char* filename) {
494 FILE *file = fopen(filename,
"r");
509 FILE* lock_fd = NULL;
510 char* zone_list_filename;
515 char *dbschema = NULL;
519 char *password = NULL;
524 char* setup_command = NULL;
525 char* lock_filename = NULL;
528 printf(
"*WARNING* This will erase all data in the database; are you sure? [y/N] ");
530 user_certain = getchar();
531 if (user_certain !=
'y' && user_certain !=
'Y') {
532 printf(
"Okay, quitting...\n");
539 status =
get_db_details(&dbschema, &host, &port, &user, &password);
558 lock_fd = fopen(lock_filename,
"w");
561 printf(
"Error getting db lock\n");
562 if (lock_fd != NULL) {
583 if (system(setup_command) != 0)
585 printf(
"Could not call db setup command:\n\t%s\n", setup_command);
601 printf(
"Couldn't fix permissions on file %s\n", dbschema);
602 printf(
"Will coninue with setup, but you may need to manually change ownership\n");
612 printf(
"Failed to connect to database, username too long.\n");
625 printf(
"Failed to connect to database, password too long.\n");
647 if (password != NULL) {
649 StrAppend(&setup_command, quoted_password);
657 if (system(setup_command) != 0)
659 printf(
"Could not call db setup command:\n\t%s\n", setup_command);
672 status =
DbConnect(&dbhandle, dbschema, host, password, user, port);
674 printf(
"Failed to connect to database\n");
697 printf(
"Failed to read conf.xml\n");
708 printf(
"Failed to update repositories\n");
720 printf(
"Failed to update policies\n");
721 printf(
"SETUP FAILED\n");
736 printf(
"Failed to update zones\n");
759 FILE* lock_fd = NULL;
760 char* zone_list_filename = NULL;
761 char* kasp_filename = NULL;
763 int done_something = 0;
768 printf(
"Failed to connect to database\n");
777 if (strncmp(qualifier,
"ZONELIST", 8) == 0 ||
778 strncmp(qualifier,
"KASP", 4) == 0 ||
779 strncmp(qualifier,
"ALL", 3) == 0) {
782 printf(
"Failed to read conf.xml\n");
792 if (strncmp(qualifier,
"CONF", 4) == 0 ||
793 strncmp(qualifier,
"ALL", 3) == 0) {
796 printf(
"Failed to update repositories\n");
798 if (strncmp(qualifier,
"ALL", 3) == 0) {
811 if (strncmp(qualifier,
"KASP", 4) == 0 ||
812 strncmp(qualifier,
"ALL", 3) == 0) {
815 printf(
"Failed to update policies\n");
828 if (strncmp(qualifier,
"ZONELIST", 8) == 0 ||
829 strncmp(qualifier,
"ALL", 3) == 0) {
832 printf(
"Failed to update zones\n");
844 if (done_something == 0) {
845 printf(
"Unrecognised command update %s. Please specify one of:\n", qualifier);
849 if (restart_enforcerd() != 0)
851 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
861 if (kasp_filename != NULL) {
864 if (zone_list_filename != NULL) {
883 FILE* lock_fd = NULL;
884 char* zonelist_filename = NULL;
885 char* backup_filename = NULL;
887 char* sig_conf_name = NULL;
888 char* input_name = NULL;
889 char* output_name = NULL;
896 xmlDocPtr doc = NULL;
902 printf(
"Couldn't malloc path: %s\n", strerror(errno));
908 printf(
"Please specify a zone with the --zone option\n");
921 StrAppend(&sig_conf_name, OPENDNSSEC_STATE_DIR);
935 StrAppend(&input_name, OPENDNSSEC_STATE_DIR);
948 StrAppend(&output_name, OPENDNSSEC_STATE_DIR);
961 if(!exist_file(input_name)){
962 printf(
"WARNING: The input file %s for zone %s does not currently exist, or is not readable. The zone will been added to the database anyway. \n",input_name,
o_zone);
970 printf(
"couldn't read zonelist\n");
985 printf(
"Failed to connect to database\n");
997 printf(
"Error, can't find policy : %s\n",
o_policy);
998 printf(
"Failed to update zones\n");
1006 status =
KsmImportZone(
o_zone, policy_id, 1, &new_zone, sig_conf_name, input_name, output_name);
1009 printf(
"Failed to Import zone %s; it already exists\n",
o_zone);
1010 }
else if (status == -3) {
1011 printf(
"Failed to Import zone %s; it already exists both with and without a trailing dot\n",
o_zone);
1013 printf(
"Failed to Import zone\n");
1027 printf(
"Can't retrieve shared-keys parameter for policy\n");
1037 printf(
"Can't retrieve shared-keys parameter for policy\n");
1048 if (data.
value == 1) {
1051 printf(
"Failed to Link Keys to zone\n");
1069 if (xml_flag == 1) {
1072 xmlKeepBlanksDefault(0);
1073 xmlTreeIndentString =
"\t";
1086 StrAppend(&backup_filename, zonelist_filename);
1088 status =
backup_file(zonelist_filename, backup_filename);
1096 status = xmlSaveFormatFile(zonelist_filename, doc, 1);
1101 printf(
"couldn't save zonelist\n");
1109 if (xml_flag == 0) {
1110 printf(
"Imported zone: %s into database only, please run \"ods-ksmutil zonelist export\" to update zonelist.xml\n",
o_zone);
1112 printf(
"Imported zone: %s\n",
o_zone);
1126 char* zonelist_filename = NULL;
1127 char* backup_filename = NULL;
1132 xmlDocPtr doc = NULL;
1139 FILE* lock_fd = NULL;
1142 if (all_flag &&
o_zone != NULL) {
1143 printf(
"can not use --all with --zone\n");
1146 else if (!all_flag &&
o_zone == NULL) {
1147 printf(
"please specify either --zone <zone> or --all\n");
1152 if (all_flag == 1) {
1153 printf(
"*WARNING* This will remove all zones from OpenDNSSEC; are you sure? [y/N] ");
1155 user_certain = getchar();
1156 if (user_certain !=
'y' && user_certain !=
'Y') {
1157 printf(
"Okay, quitting...\n");
1165 printf(
"Failed to connect to database\n");
1178 if (xml_flag == 1) {
1182 printf(
"couldn't read zonelist\n");
1207 StrAppend(&backup_filename, zonelist_filename);
1209 status =
backup_file(zonelist_filename, backup_filename);
1218 status = xmlSaveFormatFile(zonelist_filename, doc, 1);
1222 printf(
"Could not save %s\n", zonelist_filename);
1233 if (all_flag == 0) {
1236 printf(
"Couldn't find zone %s\n",
o_zone);
1246 printf(
"Error: failed to mark keys as dead in database\n");
1255 printf(
"Error: failed to remove zone%s from database\n", (all_flag == 1) ?
"s" :
"");
1261 if (all_flag == 0) {
1262 if (system(SIGNER_CLI_UPDATE) != 0)
1264 printf(
"Could not call signer engine\n");
1271 if (xml_flag == 0) {
1272 printf(
"Deleted zone: %s from database only, please run \"ods-ksmutil zonelist export\" to update zonelist.xml\n",
o_zone);
1286 FILE* lock_fd = NULL;
1288 char* zonelist_filename = NULL;
1291 xmlTextReaderPtr reader = NULL;
1293 char* tag_name = NULL;
1295 int file_zone_count = 0;
1301 char* temp_name = NULL;
1308 printf(
"couldn't read zonelist\n");
1309 if (zonelist_filename != NULL) {
1318 printf(
"Failed to connect to database\n");
1324 reader = xmlNewTextReaderFilename(zonelist_filename);
1325 if (reader != NULL) {
1326 ret = xmlTextReaderRead(reader);
1328 tag_name = (
char*) xmlTextReaderLocalName(reader);
1330 if (strncmp(tag_name,
"Zone", 4) == 0
1331 && strncmp(tag_name,
"ZoneList", 8) != 0
1332 && xmlTextReaderNodeType(reader) == 1) {
1336 ret = xmlTextReaderRead(reader);
1339 xmlFreeTextReader(reader);
1341 printf(
"%s : failed to parse\n", zonelist_filename);
1345 printf(
"Unable to open %s\n", zonelist_filename);
1350 zone_ids =
MemMalloc(file_zone_count *
sizeof(
int));
1356 if (file_zone_count != 0) {
1357 StrAppend(&sql,
"select name from zones where id not in (");
1358 for (j = 0; j < file_zone_count; ++j) {
1362 snprintf(buffer,
sizeof(buffer),
"%d", zone_ids[j]);
1367 StrAppend(&sql,
"select name from zones");
1373 while (status == 0) {
1377 printf(
"Found zone %s in DB but not zonelist.\n", temp_name);
1394 if (file_zone_count == 0) {
1395 printf(
"No zones in DB or zonelist.\n");
1421 char *case_keytype = NULL;
1422 char *case_keystate = NULL;
1423 char *zone_name = NULL;
1426 hsm_key_t *key = NULL;
1427 ldns_rr *dnskey_rr = NULL;
1428 ldns_rr *ds_sha1_rr = NULL;
1429 ldns_rr *ds_sha256_rr = NULL;
1430 hsm_sign_params_t *sign_params = NULL;
1443 int done_something = 0;
1450 if (strncmp(case_keystate,
"KEYPUBLISH", 10) == 0 || strncmp(
o_keystate,
"10", 2) == 0) {
1453 else if (strncmp(case_keystate,
"GENERATE", 8) == 0 || strncmp(
o_keystate,
"1", 1) == 0) {
1456 else if (strncmp(case_keystate,
"PUBLISH", 7) == 0 || strncmp(
o_keystate,
"2", 1) == 0) {
1459 else if (strncmp(case_keystate,
"READY", 5) == 0 || strncmp(
o_keystate,
"3", 1) == 0) {
1462 else if (strncmp(case_keystate,
"ACTIVE", 6) == 0 || strncmp(
o_keystate,
"4", 1) == 0) {
1465 else if (strncmp(case_keystate,
"RETIRE", 6) == 0 || strncmp(
o_keystate,
"5", 1) == 0) {
1468 else if (strncmp(case_keystate,
"DEAD", 4) == 0 || strncmp(
o_keystate,
"6", 1) == 0) {
1471 else if (strncmp(case_keystate,
"DSSUB", 5) == 0 || strncmp(
o_keystate,
"7", 1) == 0) {
1474 else if (strncmp(case_keystate,
"DSPUBLISH", 9) == 0 || strncmp(
o_keystate,
"8", 1) == 0) {
1477 else if (strncmp(case_keystate,
"DSREADY", 7) == 0 || strncmp(
o_keystate,
"9", 1) == 0) {
1481 printf(
"Error: Unrecognised state %s; should be one of GENERATE, PUBLISH, READY, ACTIVE, RETIRE, DEAD, DSSUB, DSPUBLISH, DSREADY or KEYPUBLISH\n",
o_keystate);
1493 if (strncmp(case_keytype,
"KSK", 3) == 0 || strncmp(
o_keytype,
"257", 3) == 0) {
1496 else if (strncmp(case_keytype,
"ZSK", 3) == 0 || strncmp(
o_keytype,
"256", 3) == 0) {
1500 printf(
"Error: Unrecognised keytype %s; should be one of KSK or ZSK\n",
o_keytype);
1511 printf(
"Failed to connect to database\n");
1523 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
1529 status = hsm_open(
config, hsm_prompt_pin, NULL);
1531 hsm_print_error(NULL);
1536 if (state_id != -1) {
1539 nchar = snprintf(buffer,
sizeof(buffer),
"(%d, %d, %d, %d, %d, %d)",
1542 if (nchar >=
sizeof(buffer)) {
1551 if (zone_id != -1) {
1559 status =
KsmKey(result, &data);
1560 while (status == 0) {
1563 key = hsm_find_key_by_id(NULL, data.
location);
1566 printf(
"Key %s in DB but not repository\n", data.
location);
1571 sign_params = hsm_sign_params_new();
1573 if (zone_id == -1) {
1576 printf(
"Error: unable to find zone name for id %d\n", zone_id);
1577 hsm_sign_params_free(sign_params);
1581 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone_name);
1585 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
o_zone);
1588 sign_params->algorithm = data.
algorithm;
1589 sign_params->flags = LDNS_KEY_ZONE_KEY;
1591 sign_params->flags += LDNS_KEY_SEP_KEY;
1593 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
1594 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
1610 ldns_rr_set_ttl(dnskey_rr, rrttl);
1615 ldns_rr_print(stdout, dnskey_rr);
1627 ldns_rr_set_ttl(dnskey_rr, rrttl);
1632 ds_sha1_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA1);
1633 ldns_rr_print(stdout, ds_sha1_rr);
1636 ds_sha256_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA256);
1637 ldns_rr_print(stdout, ds_sha256_rr);
1642 hsm_sign_params_free(sign_params);
1644 status =
KsmKey(result, &data);
1656 if (!done_something) {
1657 if (state_id != -1) {
1660 printf(
"No keys in READY state or higher to export.\n");
1666 if (dnskey_rr != NULL) {
1667 ldns_rr_free(dnskey_rr);
1669 if (ds_sha1_rr != NULL) {
1670 ldns_rr_free(ds_sha1_rr);
1672 if (ds_sha256_rr != NULL) {
1673 ldns_rr_free(ds_sha256_rr);
1693 xmlDocPtr doc = xmlNewDoc((
const xmlChar *)
"1.0");
1700 if (all_flag &&
o_policy != NULL) {
1701 printf(
"can not use --all with --policy\n");
1704 else if (!all_flag &&
o_policy == NULL) {
1705 printf(
"please specify either --policy <policy> or --all\n");
1712 printf(
"Failed to connect to database\n");
1731 policy->
zone == NULL || policy->
parent == NULL ||
1732 policy->
keys == NULL ||
1733 policy->
ksk == NULL || policy->
zsk == NULL ||
1735 fprintf(stderr,
"Malloc for policy struct failed\n");
1740 xmlKeepBlanksDefault(0);
1741 xmlTreeIndentString =
" ";
1742 root = xmlNewDocNode(doc, NULL, (
const xmlChar *)
"KASP", NULL);
1743 (void) xmlDocSetRootElement(doc, root);
1752 while (status == 0) {
1762 xmlSaveFormatFile(
"-", doc, 1);
1783 xmlDocPtr doc = xmlNewDoc((
const xmlChar *)
"1.0");
1786 int prev_policy_id = -1;
1793 printf(
"Failed to connect to database\n");
1800 fprintf(stderr,
"Malloc for zone struct failed\n");
1805 xmlKeepBlanksDefault(0);
1806 xmlTreeIndentString =
" ";
1807 root = xmlNewDocNode(doc, NULL, (
const xmlChar *)
"ZoneList", NULL);
1808 (void) xmlDocSetRootElement(doc, root);
1814 status =
KsmZone(result, zone);
1816 while (status == 0) {
1817 if (zone->
policy_id != prev_policy_id) {
1821 fprintf(stderr,
"Couldn't get name for policy with ID: %d, exiting...\n", zone->
policy_id);
1828 status =
KsmZone(result, zone);
1833 xmlSaveFormatFile(
"-", doc, 1);
1851 FILE* lock_fd = NULL;
1873 printf(
"Failed to connect to database\n");
1884 printf(
"Error, can't find zone : %s\n",
o_zone);
1904 if (data.
value == 1) {
1905 printf(
"*WARNING* This zone shares keys with others, all instances of the active key on this zone will be retired; are you sure? [y/N] ");
1907 user_certain = getchar();
1908 if (user_certain !=
'y' && user_certain !=
'Y') {
1909 printf(
"Okay, quitting...\n");
1915 status =
keyRoll(zone_id, -1, key_type);
1922 snprintf(logmsg, 256,
"Manual key rollover for key type %s on zone %s initiated" , (
o_keytype == NULL) ?
"all" :
o_keytype,
o_zone);
1923 printf(
"\n%s\n", logmsg);
1926 #ifdef HAVE_OPENLOG_R
1931 #ifdef HAVE_SYSLOG_R
1932 syslog_r(LOG_INFO, &sdata,
"%s", logmsg);
1934 syslog(LOG_INFO,
"%s", logmsg);
1936 #ifdef HAVE_CLOSELOG_R
1946 if (restart_enforcerd() != 0)
1948 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
1964 FILE* lock_fd = NULL;
1968 int zone_count = -1;
1987 printf(
"Failed to connect to database\n");
1994 printf(
"Error, can't find policy : %s\n",
o_policy);
2000 printf(
"*WARNING* This will roll all keys on the policy; are you sure? [y/N] ");
2002 user_certain = getchar();
2003 if (user_certain !=
'y' && user_certain !=
'Y') {
2004 printf(
"Okay, quitting...\n");
2019 if (zone_count == 0) {
2020 printf(
"No zones on policy; nothing to roll\n");
2025 printf(
"Couldn't count zones on policy; quitting...\n");
2030 status =
keyRoll(-1, policy_id, key_type);
2037 snprintf(logmsg, 256,
"Manual key rollover for key type %s on policy %s initiated" , (
o_keytype == NULL) ?
"all" :
o_keytype,
o_policy);
2038 printf(
"%s\n", logmsg);
2041 #ifdef HAVE_OPENLOG_R
2046 #ifdef HAVE_SYSLOG_R
2047 syslog_r(LOG_INFO, &sdata,
"%s", logmsg);
2049 syslog(LOG_INFO,
"%s", logmsg);
2051 #ifdef HAVE_CLOSELOG_R
2061 if (restart_enforcerd() != 0)
2063 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
2084 FILE* lock_fd = NULL;
2089 printf(
"Failed to connect to database\n");
2098 printf(
"Error: unable to find a policy named \"%s\" in database\n",
o_policy);
2112 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2122 printf(
"Error: failed to purge dead keys\n");
2146 FILE* lock_fd = NULL;
2151 if (datetime == NULL) {
2152 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
2159 printf(
"Failed to connect to database\n");
2169 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
2177 if (strncmp(qualifier,
"PREPARE", 7) == 0 ||
2178 strncmp(qualifier,
"DONE", 4) == 0 ) {
2181 printf(
"There were no keys to mark\n");
2183 else if (status != 0) {
2184 printf(
"Error: failed to mark pre_backup as done\n");
2189 if (strncmp(qualifier,
"PREPARE", 7) == 0) {
2191 printf(
"Marked repository %s as pre-backed up at %s\n",
o_repository, datetime);
2193 printf(
"Marked all repositories as pre-backed up at %s\n", datetime);
2200 if (strncmp(qualifier,
"COMMIT", 6) == 0 ||
2201 strncmp(qualifier,
"DONE", 4) == 0 ) {
2204 printf(
"There were no keys to mark\n");
2206 else if (status != 0) {
2207 printf(
"Error: failed to mark backup as done\n");
2213 printf(
"Marked repository %s as backed up at %s\n",
o_repository, datetime);
2215 printf(
"Marked all repositories as backed up at %s\n", datetime);
2221 if (strncmp(qualifier,
"ROLLBACK", 6) == 0 ) {
2224 printf(
"There were no keys to rollback\n");
2226 else if (status != 0) {
2227 printf(
"Error: failed to mark backup as done\n");
2233 printf(
"Rolled back pre-backup of repository %s\n",
o_repository);
2235 printf(
"Rolled back pre-backup of all repositories\n");
2256 int qualifier_id = -1;
2260 FILE* lock_fd = NULL;
2265 printf(
"Failed to connect to database\n");
2278 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2285 printf(
"Rollovers:\n");
2290 printf(
"Error: failed to list rollovers\n");
2312 int qualifier_id = -1;
2316 FILE* lock_fd = NULL;
2321 printf(
"Failed to connect to database\n");
2330 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
2336 printf(
"Backups:\n");
2340 printf(
"Error: failed to list backups\n");
2363 FILE* lock_fd = NULL;
2368 printf(
"Failed to connect to database\n");
2373 printf(
"Repositories:\n");
2378 printf(
"Error: failed to list repositories\n");
2379 if (lock_fd != NULL) {
2404 FILE* lock_fd = NULL;
2409 printf(
"Failed to connect to database\n");
2414 printf(
"Policies:\n");
2419 printf(
"Error: failed to list policies\n");
2440 int qualifier_id = -1;
2444 FILE* lock_fd = NULL;
2449 printf(
"Failed to connect to database\n");
2462 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2474 printf(
"Error: failed to list keys\n");
2501 int keytag_int = -1;
2502 int temp_key_state = -1;
2503 int temp_keypair_id = -1;
2504 char* temp_cka_id = NULL;
2509 FILE* lock_fd = NULL;
2514 if (datetime == NULL) {
2515 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
2521 printf(
"*WARNING* This will retire the currently active KSK; are you sure? [y/N] ");
2523 user_certain = getchar();
2524 if (user_certain !=
'y' && user_certain !=
'Y') {
2525 printf(
"Okay, quitting...\n");
2532 printf(
"Failed to connect to database\n");
2546 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2559 printf(
"Error: Unable to convert keytag \"%s\"; to an integer\n",
o_keytag);
2565 printf(
"Error: keytag \"%s\"; should be numeric only\n",
o_keytag);
2575 printf(
"Please provide a zone or details of the key to roll\n");
2584 printf(
"Error: failed to count active keys\n");
2591 if (key_count < 2) {
2592 printf(
"Error: completing this action would leave no active keys on zone, quitting...\n");
2601 printf(
"Error: failed to find policy for zone\n");
2610 printf(
"Old key retired\n");
2612 printf(
"Old key NOT retired\n");
2620 status =
CountKeys(&zone_id, keytag_int,
o_cka_id, &key_count, &temp_cka_id, &temp_key_state, &temp_keypair_id);
2622 printf(
"Error: failed to count keys\n");
2629 if (key_count > 1) {
2630 printf(
"More than one key matched your parameters, please include more information from the above keys\n");
2638 printf(
"No keys in the ACTIVE state matched your parameters, please check the parameters\n");
2646 printf(
"Error: failed to count active keys\n");
2653 if (key_count < 2) {
2654 printf(
"Error: completing this action would leave no active keys on zone, quitting...\n");
2663 printf(
"Error: failed to find policy for zone\n");
2674 printf(
"Key %s retired\n", temp_cka_id);
2701 int retired_count = -1;
2702 int keytag_int = -1;
2703 int temp_key_state = -1;
2704 int temp_keypair_id = -1;
2705 char* temp_cka_id = NULL;
2710 FILE* lock_fd = NULL;
2717 if (datetime == NULL) {
2718 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
2725 printf(
"Please provide a keytag or a CKA_ID for the key (CKA_ID will be used if both are provided\n");
2733 printf(
"*WARNING* This will retire the currently active KSK; are you sure? [y/N] ");
2735 user_certain = getchar();
2736 if (user_certain !=
'y' && user_certain !=
'Y') {
2737 printf(
"Okay, quitting...\n");
2744 printf(
"Failed to connect to database\n");
2755 printf(
"Please specify a zone using the --zone flag\n");
2761 else if (
o_zone != NULL) {
2768 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
2775 else if (all_flag) {
2776 printf(
"*WARNING* This will act on every zone where this key is in use; are you sure? [y/N] ");
2778 user_certain = getchar();
2779 if (user_certain !=
'y' && user_certain !=
'Y') {
2780 printf(
"Okay, quitting...\n");
2792 printf(
"Error: Unable to convert keytag \"%s\"; to an integer\n",
o_keytag);
2798 printf(
"Error: keytag \"%s\"; should be numeric only\n",
o_keytag);
2809 status =
CountKeys(&zone_id, keytag_int,
o_cka_id, &key_count, &temp_cka_id, &temp_key_state, &temp_keypair_id);
2811 printf(
"Error: failed to count keys\n");
2818 if (key_count > 1) {
2819 printf(
"More than one key matched your parameters, please include more information from the above keys\n");
2827 printf(
"Key is already active\n");
2834 if (key_count == 0) {
2835 printf(
"No keys in the READY state matched your parameters, please check the parameters\n");
2844 printf(
"Error: failed to find policy for zone\n");
2851 status =
MarkDSSeen(temp_keypair_id, zone_id, policy_id, datetime, temp_key_state);
2855 snprintf(logmsg, 256,
"Key %s made %s", temp_cka_id, (temp_key_state ==
KSM_STATE_READY) ?
"active" :
"into standby");
2856 printf(
"%s\n", logmsg);
2859 #ifdef HAVE_OPENLOG_R
2864 #ifdef HAVE_SYSLOG_R
2865 syslog_r(LOG_INFO, &sdata,
"%s", logmsg);
2867 syslog(LOG_INFO,
"%s", logmsg);
2869 #ifdef HAVE_CLOSELOG_R
2879 if (retire_flag == 1) {
2884 printf(
"Error: failed to count active keys\n");
2891 if (key_count < 2) {
2896 printf(
"Error: failed to count retired keys\n");
2905 if (retired_count != 0) {
2906 printf(
"Error: retiring a key would leave no active keys on zone, skipping...\n");
2911 if (notify_flag == 1) {
2912 if (restart_enforcerd() != 0) {
2913 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
2915 fprintf(stdout,
"Performed a HUP ods-enforcerd\n");
2918 fprintf(stdout,
"No HUP ods-enforcerd was performed as the '--no-notify' flag was specified.\n");
2919 fprintf(stdout,
"Warning: The enforcer must be manually notified or the changes will not take full effect until the next scheduled enforcer run.\n");
2929 printf(
"Old key retired\n");
2931 printf(
"Old key NOT retired\n");
2934 printf(
"Old key NOT retired\n");
2938 if (notify_flag == 1) {
2939 if (restart_enforcerd() != 0) {
2940 fprintf(stderr,
"Could not HUP ods-enforcerd\n");
2942 fprintf(stdout,
"Performed a HUP ods-enforcerd\n");
2945 fprintf(stdout,
"No HUP ods-enforcerd was performed as the '--no-notify' flag was specified.\n");
2946 fprintf(stdout,
"Warning: The enforcer must be manually notified or the changes will not take full effect until the next scheduled enforcer run.\n");
2968 char* case_keytype = NULL;
2969 char* case_algorithm = NULL;
2970 char* case_state = NULL;
2975 int cka_id_exists = -1;
2976 int keytype_id = -1;
2983 DB_ID keypair_id = 0;
2992 FILE* lock_fd = NULL;
2999 hsm_key_t *key = NULL;
3004 printf(
"Error: please specify a CKA_ID with the --cka_id <CKA_ID>\n");
3008 printf(
"Error: please specify a repository with the --repository <repository>\n");
3012 printf(
"Error: please specify a zone with the --zone <zone>\n");
3016 printf(
"Error: please specify the number of bits with the --bits <size>\n");
3020 printf(
"Error: please specify the algorithm with the --algorithm <algorithm>\n");
3024 printf(
"Error: please specify the state with the --keystate <state>\n");
3028 printf(
"Error: please specify a keytype, KSK or ZSK, with the --keytype <type>\n");
3032 printf(
"Error: please specify the time of when the key entered the given state with the --time <time>\n");
3037 status = hsm_open(
config, hsm_prompt_pin, NULL);
3039 hsm_print_error(NULL);
3042 key = hsm_find_key_by_id(NULL,
o_cka_id);
3045 if(check_repository_flag){
3046 fprintf(stderr,
"Error: No key with the CKA_ID %-33s exists in the repository %s. When the option [--check-repository] is used the key MUST exist in the repository for the key to be imported. \n",
o_cka_id,
o_repository);
3049 fprintf(stdout,
"Warning: No key with the CKA_ID %-33s exists in the repository %s. The key will be imported into the database anyway. \n",
o_cka_id,
o_repository);
3060 printf(
"Failed to connect to database\n");
3068 printf(
"Error: unable to find a repository named \"%s\" in database\n",
o_repository);
3080 printf(
"Error: unable to find a zone named \"%s\" in database\n",
o_zone);
3092 if (cka_id_exists == 1) {
3093 printf(
"Error: key with CKA_ID \"%s\" already exists in database\n",
o_cka_id);
3101 if (strncmp(case_keytype,
"KSK", 3) == 0 || strncmp(
o_keytype,
"257", 3) == 0) {
3104 else if (strncmp(case_keytype,
"ZSK", 3) == 0 || strncmp(
o_keytype,
"256", 3) == 0) {
3108 printf(
"Error: Unrecognised keytype %s; should be one of KSK or ZSK\n",
o_keytype);
3120 printf(
"Error: Unable to convert bits \"%s\"; to an integer\n",
o_size);
3125 printf(
"Error: Bits \"%s\"; should be numeric only\n",
o_size);
3143 if (status != 0 || algo_id == 0 || hsm_supported_algorithm(algo_id) != 0) {
3144 printf(
"Error: Key algorithm %s not supported; try one of RSASHA1, RSASHA1-NSEC3-SHA1 or RSASHA256\n",
o_algo);
3152 if (strncmp(case_state,
"GENERATE", 8) == 0 || strncmp(
o_keystate,
"1", 1) == 0) {
3155 else if (strncmp(case_state,
"PUBLISH", 7) == 0 || strncmp(
o_keystate,
"2", 1) == 0) {
3158 else if (strncmp(case_state,
"READY", 5) == 0 || strncmp(
o_keystate,
"3", 1) == 0) {
3161 else if (strncmp(case_state,
"ACTIVE", 6) == 0 || strncmp(
o_keystate,
"4", 1) == 0) {
3164 else if (strncmp(case_state,
"RETIRE", 6) == 0 || strncmp(
o_keystate,
"5", 1) == 0) {
3168 printf(
"Error: Unrecognised state %s; should be one of GENERATE, PUBLISH, READY, ACTIVE or RETIRE\n",
o_keystate);
3179 printf(
"Error: unable to convert \"%s\" into a date\n",
o_time);
3186 snprintf(form_time,
KSM_TIME_LENGTH,
"%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d",
3187 datetime.tm_year + 1900, datetime.tm_mon + 1, datetime.tm_mday,
3188 datetime.tm_hour, datetime.tm_min, datetime.tm_sec);
3194 printf(
"Error: unable to specify retire time for a key in state \"%s\"\n",
o_keystate);
3201 printf(
"Error: unable to convert retire time \"%s\" into a date\n",
o_retire);
3208 snprintf(form_opt_time,
KSM_TIME_LENGTH,
"%4.4d-%2.2d-%2.2d %2.2d:%2.2d:%2.2d",
3209 datetime.tm_year + 1900, datetime.tm_mon + 1, datetime.tm_mday,
3210 datetime.tm_hour, datetime.tm_min, datetime.tm_sec);
3214 form_opt_time[0] =
'\0';
3231 if (data.
value == 1) {
3232 printf(
"*WARNING* This zone shares keys with others, the key will be added to all; are you sure? [y/N] ");
3234 user_certain = getchar();
3235 if (user_certain !=
'y' && user_certain !=
'Y') {
3236 printf(
"Okay, quitting...\n");
3243 status =
KsmImportKeyPair(policy_id,
o_cka_id, repo_id, size_int, algo_id, state_id, form_time, fix_time, &keypair_id);
3245 printf(
"Error: couldn't import key\n");
3255 status =
KsmDnssecKeyCreate(zone_id, (
int) keypair_id, keytype_id, state_id, form_time, form_opt_time, &ignore);
3258 printf(
"Error: couldn't allocate key to zone(s)\n");
3263 printf(
"Key imported into zone(s)\n");
3279 FILE* lock_fd = NULL;
3282 char *dbschema = NULL;
3286 char *password = NULL;
3290 char* backup_filename = NULL;
3291 char* lock_filename;
3293 char *path = getenv(
"PWD");
3296 printf(
"Sorry, currently this utility can only backup a sqlite database file\n");
3301 status =
get_db_details(&dbschema, &host, &port, &user, &password);
3312 lock_filename = NULL;
3316 lock_fd = fopen(lock_filename,
"w");
3319 printf(
"Error getting db lock\n");
3320 if (lock_fd != NULL) {
3369 char* kasp_filename = NULL;
3370 char* zonelist_filename = NULL;
3371 char* backup_filename = NULL;
3374 FILE* lock_fd = NULL;
3383 int zone_count = -1;
3385 xmlDocPtr doc = NULL;
3388 printf(
"*WARNING* This feature is experimental and has not been fully tested; are you sure? [y/N] ");
3390 user_certain = getchar();
3391 if (user_certain !=
'y' && user_certain !=
'Y') {
3392 printf(
"Okay, quitting...\n");
3399 printf(
"Failed to read conf.xml\n");
3405 StrAppend(&backup_filename, kasp_filename);
3407 status =
backup_file(kasp_filename, backup_filename);
3416 if ((test = fopen(kasp_filename,
"ab"))==NULL) {
3417 printf(
"Cannot open kasp.xml for writing: %s\n", strerror(errno));
3426 printf(
"Failed to connect to database\n");
3443 if (policy == NULL) {
3444 printf(
"Malloc for policy struct failed\n");
3453 while (status == 0) {
3463 if (zone_count == 0) {
3464 printf(
"No zones on policy %s; purging...\n", policy->
name);
3466 size = snprintf(sql,
KSM_SQL_SIZE,
"update dnsseckeys set state = %d where keypair_id in (select id from keypairs where policy_id = %d)",
KSM_STATE_DEAD, policy->
id);
3470 printf(
"Couldn't construct SQL to kill orphaned keys\n");
3489 printf(
"Key purge failed for policy %s\n", policy->
name);
3496 sql2 =
DdsInit(
"parameters_policies");
3535 status = xmlSaveFormatFile(kasp_filename, doc, 1);
3538 printf(
"Could not save %s\n", kasp_filename);
3547 printf(
"Couldn't count zones on policy; quitting...\n");
3584 char* ods_control_cmd = NULL;
3585 char* ptr = command;
3590 *ptr = tolower((
int) *ptr);
3596 StrAppend(&ods_control_cmd, ODS_EN_CONTROL);
3599 status = system(ods_control_cmd);
3602 fprintf(stderr,
"Couldn't run %s\n", ods_control_cmd);
3618 char* case_command = NULL;
3619 char* case_verb = NULL;
3621 int option_index = 0;
3622 static struct option long_options[] =
3624 {
"all", no_argument, 0,
'a'},
3625 {
"bits", required_argument, 0,
'b'},
3626 {
"config", required_argument, 0,
'c'},
3627 {
"check-repository", no_argument, 0,
'C'},
3628 {
"ds", no_argument, 0,
'd'},
3629 {
"keystate", required_argument, 0,
'e'},
3630 {
"no-retire", no_argument, 0,
'f'},
3631 {
"algorithm", required_argument, 0,
'g'},
3632 {
"help", no_argument, 0,
'h'},
3633 {
"input", required_argument, 0,
'i'},
3634 {
"cka_id", required_argument, 0,
'k'},
3635 {
"no-notify", no_argument, 0,
'l'},
3636 {
"no-xml", no_argument, 0,
'm'},
3637 {
"interval", required_argument, 0,
'n'},
3638 {
"output", required_argument, 0,
'o'},
3639 {
"policy", required_argument, 0,
'p'},
3640 {
"repository", required_argument, 0,
'r'},
3641 {
"signerconf", required_argument, 0,
's'},
3642 {
"keytype", required_argument, 0,
't'},
3643 {
"time", required_argument, 0,
'w'},
3644 {
"verbose", no_argument, 0,
'v'},
3645 {
"version", no_argument, 0,
'V'},
3646 {
"keytag", required_argument, 0,
'x'},
3647 {
"retire", required_argument, 0,
'y'},
3648 {
"zone", required_argument, 0,
'z'},
3649 {
"zonetotal", required_argument, 0,
'Z'},
3655 while ((ch = getopt_long(argc, argv,
"ab:c:de:fg:hi:k:ln:o:p:r:s:t:vVw:x:y:z:Z", long_options, &option_index)) != -1) {
3667 check_repository_flag = 1;
3719 printf(
"%s version %s\n", PACKAGE_NAME, PACKAGE_VERSION);
3777 if (!strncmp(case_command,
"SETUP", 5)) {
3781 }
else if (!strncmp(case_command,
"UPDATE", 6)) {
3785 }
else if (!strncmp(case_command,
"START", 5) ||
3786 !strncmp(case_command,
"STOP", 4) ||
3787 !strncmp(case_command,
"NOTIFY", 6)) {
3791 }
else if (!strncmp(case_command,
"ZONE", 4) && strlen(case_command) == 4) {
3796 if (!strncmp(case_verb,
"ADD", 3)) {
3798 }
else if (!strncmp(case_verb,
"DELETE", 6)) {
3800 }
else if (!strncmp(case_verb,
"LIST", 4)) {
3803 printf(
"Unknown command: zone %s\n", case_verb);
3807 }
else if (!strncmp(case_command,
"REPOSITORY", 10)) {
3811 if (!strncmp(case_verb,
"LIST", 4)) {
3814 printf(
"Unknown command: repository %s\n", case_verb);
3818 }
else if (!strncmp(case_command,
"POLICY", 6)) {
3822 if (!strncmp(case_verb,
"EXPORT", 6)) {
3824 }
else if (!strncmp(case_verb,
"IMPORT", 6)) {
3826 }
else if (!strncmp(case_verb,
"LIST", 4)) {
3828 }
else if (!strncmp(case_verb,
"PURGE", 5)) {
3831 printf(
"Unknown command: policy %s\n", case_verb);
3835 }
else if (!strncmp(case_command,
"KEY", 3)) {
3839 if (!strncmp(case_verb,
"LIST", 4)) {
3842 else if (!strncmp(case_verb,
"EXPORT", 6)) {
3845 else if (!strncmp(case_verb,
"IMPORT", 6)) {
3848 else if (!strncmp(case_verb,
"ROLLOVER", 8)) {
3850 if (all_flag == 0 &&
o_keytype == NULL) {
3851 printf(
"Please specify either a keytype, KSK or ZSK, with the --keytype <type> option or use the --all option\n");
3864 printf(
"Please provide either a zone OR a policy to rollover\n");
3870 else if (!strncmp(case_verb,
"PURGE", 5)) {
3876 printf(
"Please provide either a zone OR a policy to key purge\n");
3881 else if (!strncmp(case_verb,
"GENERATE", 8)) {
3884 else if (!strncmp(case_verb,
"KSK-RETIRE", 10)) {
3887 else if (!strncmp(case_verb,
"DS-SEEN", 7)) {
3890 printf(
"Unknown command: key %s\n", case_verb);
3894 }
else if (!strncmp(case_command,
"BACKUP", 6)) {
3898 if (!strncmp(case_verb,
"DONE", 4) ||
3899 !strncmp(case_verb,
"PREPARE", 7) ||
3900 !strncmp(case_verb,
"COMMIT", 6) ||
3901 !strncmp(case_verb,
"ROLLBACK", 8)) {
3904 else if (!strncmp(case_verb,
"LIST", 4)) {
3907 printf(
"Unknown command: backup %s\n", case_verb);
3911 }
else if (!strncmp(case_command,
"ROLLOVER", 8)) {
3914 if (!strncmp(case_verb,
"LIST", 4)) {
3917 printf(
"Unknown command: rollover %s\n", case_verb);
3921 }
else if (!strncmp(case_command,
"DATABASE", 8)) {
3925 if (!strncmp(case_verb,
"BACKUP", 6)) {
3928 printf(
"Unknown command: database %s\n", case_verb);
3932 }
else if (!strncmp(case_command,
"ZONELIST", 8)) {
3936 if (!strncmp(case_verb,
"EXPORT", 6)) {
3939 else if (!strncmp(case_verb,
"IMPORT", 6)) {
3942 printf(
"Unknown command: zonelist %s\n", case_verb);
3947 printf(
"Unknown command: %s\n", argv[0]);
3959 xmlCleanupGlobals();
3960 xmlCleanupThreads();
3982 char *dbschema = NULL;
3986 char *password = NULL;
3990 char* backup_filename = NULL;
3991 char* lock_filename;
3994 status =
get_db_details(&dbschema, &host, &port, &user, &password);
4010 if (lock_fd != NULL) {
4011 lock_filename = NULL;
4015 *lock_fd = fopen(lock_filename,
"w");
4018 printf(
"Error getting db lock\n");
4019 if (*lock_fd != NULL) {
4042 if (lock_fd != NULL) {
4057 status =
DbConnect(dbhandle, dbschema, host, password, user, port);
4079 if (lock_fd != NULL) {
4082 printf(
"Error releasing db lock");
4103 if (lock_fd == NULL) {
4104 printf(
"%s could not be opened\n", lock_filename);
4108 memset(&fl, 0,
sizeof(
struct flock));
4109 fl.l_type = F_WRLCK;
4110 fl.l_whence = SEEK_SET;
4111 fl.l_pid = getpid();
4113 while (fcntl(fileno(lock_fd), F_SETLK, &fl) == -1) {
4114 if (errno == EACCES || errno == EAGAIN) {
4115 printf(
"%s already locked, sleep\n", lock_filename);
4120 select(0, NULL, NULL, NULL, &tv);
4123 printf(
"couldn't get lock on %s; %s\n", lock_filename, strerror(errno));
4136 if (lock_fd == NULL) {
4140 memset(&fl, 0,
sizeof(
struct flock));
4141 fl.l_type = F_UNLCK;
4142 fl.l_whence = SEEK_SET;
4144 if (fcntl(fileno(lock_fd), F_SETLK, &fl) == -1) {
4157 xmlTextReaderPtr reader = NULL;
4158 xmlDocPtr doc = NULL;
4159 xmlXPathContextPtr xpathCtx = NULL;
4160 xmlXPathObjectPtr xpathObj = NULL;
4162 char* tag_name = NULL;
4163 char* temp_char = NULL;
4165 xmlChar *zonelist_expr = (
unsigned char*)
"//Common/ZoneListFile";
4166 xmlChar *kaspfile_expr = (
unsigned char*)
"//Common/PolicyFile";
4169 reader = xmlNewTextReaderFilename(
config);
4170 if (reader != NULL) {
4171 ret = xmlTextReaderRead(reader);
4173 tag_name = (
char*) xmlTextReaderLocalName(reader);
4175 if (strncmp(tag_name,
"Common", 6) == 0
4176 && xmlTextReaderNodeType(reader) == 1) {
4179 xmlTextReaderExpand(reader);
4180 doc = xmlTextReaderCurrentDoc(reader);
4182 printf(
"Error: can not read Common section\n");
4184 ret = xmlTextReaderRead(reader);
4188 xpathCtx = xmlXPathNewContext(doc);
4189 if(xpathCtx == NULL) {
4190 printf(
"Error: can not create XPath context for Common section\n");
4192 ret = xmlTextReaderRead(reader);
4197 xpathObj = xmlXPathEvalExpression(zonelist_expr, xpathCtx);
4198 if(xpathObj == NULL) {
4199 printf(
"Error: unable to evaluate xpath expression: %s\n", zonelist_expr);
4201 ret = xmlTextReaderRead(reader);
4204 *zone_list_filename = NULL;
4205 temp_char = (
char*) xmlXPathCastToString(xpathObj);
4206 StrAppend(zone_list_filename, temp_char);
4208 xmlXPathFreeObject(xpathObj);
4209 printf(
"zonelist filename set to %s.\n", *zone_list_filename);
4212 xpathObj = xmlXPathEvalExpression(kaspfile_expr, xpathCtx);
4213 xmlXPathFreeContext(xpathCtx);
4214 if(xpathObj == NULL) {
4215 printf(
"Error: unable to evaluate xpath expression: %s\n", kaspfile_expr);
4217 ret = xmlTextReaderRead(reader);
4220 *kasp_filename = NULL;
4221 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
4225 temp_char = (
char*) xmlXPathCastToString(xpathObj);
4233 StrAppend(kasp_filename, OPENDNSSEC_CONFIG_DIR);
4236 printf(
"kasp filename set to %s.\n", *kasp_filename);
4238 xmlXPathFreeObject(xpathObj);
4241 ret = xmlTextReaderRead(reader);
4245 xmlFreeTextReader(reader);
4247 printf(
"%s : failed to parse\n",
config);
4251 printf(
"Unable to open %s\n",
config);
4268 xmlDocPtr doc = NULL;
4269 xmlXPathContextPtr xpathCtx = NULL;
4270 xmlXPathObjectPtr xpathObj = NULL;
4272 char* repo_name = NULL;
4273 char* repo_capacity = NULL;
4274 int require_backup = 0;
4277 xmlChar *node_expr = (
unsigned char*)
"//Configuration/RepositoryList/Repository";
4281 doc = xmlParseFile(
config);
4283 printf(
"Unable to open %s\n",
config);
4288 xpathCtx = xmlXPathNewContext(doc);
4289 if(xpathCtx == NULL) {
4295 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
4296 if(xpathObj == NULL) {
4297 xmlXPathFreeContext(xpathCtx);
4302 if (xpathObj->nodesetval) {
4303 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
4308 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
4309 repo_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i],
4310 (
const xmlChar *)
"name");
4312 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Capacity")) {
4313 repo_capacity = (
char *) xmlNodeGetContent(curNode);
4315 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"RequireBackup")) {
4319 curNode = curNode->next;
4322 if (strlen(repo_name) != 0) {
4324 printf(
"Repository %s found\n", repo_name);
4325 if (strlen(repo_capacity) == 0) {
4326 printf(
"No Maximum Capacity set.\n");
4332 printf(
"Capacity set to %s.\n", repo_capacity);
4338 if (require_backup == 0) {
4339 printf(
"RequireBackup NOT set; please make sure that you know the potential problems of using keys which are not recoverable\n");
4341 printf(
"RequireBackup set.\n");
4345 printf(
"Error Importing Repository %s", repo_name);
4349 printf(
"WARNING: Repository found with NULL name, skipping...\n");
4357 xmlXPathFreeObject(xpathObj);
4360 xmlXPathFreeContext(xpathCtx);
4375 char *policy_name = NULL;
4376 char *policy_description = NULL;
4379 xmlDocPtr doc = NULL;
4380 xmlDocPtr pol_doc = NULL;
4381 xmlDocPtr rngdoc = NULL;
4384 xmlNode *childNode2;
4385 xmlNode *childNode3;
4386 xmlChar *opt_out_flag = (xmlChar *)
"N";
4387 xmlChar *nsec3param_ttl = NULL ;
4388 xmlChar *share_keys_flag = (xmlChar *)
"N";
4389 xmlChar *man_roll_flag = (xmlChar *)
"N";
4390 xmlChar *rfc5011_flag = (xmlChar *)
"N";
4391 int standby_keys_flag = 0;
4392 xmlXPathContextPtr xpathCtx = NULL;
4393 xmlXPathObjectPtr xpathObj = NULL;
4394 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
4395 xmlRelaxNGValidCtxtPtr rngctx = NULL;
4396 xmlRelaxNGPtr schema = NULL;
4399 xmlChar *node_expr = (
unsigned char*)
"//Policy";
4403 int audit_found = 0;
4409 int algo_change = 0;
4411 char* changes_made = NULL;
4416 const char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/kasp.rng";
4417 char* kaspcheck_cmd = NULL;
4418 char* kaspcheck_cmd_version = NULL;
4420 StrAppend(&kaspcheck_cmd, ODS_AU_KASPCHECK);
4424 StrAppend(&kaspcheck_cmd_version, ODS_AU_KASPCHECK);
4425 StrAppend(&kaspcheck_cmd_version,
" -v > /dev/null");
4428 status = system(kaspcheck_cmd_version);
4431 status = system(kaspcheck_cmd);
4434 fprintf(stderr,
"ods-kaspcheck returned an error, please check your policy\n");
4436 StrFree(kaspcheck_cmd_version);
4442 fprintf(stderr,
"Couldn't run ods-kaspcheck (Auditor is not installed), will carry on\n");
4446 StrFree(kaspcheck_cmd_version);
4449 doc = xmlParseFile(kasp_filename);
4451 printf(
"Error: unable to parse file \"%s\"\n", kasp_filename);
4456 rngdoc = xmlParseFile(rngfilename);
4457 if (rngdoc == NULL) {
4458 printf(
"Error: unable to parse file \"%s\"\n", rngfilename);
4463 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
4464 if (rngpctx == NULL) {
4465 printf(
"Error: unable to create XML RelaxNGs parser context\n");
4470 schema = xmlRelaxNGParse(rngpctx);
4471 if (schema == NULL) {
4472 printf(
"Error: unable to parse a schema definition resource\n");
4477 rngctx = xmlRelaxNGNewValidCtxt(schema);
4478 if (rngctx == NULL) {
4479 printf(
"Error: unable to create RelaxNGs validation context based on the schema\n");
4484 status = xmlRelaxNGValidateDoc(rngctx,doc);
4486 printf(
"Error validating file \"%s\"\n", kasp_filename);
4492 if (policy == NULL) {
4493 printf(
"Malloc for policy struct failed");
4498 xpathCtx = xmlXPathNewContext(doc);
4499 if(xpathCtx == NULL) {
4506 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
4507 if(xpathObj == NULL) {
4508 xmlXPathFreeContext(xpathCtx);
4514 if (xpathObj->nodesetval) {
4520 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
4522 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
4523 policy_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
4524 if (strlen(policy_name) == 0) {
4526 printf(
"Error extracting policy name from %s\n", kasp_filename);
4539 printf(
"Error: unable to read policy %s; skipping\n", policy_name);
4544 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Keys")) {
4545 childNode = curNode->children;
4547 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"KSK")) {
4548 childNode2 = childNode->children;
4550 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
4553 status =
StrStrtoi((
char *)xmlNodeGetContent(childNode2), &value);
4555 printf(
"Error extracting KSK algorithm for policy %s, exiting...", policy_name);
4561 printf(
"\n\nAlgorithm change attempted... details:\n");
4562 StrAppend(&changes_made,
"Algorithm changes made, details:");
4565 size = snprintf(tmp_change,
KSM_MSG_LENGTH,
"Policy: %s, KSK algorithm changed from %d to %d.", policy_name, policy->
ksk->
algorithm, value);
4568 printf(
"Error constructing log message for policy %s, exiting...", policy_name);
4571 printf(
"%s\n", tmp_change);
4577 childNode2 = childNode2->next;
4582 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ZSK")) {
4583 childNode2 = childNode->children;
4585 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
4588 status =
StrStrtoi((
char *)xmlNodeGetContent(childNode2), &value);
4590 printf(
"Error extracting ZSK algorithm for policy %s, exiting...", policy_name);
4596 printf(
"\n\nAlgorithm change attempted... details:\n");
4597 StrAppend(&changes_made,
"Algorithm changes made, details:");
4600 size = snprintf(tmp_change,
KSM_MSG_LENGTH,
"Policy: %s, ZSK algorithm changed from %d to %d.", policy_name, policy->
zsk->
algorithm, value);
4603 printf(
"Error constructing log message for policy %s, exiting...", policy_name);
4606 printf(
"%s\n", tmp_change);
4612 childNode2 = childNode2->next;
4617 childNode = childNode->next;
4620 curNode = curNode->next;
4632 if (algo_change == 1 && force_flag == 0) {
4633 printf(
"*WARNING* This will change the algorithms used as noted above. Algorithm rollover is _not_ supported by OpenDNSSEC and zones may break. Are you sure? [y/N] ");
4635 user_certain = getchar();
4636 if (user_certain !=
'y' && user_certain !=
'Y') {
4637 printf(
"\nOkay, quitting...\n");
4638 xmlXPathFreeContext(xpathCtx);
4651 #ifdef HAVE_OPENLOG_R
4656 #ifdef HAVE_SYSLOG_R
4657 syslog_r(LOG_INFO, &sdata,
"%s", changes_made);
4659 syslog(LOG_INFO,
"%s", changes_made);
4661 #ifdef HAVE_CLOSELOG_R
4672 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
4674 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
4675 policy_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
4676 if (strlen(policy_name) == 0) {
4678 printf(
"Error extracting policy name from %s\n", kasp_filename);
4683 printf(
"Policy %s found\n", policy_name);
4685 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Description")) {
4686 policy_description = (
char *) xmlNodeGetContent(curNode);
4696 printf(
"Error: unable to read policy %s; skipping\n", policy_name);
4697 curNode = curNode->next;
4706 printf(
"Error: unable to insert policy %s; skipping\n", policy_name);
4713 printf(
"Error: unable to get policy id for %s; skipping\n", policy_name);
4719 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Signatures")) {
4720 childNode = curNode->children;
4722 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Resign")) {
4725 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Refresh")) {
4728 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Validity")) {
4729 childNode2 = childNode->children;
4731 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Default")) {
4734 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Denial")) {
4737 childNode2 = childNode2->next;
4740 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Jitter")) {
4743 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"InceptionOffset")) {
4746 childNode = childNode->next;
4749 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Denial")) {
4750 opt_out_flag = (xmlChar *)
"N";
4751 childNode = curNode->children;
4753 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC3")) {
4757 printf(
"Error: unable to insert/update %s for policy\n",
"Denial version");
4759 childNode2 = childNode->children;
4761 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"OptOut")) {
4762 opt_out_flag = (xmlChar *)
"Y";
4764 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Resalt")) {
4767 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
4768 nsec3param_ttl = xmlNodeGetContent(childNode2);
4770 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Hash")) {
4771 childNode3 = childNode2->children;
4773 if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Algorithm")) {
4776 else if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Iterations")) {
4779 else if (xmlStrEqual(childNode3->name, (
const xmlChar *)
"Salt")) {
4782 childNode3 = childNode3->next;
4786 childNode2 = childNode2->next;
4790 if (nsec3param_ttl == NULL)
4791 nsec3param_ttl = (xmlChar *)
StrStrdup(
"PT0S");
4793 nsec3param_ttl = NULL;
4795 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"NSEC")) {
4798 printf(
"Error: unable to insert/update %s for policy\n",
"Denial version");
4801 childNode = childNode->next;
4804 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Keys")) {
4805 share_keys_flag = (xmlChar *)
"N";
4806 childNode = curNode->children;
4808 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"TTL")) {
4811 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"RetireSafety")) {
4814 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PublishSafety")) {
4817 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ShareKeys")) {
4818 share_keys_flag = (xmlChar *)
"Y";
4820 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Purge")) {
4824 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"KSK")) {
4825 man_roll_flag = (xmlChar *)
"N";
4826 rfc5011_flag = (xmlChar *)
"N";
4827 childNode2 = childNode->children;
4829 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
4834 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
4837 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
4839 printf(
"Please either add the repository to conf.xml or remove the reference to it from kasp.xml\n");
4841 xmlFreeDoc(pol_doc);
4842 xmlXPathFreeContext(xpathCtx);
4843 xmlRelaxNGFree(schema);
4844 xmlRelaxNGFreeValidCtxt(rngctx);
4845 xmlRelaxNGFreeParserCtxt(rngpctx);
4853 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Standby")) {
4855 standby_keys_flag = 1;
4857 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"ManualRollover")) {
4858 man_roll_flag = (xmlChar *)
"Y";
4860 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"RFC5011")) {
4861 rfc5011_flag = (xmlChar *)
"Y";
4866 childNode2 = childNode2->next;
4871 if (standby_keys_flag == 0) {
4874 standby_keys_flag = 0;
4878 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"ZSK")) {
4879 man_roll_flag = (xmlChar *)
"N";
4880 childNode2 = childNode->children;
4882 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Algorithm")) {
4887 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Lifetime")) {
4890 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Repository")) {
4892 printf(
"Please either add the repository to conf.xml or remove the reference to it from kasp.xml\n");
4894 xmlFreeDoc(pol_doc);
4895 xmlXPathFreeContext(xpathCtx);
4896 xmlRelaxNGFree(schema);
4897 xmlRelaxNGFreeValidCtxt(rngctx);
4898 xmlRelaxNGFreeParserCtxt(rngpctx);
4906 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Standby")) {
4908 standby_keys_flag = 1;
4910 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"ManualRollover")) {
4911 man_roll_flag = (xmlChar *)
"Y";
4913 childNode2 = childNode2->next;
4919 childNode = childNode->next;
4923 if (standby_keys_flag == 0) {
4926 standby_keys_flag = 0;
4931 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Zone")) {
4932 childNode = curNode->children;
4934 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PropagationDelay")) {
4937 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"SOA")) {
4938 childNode2 = childNode->children;
4940 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
4943 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Minimum")) {
4946 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Serial")) {
4949 childNode2 = childNode2->next;
4952 childNode = childNode->next;
4956 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Parent")) {
4957 childNode = curNode->children;
4959 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"PropagationDelay")) {
4962 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"DS")) {
4963 childNode2 = childNode->children;
4965 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
4968 childNode2 = childNode2->next;
4971 else if (xmlStrEqual(childNode->name, (
const xmlChar *)
"SOA")) {
4972 childNode2 = childNode->children;
4974 if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"TTL")) {
4977 else if (xmlStrEqual(childNode2->name, (
const xmlChar *)
"Minimum")) {
4980 childNode2 = childNode2->next;
4983 childNode = childNode->next;
4987 else if (xmlStrEqual(curNode->name, (
const xmlChar *)
"Audit")) {
4989 childNode = curNode->children;
4991 if (xmlStrEqual(childNode->name, (
const xmlChar *)
"Partial")) {
4994 childNode = childNode->next;
4998 printf(
"Error: unable to insert Audit info for policy %s\n", policy->
name);
5002 curNode = curNode->next;
5005 if (audit_found == 0) {
5017 xmlXPathFreeContext(xpathCtx);
5018 xmlRelaxNGFree(schema);
5019 xmlRelaxNGFreeValidCtxt(rngctx);
5020 xmlRelaxNGFreeParserCtxt(rngpctx);
5032 xmlTextReaderPtr reader = NULL;
5033 xmlDocPtr doc = NULL;
5034 xmlXPathContextPtr xpathCtx = NULL;
5035 xmlXPathObjectPtr xpathObj = NULL;
5037 char* zone_name = NULL;
5038 char* policy_name = NULL;
5039 char* current_policy = NULL;
5040 char* current_signconf = NULL;
5041 char* current_input = NULL;
5042 char* current_output = NULL;
5043 char* temp_char = NULL;
5044 char* tag_name = NULL;
5047 int file_zone_count = 0;
5048 int db_zone_count = 0;
5062 xmlChar *name_expr = (
unsigned char*)
"name";
5063 xmlChar *policy_expr = (
unsigned char*)
"//Zone/Policy";
5064 xmlChar *signconf_expr = (
unsigned char*)
"//Zone/SignerConfiguration";
5065 xmlChar *input_expr = (
unsigned char*)
"//Zone/Adapters/Input/File";
5066 xmlChar *output_expr = (
unsigned char*)
"//Zone/Adapters/Output/File";
5070 reader = xmlNewTextReaderFilename(zone_list_filename);
5071 if (reader != NULL) {
5072 ret = xmlTextReaderRead(reader);
5074 tag_name = (
char*) xmlTextReaderLocalName(reader);
5076 if (strncmp(tag_name,
"Zone", 4) == 0
5077 && strncmp(tag_name,
"ZoneList", 8) != 0
5078 && xmlTextReaderNodeType(reader) == 1) {
5082 ret = xmlTextReaderRead(reader);
5085 xmlFreeTextReader(reader);
5087 printf(
"%s : failed to parse\n", zone_list_filename);
5091 printf(
"Unable to open %s\n", zone_list_filename);
5096 zone_ids =
MemMalloc(file_zone_count *
sizeof(
int));
5099 reader = xmlNewTextReaderFilename(zone_list_filename);
5100 if (reader != NULL) {
5101 ret = xmlTextReaderRead(reader);
5103 tag_name = (
char*) xmlTextReaderLocalName(reader);
5105 if (strncmp(tag_name,
"Zone", 4) == 0
5106 && strncmp(tag_name,
"ZoneList", 8) != 0
5107 && xmlTextReaderNodeType(reader) == 1) {
5110 temp_char = (
char*) xmlTextReaderGetAttribute(reader, name_expr);
5124 if (zone_name == NULL) {
5126 printf(
"Error extracting zone name from %s\n", zone_list_filename);
5128 ret = xmlTextReaderRead(reader);
5132 printf(
"Zone %s found\n", zone_name);
5135 xmlTextReaderExpand(reader);
5136 doc = xmlTextReaderCurrentDoc(reader);
5138 printf(
"Error: can not read zone \"%s\"; skipping\n", zone_name);
5140 ret = xmlTextReaderRead(reader);
5144 xpathCtx = xmlXPathNewContext(doc);
5145 if(xpathCtx == NULL) {
5146 printf(
"Error: can not create XPath context for \"%s\"; skipping zone\n", zone_name);
5148 ret = xmlTextReaderRead(reader);
5154 xpathObj = xmlXPathEvalExpression(policy_expr, xpathCtx);
5155 if(xpathObj == NULL) {
5156 printf(
"Error: unable to evaluate xpath expression: %s; skipping zone\n", policy_expr);
5158 ret = xmlTextReaderRead(reader);
5162 current_policy = NULL;
5163 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5166 printf(
"Policy set to %s.\n", current_policy);
5167 xmlXPathFreeObject(xpathObj);
5170 if (policy_name == NULL || strcmp(current_policy, policy_name) != 0) {
5172 StrAppend(&policy_name, current_policy);
5176 printf(
"Error, can't find policy : %s\n", policy_name);
5178 ret = xmlTextReaderRead(reader);
5185 xpathObj = xmlXPathEvalExpression(signconf_expr, xpathCtx);
5186 if(xpathObj == NULL) {
5187 printf(
"Error: unable to evaluate xpath expression: %s; skipping zone\n", signconf_expr);
5189 ret = xmlTextReaderRead(reader);
5193 current_signconf = NULL;
5194 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5195 StrAppend(¤t_signconf, temp_char);
5197 xmlXPathFreeObject(xpathObj);
5201 xpathObj = xmlXPathEvalExpression(input_expr, xpathCtx);
5202 if(xpathObj == NULL) {
5203 printf(
"Error: unable to evaluate xpath expression: %s; skipping zone\n", input_expr);
5205 ret = xmlTextReaderRead(reader);
5209 current_input = NULL;
5210 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5213 xmlXPathFreeObject(xpathObj);
5217 xpathObj = xmlXPathEvalExpression(output_expr, xpathCtx);
5218 xmlXPathFreeContext(xpathCtx);
5219 if(xpathObj == NULL) {
5220 printf(
"Error: unable to evaluate xpath expression: %s; skipping zone\n", output_expr);
5222 ret = xmlTextReaderRead(reader);
5226 current_output = NULL;
5227 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5230 xmlXPathFreeObject(xpathObj);
5235 status =
KsmImportZone(zone_name, policy_id, 0, &new_zone, current_signconf, current_input, current_output);
5238 printf(
"Error Importing zone %s; it already exists both with and without a trailing dot\n", zone_name);
5240 printf(
"Error Importing Zone %s\n", zone_name);
5243 ret = xmlTextReaderRead(reader);
5248 if (new_zone == 1) {
5249 printf(
"Added zone %s to database\n", zone_name);
5263 printf(
"Error: unable to find a zone named \"%s\" in database\n", zone_name);
5264 printf(
"Error: Possibly two domains differ only by having a trailing dot or not?\n");
5270 zone_ids[i] = temp_id;
5283 ret = xmlTextReaderRead(reader);
5286 xmlFreeTextReader(reader);
5288 printf(
"%s : failed to parse\n", zone_list_filename);
5291 printf(
"Unable to open %s\n", zone_list_filename);
5307 if (file_zone_count == db_zone_count) {
5312 else if (file_zone_count > db_zone_count) {
5313 printf(
"Failed to add all zones from zonelist\n");
5329 while (status == 0) {
5330 DbInt(row, 0, &temp_id);
5332 DbInt(row, 2, &policy_id);
5335 for (i = 0; i < db_zone_count; ++i) {
5336 if (temp_id == zone_ids[i]) {
5342 if (seen_zone == 0) {
5345 printf(
"Removing zone %s from database\n", zone_name);
5347 status =
KsmParameterInit(&result2,
"zones_share_keys",
"keys", policy_id);
5371 if ((shared.
value == 1 && temp_count == 1) || shared.
value == 0) {
5374 printf(
"Error: failed to mark keys as dead in database\n");
5408 int SetParamOnPolicy(
const xmlChar* new_value,
const char* name,
const char* category,
int current_value,
int policy_id,
int value_type)
5412 char* temp_char = (
char *)new_value;
5416 if (strlen(temp_char) != 0) {
5419 printf(
"Error: unable to convert interval %s to seconds, error: %i\n", temp_char, status);
5423 else if (status == -1) {
5424 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n", temp_char);
5433 if (strncmp(temp_char,
"Y", 1) == 0) {
5443 printf(
"Error: unable to find repository %s\n", temp_char);
5453 printf(
"Error: unable to find serial type %s\n", temp_char);
5463 printf(
"Error: unable to find rollover scheme %s\n", temp_char);
5472 printf(
"Error: unable to convert %s to int\n", temp_char);
5482 if (value != current_value || current_value == 0) {
5485 printf(
"Error: unable to insert/update %s for policy\n", name);
5486 printf(
"Error: Is your database schema up to date?\n");
5492 if (strncmp(name,
"saltlength", 10) == 0) {
5495 printf(
"Error: unable to insert/update %s for policy\n", name);
5496 printf(
"Error: Is your database schema up to date?\n");
5507 if (policy == NULL) {
5508 printf(
"Error, no policy provided");
5545 policy->
ksk->
sm = 0;
5557 policy->
zsk->
sm = 0;
5594 if((from = fopen( orig_file,
"rb"))==NULL) {
5595 if (errno == ENOENT) {
5596 printf(
"File %s does not exist, nothing to backup\n", orig_file);
5600 printf(
"Cannot open source file.\n");
5606 if((to = fopen(backup_file,
"wb"))==NULL) {
5607 printf(
"Cannot open destination file, will not make backup.\n");
5613 while(!feof(from)) {
5616 printf(
"Error reading source file.\n");
5621 if(!feof(from)) fputc(ch, to);
5623 printf(
"Error writing destination file.\n");
5630 if(fclose(from)==EOF) {
5631 printf(
"Error closing source file.\n");
5636 if(fclose(to)==EOF) {
5637 printf(
"Error closing destination file.\n");
5655 get_db_details(
char** dbschema,
char** host,
char** port,
char** user,
char** password)
5660 xmlXPathContextPtr xpathCtx;
5661 xmlXPathObjectPtr xpathObj;
5662 xmlRelaxNGParserCtxtPtr rngpctx;
5663 xmlRelaxNGValidCtxtPtr rngctx;
5664 xmlRelaxNGPtr schema;
5665 xmlChar *litexpr = (
unsigned char*)
"//Configuration/Enforcer/Datastore/SQLite";
5666 xmlChar *mysql_host = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Host";
5667 xmlChar *mysql_port = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Host/@port";
5668 xmlChar *mysql_db = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Database";
5669 xmlChar *mysql_user = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Username";
5670 xmlChar *mysql_pass = (
unsigned char*)
"//Configuration/Enforcer/Datastore/MySQL/Password";
5674 char* temp_char = NULL;
5677 const char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/conf.rng";
5680 doc = xmlParseFile(
config);
5682 printf(
"Error: unable to parse file \"%s\"\n",
config);
5687 rngdoc = xmlParseFile(rngfilename);
5688 if (rngdoc == NULL) {
5689 printf(
"Error: unable to parse file \"%s\"\n", rngfilename);
5695 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
5697 if (rngpctx == NULL) {
5698 printf(
"Error: unable to create XML RelaxNGs parser context\n");
5704 schema = xmlRelaxNGParse(rngpctx);
5705 xmlRelaxNGFreeParserCtxt(rngpctx);
5706 if (schema == NULL) {
5707 printf(
"Error: unable to parse a schema definition resource\n");
5713 rngctx = xmlRelaxNGNewValidCtxt(schema);
5714 if (rngctx == NULL) {
5715 printf(
"Error: unable to create RelaxNGs validation context based on the schema\n");
5716 xmlRelaxNGFree(schema);
5722 status = xmlRelaxNGValidateDoc(rngctx,doc);
5723 xmlRelaxNGFreeValidCtxt(rngctx);
5724 xmlRelaxNGFree(schema);
5726 printf(
"Error validating file \"%s\"\n",
config);
5733 xpathCtx = xmlXPathNewContext(doc);
5734 if(xpathCtx == NULL) {
5735 printf(
"Error: unable to create new XPath context\n");
5741 xpathObj = xmlXPathEvalExpression(litexpr, xpathCtx);
5742 if(xpathObj == NULL) {
5743 printf(
"Error: unable to evaluate xpath expression: %s\n", litexpr);
5744 xmlXPathFreeContext(xpathCtx);
5748 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5750 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5754 fprintf(stderr,
"SQLite database set to: %s\n", *dbschema);
5757 xmlXPathFreeObject(xpathObj);
5759 if (db_found == 0) {
5764 xpathObj = xmlXPathEvalExpression(mysql_host, xpathCtx);
5765 if(xpathObj == NULL) {
5766 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_host);
5767 xmlXPathFreeContext(xpathCtx);
5771 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5772 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5776 fprintf(stderr,
"MySQL database host set to: %s\n", *host);
5779 xmlXPathFreeObject(xpathObj);
5782 xpathObj = xmlXPathEvalExpression(mysql_port, xpathCtx);
5783 if(xpathObj == NULL) {
5784 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_port);
5785 xmlXPathFreeContext(xpathCtx);
5789 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5790 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5794 fprintf(stderr,
"MySQL database port set to: %s\n", *port);
5797 xmlXPathFreeObject(xpathObj);
5800 xpathObj = xmlXPathEvalExpression(mysql_db, xpathCtx);
5801 if(xpathObj == NULL) {
5802 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_db);
5803 xmlXPathFreeContext(xpathCtx);
5807 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5808 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5812 fprintf(stderr,
"MySQL database schema set to: %s\n", *dbschema);
5817 xmlXPathFreeObject(xpathObj);
5820 xpathObj = xmlXPathEvalExpression(mysql_user, xpathCtx);
5821 if(xpathObj == NULL) {
5822 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_user);
5823 xmlXPathFreeContext(xpathCtx);
5827 if(xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
5828 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5832 fprintf(stderr,
"MySQL database user set to: %s\n", *user);
5837 xmlXPathFreeObject(xpathObj);
5840 xpathObj = xmlXPathEvalExpression(mysql_pass, xpathCtx);
5841 if(xpathObj == NULL) {
5842 printf(
"Error: unable to evaluate xpath expression: %s\n", mysql_pass);
5843 xmlXPathFreeContext(xpathCtx);
5848 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5851 xmlXPathFreeObject(xpathObj);
5854 fprintf(stderr,
"MySQL database password set\n");
5859 xmlXPathFreeContext(xpathCtx);
5864 printf(
"Error: unable to find complete database connection expression\n");
5870 printf(
"Error: database in config file does not match libksm\n");
5884 xmlTextReaderPtr reader = NULL;
5885 xmlDocPtr doc = NULL;
5886 xmlXPathContextPtr xpathCtx = NULL;
5887 xmlXPathObjectPtr xpathObj = NULL;
5889 char* temp_char = NULL;
5890 char* tag_name = NULL;
5892 xmlChar *zonelist_expr = (
unsigned char*)
"//Common/ZoneListFile";
5895 reader = xmlNewTextReaderFilename(
config);
5896 if (reader != NULL) {
5897 ret = xmlTextReaderRead(reader);
5899 tag_name = (
char*) xmlTextReaderLocalName(reader);
5901 if (strncmp(tag_name,
"Common", 6) == 0
5902 && xmlTextReaderNodeType(reader) == 1) {
5905 xmlTextReaderExpand(reader);
5906 doc = xmlTextReaderCurrentDoc(reader);
5908 printf(
"Error: can not read Common section\n");
5910 ret = xmlTextReaderRead(reader);
5914 xpathCtx = xmlXPathNewContext(doc);
5915 if(xpathCtx == NULL) {
5916 printf(
"Error: can not create XPath context for Common section\n");
5918 ret = xmlTextReaderRead(reader);
5923 xpathObj = xmlXPathEvalExpression(zonelist_expr, xpathCtx);
5924 if(xpathObj == NULL) {
5925 printf(
"Error: unable to evaluate xpath expression: %s\n", zonelist_expr);
5927 ret = xmlTextReaderRead(reader);
5930 *zone_list_filename = NULL;
5931 temp_char = (
char *)xmlXPathCastToString(xpathObj);
5932 xmlXPathFreeObject(xpathObj);
5933 StrAppend(zone_list_filename, temp_char);
5935 printf(
"zonelist filename set to %s.\n", *zone_list_filename);
5938 ret = xmlTextReaderRead(reader);
5941 xmlFreeTextReader(reader);
5943 printf(
"%s : failed to parse\n",
config);
5947 printf(
"Unable to open %s\n",
config);
5951 xmlXPathFreeContext(xpathCtx);
5961 const char *zone_name,
5962 const char *policy_name,
5963 const char *sig_conf_name,
5964 const char *input_name,
5965 const char *output_name)
5969 xmlNodePtr newzonenode;
5970 xmlNodePtr newadaptnode;
5971 xmlNodePtr newinputnode;
5972 xmlNodePtr newoutputnode;
5973 doc = xmlParseFile(docname);
5975 fprintf(stderr,
"Document not parsed successfully. \n");
5978 cur = xmlDocGetRootElement(doc);
5980 fprintf(stderr,
"empty document\n");
5984 if (xmlStrcmp(cur->name, (
const xmlChar *)
"ZoneList")) {
5985 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
5989 newzonenode = xmlNewTextChild(cur, NULL, (
const xmlChar *)
"Zone", NULL);
5990 (void) xmlNewProp(newzonenode, (
const xmlChar *)
"name", (
const xmlChar *)zone_name);
5992 (void) xmlNewTextChild (newzonenode, NULL, (
const xmlChar *)
"Policy", (
const xmlChar *)policy_name);
5994 (void) xmlNewTextChild (newzonenode, NULL, (
const xmlChar *)
"SignerConfiguration", (
const xmlChar *)sig_conf_name);
5996 newadaptnode = xmlNewChild (newzonenode, NULL, (
const xmlChar *)
"Adapters", NULL);
5998 newinputnode = xmlNewChild (newadaptnode, NULL, (
const xmlChar *)
"Input", NULL);
6000 (void) xmlNewTextChild (newinputnode, NULL, (
const xmlChar *)
"File", (
const xmlChar *)input_name);
6002 newoutputnode = xmlNewChild (newadaptnode, NULL, (
const xmlChar *)
"Output", NULL);
6004 (void) xmlNewTextChild (newoutputnode, NULL, (
const xmlChar *)
"File", (
const xmlChar *)output_name);
6010 const char *zone_name)
6016 doc = xmlParseFile(docname);
6018 fprintf(stderr,
"Document not parsed successfully. \n");
6021 root = xmlDocGetRootElement(doc);
6023 fprintf(stderr,
"empty document\n");
6027 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
6028 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
6034 if (all_flag == 1) {
6035 cur = root->children;
6041 cur = root->children;
6047 for(cur = root->children; cur != NULL; cur = cur->next)
6050 if (xmlStrcmp( xmlGetProp(cur, (xmlChar *)
"name"), (
const xmlChar *) zone_name) == 0)
6054 cur = root->children;
6069 xmlChar *polChar = NULL;
6070 xmlChar *propChar = NULL;
6076 doc = xmlParseFile(docname);
6078 fprintf(stderr,
"Document not parsed successfully. \n");
6081 root = xmlDocGetRootElement(doc);
6083 fprintf(stderr,
"empty document\n");
6087 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
6088 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
6094 for(cur = root->children; cur != NULL; cur = cur->next)
6096 if (xmlStrcmp( cur->name, (
const xmlChar *)
"Zone") == 0) {
6097 propChar = xmlGetProp(cur, (xmlChar *)
"name");
6098 printf(
"Found Zone: %s", propChar);
6104 printf(
" (zone not in database)");
6107 zone_ids[i] = temp_id;
6112 for(pol = cur->children; pol != NULL; pol = pol->next)
6114 if (xmlStrcmp( pol->name, (
const xmlChar *)
"Policy") == 0)
6116 polChar = xmlNodeGetContent(pol);
6117 printf(
"; on policy %s\n", polChar);
6136 xmlNodePtr policy_node;
6137 xmlNodePtr signatures_node;
6138 xmlNodePtr validity_node;
6139 xmlNodePtr denial_node;
6140 xmlNodePtr nsec_node;
6141 xmlNodePtr hash_node;
6142 xmlNodePtr salt_node;
6143 xmlNodePtr keys_node;
6144 xmlNodePtr ksk_node;
6145 xmlNodePtr ksk_alg_node;
6146 xmlNodePtr zsk_node;
6147 xmlNodePtr zsk_alg_node;
6148 xmlNodePtr zone_node;
6149 xmlNodePtr zone_soa_node;
6150 xmlNodePtr parent_node;
6151 xmlNodePtr parent_ds_node;
6152 xmlNodePtr parent_soa_node;
6156 root = xmlDocGetRootElement(doc);
6158 fprintf(stderr,
"empty document\n");
6161 if (xmlStrcmp(root->name, (
const xmlChar *)
"KASP")) {
6162 fprintf(stderr,
"document of the wrong type, root node != %s",
"KASP");
6166 policy_node = xmlNewTextChild(root, NULL, (
const xmlChar *)
"Policy", NULL);
6167 (void) xmlNewProp(policy_node, (
const xmlChar *)
"name", (
const xmlChar *)policy->
name);
6168 (void) xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Description", (
const xmlChar *)policy->
description);
6171 signatures_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Signatures", NULL);
6173 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Resign", (
const xmlChar *)temp_time);
6175 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Refresh", (
const xmlChar *)temp_time);
6176 validity_node = xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Validity", NULL);
6178 (void) xmlNewTextChild(validity_node, NULL, (
const xmlChar *)
"Default", (
const xmlChar *)temp_time);
6180 (void) xmlNewTextChild(validity_node, NULL, (
const xmlChar *)
"Denial", (
const xmlChar *)temp_time);
6181 snprintf(temp_time, 32,
"PT%dS", policy->
signer->
jitter);
6182 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"Jitter", (
const xmlChar *)temp_time);
6184 (void) xmlNewTextChild(signatures_node, NULL, (
const xmlChar *)
"InceptionOffset", (
const xmlChar *)temp_time);
6187 denial_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Denial", NULL);
6190 (void) xmlNewTextChild(denial_node, NULL, (
const xmlChar *)
"NSEC", NULL);
6194 nsec_node = xmlNewTextChild(denial_node, NULL, (
const xmlChar *)
"NSEC3", NULL);
6196 snprintf(temp_time, 32,
"PT%dS", policy->
denial->
ttl);
6197 (void) xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6201 (void) xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"OptOut", NULL);
6203 snprintf(temp_time, 32,
"PT%dS", policy->
denial->
resalt);
6204 (void) xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"Resalt", (
const xmlChar *)temp_time);
6205 hash_node = xmlNewTextChild(nsec_node, NULL, (
const xmlChar *)
"Hash", NULL);
6207 (void) xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
6209 (void) xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Iterations", (
const xmlChar *)temp_time);
6211 salt_node = xmlNewTextChild(hash_node, NULL, (
const xmlChar *)
"Salt", NULL);
6212 (void) xmlNewProp(salt_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
6216 keys_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Keys", NULL);
6217 snprintf(temp_time, 32,
"PT%dS", policy->
keys->
ttl);
6218 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6220 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"RetireSafety", (
const xmlChar *)temp_time);
6222 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"PublishSafety", (
const xmlChar *)temp_time);
6225 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"ShareKeys", NULL);
6228 snprintf(temp_time, 32,
"PT%dS", policy->
keys->
purge);
6229 (void) xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"Purge", (
const xmlChar *)temp_time);
6233 ksk_node = xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"KSK", NULL);
6235 ksk_alg_node = xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
6236 snprintf(temp_time, 32,
"%d", policy->
ksk->
bits);
6237 (void) xmlNewProp(ksk_alg_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
6238 snprintf(temp_time, 32,
"PT%dS", policy->
ksk->
lifetime);
6239 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Lifetime", (
const xmlChar *)temp_time);
6240 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Repository", (
const xmlChar *)policy->
ksk->
sm_name);
6242 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"Standby", (
const xmlChar *)temp_time);
6245 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"ManualRollover", NULL);
6249 (void) xmlNewTextChild(ksk_node, NULL, (
const xmlChar *)
"RFC5011", NULL);
6257 zsk_node = xmlNewTextChild(keys_node, NULL, (
const xmlChar *)
"ZSK", NULL);
6259 zsk_alg_node = xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Algorithm", (
const xmlChar *)temp_time);
6260 snprintf(temp_time, 32,
"%d", policy->
zsk->
bits);
6261 (void) xmlNewProp(zsk_alg_node, (
const xmlChar *)
"length", (
const xmlChar *)temp_time);
6262 snprintf(temp_time, 32,
"PT%dS", policy->
zsk->
lifetime);
6263 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Lifetime", (
const xmlChar *)temp_time);
6264 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Repository", (
const xmlChar *)policy->
zsk->
sm_name);
6266 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"Standby", (
const xmlChar *)temp_time);
6269 (void) xmlNewTextChild(zsk_node, NULL, (
const xmlChar *)
"ManualRollover", NULL);
6273 zone_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Zone", NULL);
6275 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"PropagationDelay", (
const xmlChar *)temp_time);
6276 zone_soa_node = xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"SOA", NULL);
6277 snprintf(temp_time, 32,
"PT%dS", policy->
zone->
soa_ttl);
6278 (void) xmlNewTextChild(zone_soa_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6279 snprintf(temp_time, 32,
"PT%dS", policy->
zone->
soa_min);
6280 (void) xmlNewTextChild(zone_soa_node, NULL, (
const xmlChar *)
"Minimum", (
const xmlChar *)temp_time);
6284 parent_node = xmlNewTextChild(policy_node, NULL, (
const xmlChar *)
"Parent", NULL);
6286 (void) xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"PropagationDelay", (
const xmlChar *)temp_time);
6287 parent_ds_node = xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"DS", NULL);
6288 snprintf(temp_time, 32,
"PT%dS", policy->
parent->
ds_ttl);
6289 (void) xmlNewTextChild(parent_ds_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6290 parent_soa_node = xmlNewTextChild(parent_node, NULL, (
const xmlChar *)
"SOA", NULL);
6292 (void) xmlNewTextChild(parent_soa_node, NULL, (
const xmlChar *)
"TTL", (
const xmlChar *)temp_time);
6294 (void) xmlNewTextChild(parent_soa_node, NULL, (
const xmlChar *)
"Minimum", (
const xmlChar *)temp_time);
6297 if (strncmp(policy->
audit,
"NULL", 4) != 0) {
6298 (void) xmlNewChild(policy_node, NULL, (
const xmlChar *)
"Audit", NULL);
6308 const char *policy_name)
6314 doc = xmlParseFile(docname);
6316 fprintf(stderr,
"Document not parsed successfully. \n");
6319 root = xmlDocGetRootElement(doc);
6321 fprintf(stderr,
"empty document\n");
6325 if (xmlStrcmp(root->name, (
const xmlChar *)
"KASP")) {
6326 fprintf(stderr,
"document of the wrong type, root node != %s",
"KASP");
6333 for(cur = root->children; cur != NULL; cur = cur->next)
6336 if (xmlStrcmp( xmlGetProp(cur, (xmlChar *)
"name"), (
const xmlChar *) policy_name) == 0)
6340 cur = root->children;
6356 fprintf(stdout,
"KSK:");
6360 fprintf(stdout,
"ZSK:");
6362 fprintf(stdout,
" %s Retired\n", key_data->
location);
6374 fprintf(stderr,
"%s\n", format);
6401 char* temp_zone = NULL;
6404 char* temp_ready = NULL;
6405 char* temp_active = NULL;
6406 char* temp_retire = NULL;
6407 char* temp_dead = NULL;
6408 char* temp_loc = NULL;
6409 char* temp_hsm = NULL;
6413 hsm_key_t *key = NULL;
6414 ldns_rr *dnskey_rr = NULL;
6415 hsm_sign_params_t *sign_params = NULL;
6419 status = hsm_open(
config, hsm_prompt_pin, NULL);
6421 hsm_print_error(NULL);
6427 StrAppend(&sql,
"select z.name, k.keytype, k.state, k.ready, k.active, k.retire, k.dead, k.location, s.name, k.algorithm from securitymodules s, zones z, KEYDATA_VIEW k where z.id = k.zone_id and s.id = k.securitymodule_id and state != 6 and zone_id is not null ");
6428 if (zone_id != -1) {
6441 if (verbose_flag == 1) {
6442 printf(
"Zone: Keytype: State: Date of next transition: CKA_ID: Repository: Keytag:\n");
6445 printf(
"Zone: Keytype: State: Date of next transition:\n");
6447 while (status == 0) {
6450 DbInt(row, 1, &temp_type);
6451 DbInt(row, 2, &temp_state);
6458 DbInt(row, 9, &temp_alg);
6470 printf(
"%-31s %-13s %-9s %-26s", temp_zone, (temp_type ==
KSM_TYPE_KSK) ?
"KSK" :
"ZSK",
KsmKeywordStateValueToName(temp_state), (temp_retire == NULL) ?
"(not scheduled)" : temp_retire);
6482 printf(
"%-31s %-13s %-9s %-26s", temp_zone,
"KSK",
KsmKeywordStateValueToName(temp_state), (temp_ready == NULL) ?
"(not scheduled)" : temp_ready);
6490 printf(
"%-31s %-13s %-9s %-26s", temp_zone,
"KSK",
KsmKeywordStateValueToName(temp_state), (temp_active == NULL) ?
"(not scheduled)" : temp_active);
6494 if (done_row == 1 && verbose_flag == 1) {
6495 key = hsm_find_key_by_id(NULL, temp_loc);
6497 printf(
"%-33s %s NOT IN repository\n", temp_loc, temp_hsm);
6499 sign_params = hsm_sign_params_new();
6500 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, temp_zone);
6501 sign_params->algorithm = temp_alg;
6502 sign_params->flags = LDNS_KEY_ZONE_KEY;
6504 sign_params->flags += LDNS_KEY_SEP_KEY;
6506 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
6507 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
6509 printf(
"%-33s %-33s %d\n", temp_loc, temp_hsm, sign_params->keytag);
6511 hsm_sign_params_free(sign_params);
6515 else if (done_row == 1) {
6542 if (dnskey_rr != NULL) {
6543 ldns_rr_free(dnskey_rr);
6585 char* temp_loc = NULL;
6588 int done_something = 0;
6591 hsm_key_t *key = NULL;
6593 if ((zone_id == -1 && policy_id == -1) ||
6594 (zone_id != -1 && policy_id != -1)){
6595 printf(
"Please provide either a zone OR a policy to key purge\n");
6601 status = hsm_open(
config, hsm_prompt_pin, NULL);
6603 hsm_print_error(NULL);
6608 StrAppend(&sql,
"select distinct id, location from KEYDATA_VIEW where state = 6 ");
6609 if (zone_id != -1) {
6614 if (policy_id != -1) {
6625 while (status == 0) {
6627 DbInt(row, 0, &temp_id);
6684 key = hsm_find_key_by_id(NULL, temp_loc);
6687 printf(
"Key not found: %s\n", temp_loc);
6694 status = hsm_remove_key(NULL, key);
6699 printf(
"Key remove successful.\n");
6701 printf(
"Key remove failed.\n");
6722 if (done_something == 0) {
6723 printf(
"No keys to purge.\n");
6743 hsm_ctx_t *ctx = NULL;
6748 hsm_key_t *key = NULL;
6749 char *hsm_error_message = NULL;
6751 int ksks_needed = 0;
6752 int zsks_needed = 0;
6753 int keys_in_queue = 0;
6755 unsigned int current_count = 0;
6761 int ksks_created = 0;
6765 FILE* lock_fd = NULL;
6770 printf(
"Failed to connect to database\n");
6776 if (policy == NULL) {
6777 printf(
"Malloc for policy struct failed\n");
6783 printf(
"Please provide a policy name with the --policy option\n");
6789 printf(
"Please provide an interval with the --interval option\n");
6802 printf(
"Error: unable to read policy %s from database\n",
o_policy);
6808 printf(
"Error: policy %s doesn't exist in database\n",
o_policy);
6815 printf(
"Key sharing is On\n");
6817 printf(
"Key sharing is Off\n");
6822 printf(
"Error: unable to convert Interval %s to seconds, error: ",
o_interval);
6825 printf(
"invalid interval-type.\n");
6828 printf(
"unable to translate string.\n");
6831 printf(
"interval too long to be an int. E.g. Maximum is ~68 years on a system with 32-bit integers.\n");
6834 printf(
"invalid pointers or text string NULL.\n");
6837 printf(
"unknown\n");
6843 else if (status == -1) {
6844 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n",
o_interval);
6848 status = hsm_open(
config, hsm_prompt_pin, NULL);
6850 hsm_error_message = hsm_get_error(ctx);
6851 if (hsm_error_message) {
6852 printf(
"%s\n", hsm_error_message);
6853 free(hsm_error_message);
6859 printf(
"hsm_open() result: HSM error\n");
6861 case HSM_PIN_INCORRECT:
6862 printf(
"hsm_open() result: incorrect PIN\n");
6864 case HSM_CONFIG_FILE_ERROR:
6865 printf(
"hsm_open() result: config file error\n");
6867 case HSM_REPOSITORY_NOT_FOUND:
6868 printf(
"hsm_open() result: repository not found\n");
6870 case HSM_NO_REPOSITORIES:
6871 printf(
"hsm_open() result: no repositories\n");
6874 printf(
"hsm_open() result: %d", status);
6881 printf(
"HSM opened successfully.\n");
6882 ctx = hsm_create_context();
6887 if (rightnow == NULL) {
6888 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
6909 printf(
"Could not count zones on policy %s\n", policy->
name);
6912 hsm_destroy_context(ctx);
6918 printf(
"Info: %d zone(s) found on policy \"%s\"\n", zone_count, policy->
name);
6927 printf(
"Error: Unable to convert zonetotal \"%s\"; to an integer\n",
o_zonetotal);
6934 printf(
"Error: zonetotal \"%s\"; should be numeric only\n",
o_zonetotal);
6941 if (zone_count < 1) {
6942 printf(
"Error: zonetotal parameter value of %d is invalid - the value must be greater than 0\n", zone_count);
6948 printf(
"Info: Keys will actually be generated for a total of %d zone(s) as specified by zone total parameter\n", zone_count);
6952 if (zone_count == 0) {
6953 printf(
"No zones on policy %s, skipping...\n", policy->
name);
6956 hsm_destroy_context(ctx);
6967 printf(
"Could not predict ksk requirement for next interval for %s\n", policy->
name);
6976 printf(
"Could not count current ksk numbers for policy %s\n", policy->
name);
6983 new_keys = ksks_needed - keys_in_queue;
6988 current_count = hsm_count_keys_repository(ctx, policy->
ksk->
sm_name);
6990 printf(
"Repository %s is full, cannot create more KSKs for policy %s\n", policy->
ksk->
sm_name, policy->
name);
6994 printf(
"Repository %s is nearly full, will create %lu KSKs for policy %s (reduced from %d)\n", policy->
ksk->
sm_name, policy->
ksk->
sm_capacity - current_count, policy->
name, new_keys);
6999 if (new_keys <= 0 ) {
7000 printf(
"No new KSKs need to be created.\n");
7003 printf(
"%d new KSK(s) (%d bits) need to be created.\n", new_keys, policy->
ksk->
bits);
7007 for (i=new_keys ; i > 0 ; i--){
7008 if (hsm_supported_algorithm(policy->
ksk->
algorithm) == 0) {
7013 printf(
"Created key in repository %s\n", policy->
ksk->
sm_name);
7016 printf(
"Error creating key in repository %s\n", policy->
ksk->
sm_name);
7017 hsm_error_message = hsm_get_error(ctx);
7018 if (hsm_error_message) {
7019 printf(
"%s\n", hsm_error_message);
7020 free(hsm_error_message);
7027 id = hsm_get_key_id(ctx, key);
7031 printf(
"Error creating key in Database\n");
7032 hsm_error_message = hsm_get_error(ctx);
7033 if (hsm_error_message) {
7034 printf(
"%s\n", hsm_error_message);
7035 free(hsm_error_message);
7042 printf(
"Created KSK size: %i, alg: %i with id: %s in repository: %s and database.\n", policy->
ksk->
bits,
7046 printf(
"Key algorithm %d unsupported by libhsm.\n", policy->
ksk->
algorithm);
7053 ksks_created = new_keys;
7063 printf(
"Could not predict zsk requirement for next interval for %s\n", policy->
name);
7069 printf(
"Could not count current zsk numbers for policy %s\n", policy->
name);
7076 keys_in_queue -= ksks_needed;
7079 new_keys = zsks_needed - keys_in_queue;
7084 current_count = hsm_count_keys_repository(ctx, policy->
zsk->
sm_name);
7086 printf(
"Repository %s is full, cannot create more ZSKs for policy %s\n", policy->
zsk->
sm_name, policy->
name);
7090 printf(
"Repository %s is nearly full, will create %lu ZSKs for policy %s (reduced from %d)\n", policy->
zsk->
sm_name, policy->
zsk->
sm_capacity - current_count, policy->
name, new_keys);
7095 if (new_keys <= 0 ) {
7097 printf(
"No new ZSKs need to be created.\n");
7100 printf(
"%d new ZSK(s) (%d bits) need to be created.\n", new_keys, policy->
zsk->
bits);
7104 for (i = new_keys ; i > 0 ; i--) {
7105 if (hsm_supported_algorithm(policy->
zsk->
algorithm) == 0) {
7110 printf(
"Created key in repository %s\n", policy->
zsk->
sm_name);
7113 printf(
"Error creating key in repository %s\n", policy->
zsk->
sm_name);
7114 hsm_error_message = hsm_get_error(ctx);
7115 if (hsm_error_message) {
7116 printf(
"%s\n", hsm_error_message);
7117 free(hsm_error_message);
7124 id = hsm_get_key_id(ctx, key);
7128 printf(
"Error creating key in Database\n");
7129 hsm_error_message = hsm_get_error(ctx);
7130 if (hsm_error_message) {
7131 printf(
"%s\n", hsm_error_message);
7132 free(hsm_error_message);
7139 printf(
"Created ZSK size: %i, alg: %i with id: %s in repository: %s and database.\n", policy->
zsk->
bits,
7143 printf(
"Key algorithm %d unsupported by libhsm.\n", policy->
zsk->
algorithm);
7154 printf(
"NOTE: keys generated in repository %s will not become active until they have been backed up\n", policy->
ksk->
sm_name);
7157 printf(
"NOTE: keys generated in repository %s will not become active until they have been backed up\n", policy->
zsk->
sm_name);
7164 hsm_destroy_context(ctx);
7166 status = hsm_close();
7167 printf(
"all done! hsm_close result: %d\n", status);
7181 struct stat stat_ret;
7185 xmlDocPtr doc = NULL;
7186 xmlDocPtr rngdoc = NULL;
7187 xmlXPathContextPtr xpathCtx = NULL;
7188 xmlXPathObjectPtr xpathObj = NULL;
7189 xmlRelaxNGParserCtxtPtr rngpctx = NULL;
7190 xmlRelaxNGValidCtxtPtr rngctx = NULL;
7191 xmlRelaxNGPtr schema = NULL;
7192 xmlChar *user_expr = (
unsigned char*)
"//Configuration/Enforcer/Privileges/User";
7193 xmlChar *group_expr = (
unsigned char*)
"//Configuration/Enforcer/Privileges/Group";
7195 char* filename = OPENDNSSEC_CONFIG_FILE;
7196 char* rngfilename = OPENDNSSEC_SCHEMA_DIR
"/conf.rng";
7197 char* temp_char = NULL;
7204 char *username = NULL;
7205 char *groupname = NULL;
7207 printf(
"fixing permissions on file %s\n", dbschema);
7209 if (geteuid() != 0) {
7214 if (stat(dbschema, &stat_ret) != 0) {
7215 printf(
"cannot stat file %s: %s", dbschema, strerror(errno));
7221 doc = xmlParseFile(filename);
7223 printf(
"Error: unable to parse file \"%s\"", filename);
7228 rngdoc = xmlParseFile(rngfilename);
7229 if (rngdoc == NULL) {
7230 printf(
"Error: unable to parse file \"%s\"", rngfilename);
7235 rngpctx = xmlRelaxNGNewDocParserCtxt(rngdoc);
7236 if (rngpctx == NULL) {
7237 printf(
"Error: unable to create XML RelaxNGs parser context");
7242 schema = xmlRelaxNGParse(rngpctx);
7243 if (schema == NULL) {
7244 printf(
"Error: unable to parse a schema definition resource");
7249 rngctx = xmlRelaxNGNewValidCtxt(schema);
7250 if (rngctx == NULL) {
7251 printf(
"Error: unable to create RelaxNGs validation context based on the schema");
7256 status = xmlRelaxNGValidateDoc(rngctx,doc);
7258 printf(
"Error validating file \"%s\"", filename);
7264 xpathCtx = xmlXPathNewContext(doc);
7265 if(xpathCtx == NULL) {
7266 printf(
"Error: unable to create new XPath context");
7272 xpathObj = xmlXPathEvalExpression(group_expr, xpathCtx);
7273 if(xpathObj == NULL) {
7274 printf(
"Error: unable to evaluate xpath expression: %s", group_expr);
7275 xmlXPathFreeContext(xpathCtx);
7279 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
7280 temp_char = (
char*) xmlXPathCastToString(xpathObj);
7283 xmlXPathFreeObject(xpathObj);
7289 xpathObj = xmlXPathEvalExpression(user_expr, xpathCtx);
7290 if(xpathObj == NULL) {
7291 printf(
"Error: unable to evaluate xpath expression: %s", user_expr);
7292 xmlXPathFreeContext(xpathCtx);
7296 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
7297 temp_char = (
char*) xmlXPathCastToString(xpathObj);
7300 xmlXPathFreeObject(xpathObj);
7306 xmlXPathFreeContext(xpathCtx);
7307 xmlRelaxNGFree(schema);
7308 xmlRelaxNGFreeValidCtxt(rngctx);
7309 xmlRelaxNGFreeParserCtxt(rngpctx);
7314 if (username != NULL) {
7316 if ((pwd = getpwnam(username)) == NULL) {
7317 printf(
"user '%s' does not exist. cannot chown %s...\n", username, dbschema);
7326 if ((grp = getgrnam(groupname)) == NULL) {
7327 printf(
"group '%s' does not exist. cannot chown %s...\n", groupname, dbschema);
7336 if (chown(dbschema, uid, gid) == -1) {
7337 printf(
"cannot chown(%u,%u) %s: %s",
7338 (
unsigned) uid, (
unsigned) gid, dbschema, strerror(errno));
7347 if (chown(temp_char, uid, gid) == -1) {
7348 printf(
"cannot chown(%u,%u) %s: %s",
7349 (
unsigned) uid, (
unsigned) gid, temp_char, strerror(errno));
7391 int CountKeys(
int *zone_id,
int keytag,
const char *cka_id,
int *key_count,
char **temp_cka_id,
int *temp_key_state,
int *temp_keypair_id)
7404 int temp_zone_id = 0;
7405 char* temp_loc = NULL;
7408 int temp_keypair = 0;
7413 hsm_key_t *key = NULL;
7414 ldns_rr *dnskey_rr = NULL;
7415 hsm_sign_params_t *sign_params = NULL;
7418 status = hsm_open(
config, hsm_prompt_pin, NULL);
7420 hsm_print_error(NULL);
7425 nchar = snprintf(buffer,
sizeof(buffer),
"(%d, %d, %d)",
7427 if (nchar >=
sizeof(buffer)) {
7428 printf(
"Error: Overran buffer in CountKeys\n");
7434 StrAppend(&sql,
"select k.zone_id, k.location, k.algorithm, k.state, k.id from KEYDATA_VIEW k where state in ");
7436 StrAppend(&sql,
" and zone_id is not null and k.keytype = 257");
7438 if (*zone_id != -1) {
7443 if (cka_id != NULL) {
7461 while (status == 0) {
7463 DbInt(row, 0, &temp_zone_id);
7465 DbInt(row, 2, &temp_alg);
7466 DbInt(row, 3, &temp_state);
7467 DbInt(row, 4, &temp_keypair);
7471 if (keytag == -1 && cka_id == NULL)
7473 *temp_key_state = temp_state;
7476 key = hsm_find_key_by_id(NULL, temp_loc);
7478 printf(
"cka_id %-33s in DB but NOT IN repository\n", temp_loc);
7479 }
else if (keytag != -1) {
7480 sign_params = hsm_sign_params_new();
7481 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME,
"temp_zone");
7482 sign_params->algorithm = temp_alg;
7483 sign_params->flags = LDNS_KEY_ZONE_KEY;
7484 sign_params->flags += LDNS_KEY_SEP_KEY;
7486 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
7487 sign_params->keytag = ldns_calc_keytag(dnskey_rr);
7490 if (keytag == sign_params->keytag) {
7493 *temp_cka_id = NULL;
7495 *zone_id = temp_zone_id;
7496 *temp_key_state = temp_state;
7497 *temp_keypair_id = temp_keypair;
7498 printf(
"Found key with CKA_ID %s\n", temp_loc);
7501 hsm_sign_params_free(sign_params);
7503 if (key && cka_id != NULL && strncmp(cka_id, temp_loc, strlen(temp_loc)) == 0) {
7505 if (done_row == 0) {
7507 *temp_cka_id = NULL;
7509 *zone_id = temp_zone_id;
7510 *temp_key_state = temp_state;
7511 *temp_keypair_id = temp_keypair;
7512 printf(
"Found key with CKA_ID %s\n", temp_loc);
7532 *key_count = temp_count;
7539 if (dnskey_rr != NULL) {
7540 ldns_rr_free(dnskey_rr);
7575 int MarkDSSeen(
int keypair_id,
int zone_id,
int policy_id,
const char *datetime,
int key_state)
7594 printf(
"Error: failed to read policy\n");
7615 nchar = snprintf(buffer,
sizeof(buffer),
7616 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
7618 nchar = snprintf(buffer,
sizeof(buffer),
7619 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
7622 if (nchar >=
sizeof(buffer)) {
7624 printf(
"Error: failed to create SQL statement\n");
7646 nchar = snprintf(buffer,
sizeof(buffer),
7647 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
7649 nchar = snprintf(buffer,
sizeof(buffer),
7650 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
7653 if (nchar >=
sizeof(buffer)) {
7655 printf(
"Error: failed to create SQL statement\n");
7717 char* where_clause = NULL;
7733 printf(
"Error: failed to read policy\n");
7749 StrAppend(&where_clause,
"select id from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
7751 StrAppend(&where_clause,
" and retire = (select min(retire) from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
7760 printf(
"Error: failed to find ID of key to retire\n");
7769 nchar = snprintf(buffer,
sizeof(buffer),
7770 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
7772 nchar = snprintf(buffer,
sizeof(buffer),
7773 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
7776 if (nchar >=
sizeof(buffer)) {
7778 printf(
"Error: failed to create SQL statement\n");
7846 if (zone_id != -1) {
7855 printf(
"Error in CountKeysInState\n");
7892 int ChangeKeyState(
int keytype,
const char *cka_id,
int zone_id,
int policy_id,
const char *datetime,
int keystate)
7921 printf(
"Error: failed to read policy\n");
7929 if (zone_id != -1) {
7948 keyids =
MemMalloc(count *
sizeof(
int));
7955 if (zone_id != -1) {
7964 while (status == 0) {
7965 status =
KsmKey(result, &data);
7996 for (j = 0; j < i; ++j) {
8000 snprintf(buffer,
sizeof(buffer),
"%d", keyids[j]);
8023 nchar = snprintf(buffer,
sizeof(buffer),
8024 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
8026 nchar = snprintf(buffer,
sizeof(buffer),
8027 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
8030 if (nchar >=
sizeof(buffer)) {
8032 printf(
"Error: failed to create SQL statement\n");
8043 if (zone_id != -1) {
8061 nchar = snprintf(buffer,
sizeof(buffer),
8062 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
8064 nchar = snprintf(buffer,
sizeof(buffer),
8065 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
8068 if (nchar >=
sizeof(buffer)) {
8070 printf(
"Error: failed to create SQL statement\n");
8081 if (zone_id != -1) {
8092 nchar = snprintf(buffer,
sizeof(buffer),
8093 "DATE_ADD('%s', INTERVAL %d SECOND) ", datetime, deltat);
8095 nchar = snprintf(buffer,
sizeof(buffer),
8096 "DATETIME('%s', '+%d SECONDS') ", datetime, deltat);
8099 if (nchar >=
sizeof(buffer)) {
8101 printf(
"Error: failed to create SQL statement\n");
8112 if (zone_id != -1) {
8147 static int restart_enforcerd()
8151 return system(ODS_EN_NOTIFY);
8163 xmlDocPtr doc = NULL;
8164 xmlXPathContextPtr xpathCtx = NULL;
8165 xmlXPathObjectPtr xpathObj = NULL;
8166 char* temp_char = NULL;
8168 xmlChar *iv_expr = (
unsigned char*)
"//Configuration/Enforcer/Interval";
8169 xmlChar *mk_expr = (
unsigned char*)
"//Configuration/Enforcer/ManualKeyGeneration";
8172 doc = xmlParseFile(
config);
8174 printf(
"Error: unable to parse file \"%s\"\n",
config);
8179 xpathCtx = xmlXPathNewContext(doc);
8180 if(xpathCtx == NULL) {
8181 printf(
"Error: unable to create new XPath context\n");
8187 xpathObj = xmlXPathEvalExpression(iv_expr, xpathCtx);
8188 if(xpathObj == NULL) {
8189 printf(
"Error: unable to evaluate xpath expression: %s", iv_expr);
8190 xmlXPathFreeContext(xpathCtx);
8195 temp_char = (
char *)xmlXPathCastToString(xpathObj);
8198 printf(
"Error: unable to convert Interval %s to seconds, error: %i\n", temp_char, status);
8202 else if (status == -1) {
8203 printf(
"Info: converting %s to seconds; M interpreted as 31 days, Y interpreted as 365 days\n", temp_char);
8207 xmlXPathFreeObject(xpathObj);
8210 xpathObj = xmlXPathEvalExpression(mk_expr, xpathCtx);
8211 if(xpathObj == NULL) {
8212 printf(
"Error: unable to evaluate xpath expression: %s\n", mk_expr);
8213 xmlXPathFreeContext(xpathCtx);
8218 if (xpathObj->nodesetval != NULL && xpathObj->nodesetval->nodeNr > 0) {
8226 xmlXPathFreeObject(xpathObj);
8229 xmlXPathFreeContext(xpathCtx);
8269 int man_key_gen = -1;
8280 printf(
"Failed to Link Keys to zone\n");
8290 if (policy == NULL) {
8291 printf(
"Malloc for policy struct failed\n");
8301 printf(
"Error: unable to read policy %s from database\n",
o_policy);
8306 printf(
"Error: policy %s doesn't exist in database\n",
o_policy);
8314 printf(
"Error allocating zsks to zone %s", zone_name);
8320 printf(
"Error allocating ksks to zone %s", zone_name);
8362 int keys_needed = 0;
8363 int keys_in_queue = 0;
8364 int keys_pending_retirement = 0;
8366 int key_pair_id = 0;
8373 if (datetime == NULL) {
8374 printf(
"Couldn't turn \"now\" into a date, quitting...");
8378 if (policy == NULL) {
8379 printf(
"NULL policy sent to allocateKeysToZone");
8385 printf(
"Unknown keytype: %i in allocateKeysToZone", key_type);
8399 status =
KsmKeyPredict(policy->
id, key_type, 1, interval, &keys_needed, rollover_scheme, 1);
8401 printf(
"Could not predict key requirement for next interval for %s", zone_name);
8409 printf(
"Could not count current key numbers for zone %s", zone_name);
8417 printf(
"Could not count keys which may retire before the next run (for zone %s)", zone_name);
8423 new_keys = keys_needed - (keys_in_queue - keys_pending_retirement);
8428 for (i=0 ; i < new_keys ; i++){
8432 if (status == -1 || key_pair_id == 0) {
8433 if (man_key_gen == 0) {
8434 printf(
"Not enough keys to satisfy ksk policy for zone: %s", zone_name);
8435 printf(
"ods-enforcerd will create some more keys on its next run");
8438 printf(
"Not enough keys to satisfy ksk policy for zone: %s", zone_name);
8439 printf(
"please use \"ods-ksmutil key generate\" to create some more keys.");
8443 else if (status != 0) {
8444 printf(
"Could not get an unallocated ksk for zone: %s", zone_name);
8449 if (status == -1 || key_pair_id == 0) {
8450 if (man_key_gen == 0) {
8451 printf(
"Not enough keys to satisfy zsk policy for zone: %s", zone_name);
8452 printf(
"ods-enforcerd will create some more keys on its next run");
8455 printf(
"Not enough keys to satisfy zsk policy for zone: %s", zone_name);
8456 printf(
"please use \"ods-ksmutil key generate\" to create some more keys.");
8460 else if (status != 0) {
8461 printf(
"Could not get an unallocated zsk for zone: %s", zone_name);
8465 if(key_pair_id > 0) {
8470 printf(
"KsmKeyGetUnallocated returned bad key_id %d for zone: %s; exiting...", key_pair_id, zone_name);
8498 int keyRoll(
int zone_id,
int policy_id,
int key_type)
8511 int temp_zone_id = -1;
8517 char* insql1 = NULL;
8518 char* insql2 = NULL;
8524 if (datetime == NULL) {
8525 printf(
"Couldn't turn \"now\" into a date, quitting...\n");
8533 if (zone_id != -1) {
8536 if (policy_id != -1) {
8540 if (key_type != -1) {
8549 while (status == 0) {
8551 DbInt(row, 0, &temp_id);
8552 DbInt(row, 1, &temp_type);
8556 DusSetInt(&sql1,
"compromisedflag", 1, 1);
8617 size = snprintf(sql2,
KSM_SQL_SIZE,
"select zone_id from dnsseckeys where retire = \"%s\" and keypair_id = %d", datetime, temp_id);
8621 while (status == 0) {
8623 DbInt(row2, 0, &temp_zone_id);
8628 snprintf(buffer,
sizeof(buffer),
"%d", temp_zone_id);
8651 while (status == 0) {
8653 DbInt(row2, 0, &temp_zone_id);
8658 snprintf(buffer,
sizeof(buffer),
"%d", temp_zone_id);
8680 printf(
"Couldn't construct SQL to promote standby key\n");
8743 else if (status == -1) {}
8758 xmlNodePtr zone_node;
8759 xmlNodePtr adapters_node;
8760 xmlNodePtr input_node;
8761 xmlNodePtr output_node;
8763 root = xmlDocGetRootElement(doc);
8765 fprintf(stderr,
"empty document\n");
8768 if (xmlStrcmp(root->name, (
const xmlChar *)
"ZoneList")) {
8769 fprintf(stderr,
"document of the wrong type, root node != %s",
"ZoneList");
8773 zone_node = xmlNewTextChild(root, NULL, (
const xmlChar *)
"Zone", NULL);
8774 (void) xmlNewProp(zone_node, (
const xmlChar *)
"name", (
const xmlChar *)zone->
name);
8777 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"Policy", (
const xmlChar *)zone->
policy_name);
8780 (void) xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"SignerConfiguration", (
const xmlChar *)zone->
signconf);
8783 adapters_node = xmlNewTextChild(zone_node, NULL, (
const xmlChar *)
"Adapters", NULL);
8785 input_node = xmlNewTextChild(adapters_node, NULL, (
const xmlChar *)
"Input", NULL);
8786 (void) xmlNewTextChild(input_node, NULL, (
const xmlChar *)
"File", (
const xmlChar *)zone->
input);
8788 output_node = xmlNewTextChild(adapters_node, NULL, (
const xmlChar *)
"Output", NULL);
8789 (void) xmlNewTextChild(output_node, NULL, (
const xmlChar *)
"File", (
const xmlChar *)zone->
output);
8800 size_t len = strlen(
string);
8803 for (i = 0; i < len; ++i) {
8804 if (
string[i] ==
'\'') {
8809 buffer[j++] =
string[i];
8813 return ( (j <= buflen) ? 0 : 1);
8818 char* signconf = NULL;
8819 char* moved_signconf = NULL;
8820 char* zone_name = NULL;
8824 xmlDocPtr doc = NULL;
8826 xmlXPathContextPtr xpathCtx = NULL;
8827 xmlXPathObjectPtr xpathObj = NULL;
8829 xmlChar *node_expr = (
unsigned char*)
"//Zone";
8831 doc = xmlParseFile(zonelist_filename);
8833 printf(
"Error: unable to parse file \"%s\"\n", zonelist_filename);
8837 xpathCtx = xmlXPathNewContext(doc);
8838 if(xpathCtx == NULL) {
8844 xpathObj = xmlXPathEvalExpression(node_expr, xpathCtx);
8845 if(xpathObj == NULL) {
8846 xmlXPathFreeContext(xpathCtx);
8851 if (xpathObj->nodesetval) {
8852 for (i = 0; i < xpathObj->nodesetval->nodeNr; i++) {
8854 curNode = xpathObj->nodesetval->nodeTab[i]->xmlChildrenNode;
8855 zone_name = (
char *) xmlGetProp(xpathObj->nodesetval->nodeTab[i], (
const xmlChar *)
"name");
8857 if (all_flag || (strlen(zone_name) == strlen(o_zone) &&
8858 strncmp(zone_name, o_zone, strlen(zone_name)) == 0)) {
8862 if (xmlStrEqual(curNode->name, (
const xmlChar *)
"SignerConfiguration")) {
8863 StrAppend(&signconf, (
char *) xmlNodeGetContent(curNode));
8865 StrAppend(&moved_signconf,
".ZONE_DELETED");
8867 status = rename(signconf, moved_signconf);
8868 if (status != 0 && errno != ENOENT)
8871 printf(
"Could not rename: %s -> %s", signconf, moved_signconf);
8882 curNode = curNode->next;
void DbFreeResult(DB_RESULT result)
int KsmCheckHSMkeyID(int repo_id, const char *cka_id, int *exists)
int main(int argc, char *argv[])
int KsmPolicyInit(DB_RESULT *handle, const char *name)
char name[KSM_NAME_LENGTH]
unsigned long sm_capacity
char name[KSM_ZONE_NAME_LENGTH]
int KsmZoneIdAndPolicyFromName(const char *zone_name, int *policy_id, int *zone_id)
void SetPolicyDefaults(KSM_POLICY *policy, char *name)
int StrIsDigits(const char *string)
void DusConditionKeyword(char **query, const char *field, DQS_COMPARISON compare, const char *value, int clause)
char signconf[KSM_PATH_LENGTH]
int DbFetchRow(DB_RESULT result, DB_ROW *row)
int KsmPolicy(DB_RESULT handle, KSM_POLICY *data)
char * DqsSpecifyInit(const char *table, const char *fields)
char location[KSM_NAME_LENGTH]
void list_zone_node(const char *docname, int *zone_ids)
int KsmKeywordTypeNameToValue(const char *name)
void usage_policyimport()
int db_connect(DB_HANDLE *dbhandle, FILE **lock_fd, int backup)
int KsmMarkPreBackup(int repo_id, const char *datetime)
int get_conf_key_info(int *interval, int *man_key_gen)
int KsmKeyCountQueue(int keytype, int *count, int zone_id)
KSM_POLICY * KsmPolicyAlloc()
#define KSM_PAR_ZSKTTL_CAT
int KsmParameter(DB_RESULT result, KSM_PARAMETER *data)
KSM_COMMON_KEY_POLICY * keys
xmlDocPtr add_zone_node(const char *docname, const char *zone_name, const char *policy_name, const char *sig_conf_name, const char *input_name, const char *output_name)
int KsmZoneInit(DB_RESULT *handle, int policy_id)
int KsmParameterCollection(KSM_PARCOLL *data, int policy_id)
int CountKeys(int *zone_id, int keytag, const char *cka_id, int *key_count, char **temp_cka_id, int *temp_key_state, int *temp_keypair_id)
int KsmSerialIdFromName(const char *name, int *id)
int get_db_details(char **dbschema, char **host, char **port, char **user, char **password)
int SetParamOnPolicy(const xmlChar *new_value, const char *name, const char *category, int current_value, int policy_id, int value_type)
char retire[KSM_TIME_LENGTH]
int KsmPolicySetIdFromName(KSM_POLICY *policy)
void DqsConditionKeyword(char **query, const char *field, DQS_COMPARISON compare, const char *value, int index)
int KsmImportAudit(int policy_id, const char *audit_contents)
void db_disconnect(FILE *lock_fd)
int KsmKeyPairCreate(int policy_id, const char *HSMKeyID, int smID, int size, int alg, const char *generate, DB_ID *id)
int KsmZone(DB_RESULT handle, KSM_ZONE *data)
int KsmKeywordRollNameToValue(const char *name)
void DqsOrderBy(char **query, const char *field)
int KsmZoneCount(DB_RESULT handle, int *count)
char sm_name[KSM_NAME_LENGTH]
int MsgLog(int status,...)
int KsmRollbackMarkPreBackup(int repo_id)
int read_filenames(char **zone_list_filename, char **kasp_filename)
int KsmPolicyRead(KSM_POLICY *policy)
int get_policy_name_from_id(KSM_ZONE *zone)
int cmd_control(char *command)
int ShellQuoteString(const char *string, char *buffer, size_t buflen)
void usage_policyexport()
void DusSetInt(char **sql, const char *field, int data, int clause)
void DqsFree(char *query)
#define KSM_STATE_KEYPUBLISH
void DdsFree(char *query)
int KsmImportZone(const char *zone_name, int policy_id, int fail_if_exists, int *new_zone, const char *signconf, const char *input, const char *output)
void DusConditionInt(char **query, const char *field, DQS_COMPARISON compare, int value, int clause)
int read_zonelist_filename(const char *filename, char **zone_list_filename)
const char * KsmKeywordStateValueToName(int value)
char * DqsCountInit(const char *table)
int append_policy(xmlDocPtr doc, KSM_POLICY *policy)
int KsmPolicyIdFromName(const char *name, int *id)
int DbString(DB_ROW row, int field_index, char **result)
#define KSM_PAR_DSTTL_CAT
int KsmSmIdFromName(const char *name, int *id)
char * StrStrdup(const char *string)
void DqsConditionInt(char **query, const char *field, DQS_COMPARISON compare, int value, int index)
void DdsConditionInt(char **query, const char *field, DQS_COMPARISON compare, int value, int index)
#define KSM_PAR_ZSKTTL_STRING
int LinkKeys(const char *zone_name, int policy_id)
int KsmPolicyIdFromZoneId(int zone_id, int *policy_id)
int printKey(void *context, KSM_KEYDATA *key_data)
char * DdsInit(const char *table)
int DtGeneral(const char *string, struct tm *datetime)
char * DtParseDateTimeString(const char *string)
#define KSM_STATE_DSPUBLISH
KSM_PARENT_POLICY * parent
char output[KSM_PATH_LENGTH]
KSM_DENIAL_POLICY * denial
int KsmZoneIdFromName(const char *zone_name, int *zone_id)
int KsmParameterValue(const char *name, const char *category, int *value, int policy_id, int *parameter_id)
int KsmKeyInitSql(DB_RESULT *result, const char *sql)
int KsmCollectionInit(KSM_PARCOLL *data)
#define DB_KEYDATA_FIELDS
int ChangeKeyState(int keytype, const char *cka_id, int zone_id, int policy_id, const char *datetime, int key_state)
const char * DbErrmsg(DB_HANDLE handle)
int KsmImportPolicy(const char *policy_name, const char *policy_description)
char policy_name[KSM_NAME_LENGTH]
void KsmPolicyFree(KSM_POLICY *policy)
void DbFreeRow(DB_ROW row)
int KsmKey(DB_RESULT result, KSM_KEYDATA *data)
void MsgRegister(int min, int max, const char **message, MSG_OUTPUT_FUNCTION output)
KSM_SIGNER_POLICY * signer
size_t StrToLower(char *text)
int update_zones(char *zone_list_filename)
int cmd_update(const char *qualifier)
char input[KSM_PATH_LENGTH]
int DbDisconnect(DB_HANDLE dbhandle)
int update_repositories()
#define KSM_POLICY_AUDIT_LENGTH
int KsmKeyPredict(int policy_id, int keytype, int shared_keys, int interval, int *count, int rollover_scheme, int zone_count)
int KsmMarkKeysAsDead(int zone_id)
const char * KsmKeywordSerialValueToName(int value)
int KsmDnssecKeyCreate(int zone_id, int keypair_id, int keytype, int state, const char *time, const char *retTime, DB_ID *id)
int KsmPolicyNullSaltStamp(int policy_id)
int DbExecuteSql(DB_HANDLE handle, const char *stmt_str, DB_RESULT *result)
#define KSM_POLICY_DESC_LENGTH
int release_lite_lock(FILE *lock_fd)
void ksm_log_msg(const char *format)
int DbStringBuffer(DB_ROW row, int field_index, char *buffer, size_t buflen)
void StrAppend(char **str1, const char *str2)
int StrStrtoi(const char *string, int *value)
int fix_file_perms(const char *dbschema)
int DbIntQuery(DB_HANDLE handle, int *value, const char *query)
void usage_keykskretire()
xmlDocPtr del_zone_node(const char *docname, const char *zone_name)
#define KSM_PAR_KSKTTL_CAT
#define KSM_STATE_PUBLISH
#define KSM_PAR_DSTTL_STRING
int KsmDeleteZone(int zone_id)
int RetireOldKey(int zone_id, int policy_id, const char *datetime)
int KsmZoneNameFromId(int zone_id, char **zone_name)
int backup_file(const char *orig_file, const char *backup_file)
char * DusInit(const char *table)
#define DEFAULT_LOG_FACILITY
void KsmParameterEnd(DB_RESULT result)
int KsmImportKeyPair(int policy_id, const char *HSMKeyID, int smID, int size, int alg, int state, const char *time, int fixDate, DB_ID *id)
int cmd_backup(const char *qualifier)
int KsmKeyGetUnallocated(int policy_id, int sm, int bits, int algorithm, int zone_id, int share_keys, int *keypair_id)
int PurgeKeys(int zone_id, int policy_id)
int keyRoll(int zone_id, int policy_id, int key_type)
int KsmParameterInit(DB_RESULT *result, const char *name, const char *category, int policy_id)
int get_lite_lock(char *lock_filename, FILE *lock_fd)
int rename_signconf(const char *zonelist_filename, const char *o_zone)
int KsmPolicyExists(const char *name)
int allocateKeysToZone(KSM_POLICY *policy, int key_type, int zone_id, uint16_t interval, const char *zone_name, int man_key_gen, int rollover_scheme)
int ListKeys(int zone_id)
int append_zone(xmlDocPtr doc, KSM_ZONE *zone)
#define KSM_PAR_KSKTTL_STRING
int KsmRequestPendingRetireCount(int keytype, const char *datetime, KSM_PARCOLL *parameters, int *count, int zone_id, int interval)
int KsmZoneCountInit(DB_RESULT *handle, int id)
void DdsEnd(char **query)
int KsmParameterSet(const char *name, const char *category, int value, int policy_id)
KSM_ENFORCER_POLICY * enforcer
int CountKeysInState(int keytype, int keystate, int *count, int zone_id)
int KsmImportRepository(const char *repo_name, const char *repo_capacity, int require_backup)
int KsmKeywordAlgorithmNameToValue(const char *name)
int DbInt(DB_ROW row, int field_index, int *value)
void * MemMalloc(size_t size)
int KsmListBackups(int repo_id, int verbose_flag)
#define KSM_STATE_DSREADY
int MarkDSSeen(int keypair_id, int zone_id, int policy_id, const char *datetime, int key_state)
int DtXMLIntervalSeconds(const char *text, int *interval)
size_t StrToUpper(char *text)
void KsmKeyEnd(DB_RESULT result)
int KsmMarkBackup(int repo_id, const char *datetime)
#define KSM_STATE_GENERATE
void DusSetString(char **sql, const char *field, const char *data, int clause)
void DqsEnd(char **query)
int DbBeginTransaction(void)
int DbExecuteSqlNoResult(DB_HANDLE handle, const char *stmt_str)
void DqsConditionString(char **query, const char *field, DQS_COMPARISON compare, const char *value, int index)
int KsmListRollovers(int zone_id)
int KsmKeyCountStillGood(int policy_id, int sm, int bits, int algorithm, int interval, const char *datetime, int *count, int keytype)
KSM_SIGNATURE_POLICY * signature
int update_policies(char *kasp_filename)
xmlDocPtr del_policy_node(const char *docname, const char *policy_name)
int DbConnect(DB_HANDLE *dbhandle, const char *database,...)
void DbStringFree(char *string)