Commit 6fb05ae3 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

keymgr: added import-pem feature

parent 4ef5c6bd
......@@ -86,6 +86,10 @@ from corresponding policy (if \fI\-c\fP or \fI\-C\fP options used) or from Knot
Imports a BIND\-style key into KASP database (converting it to PEM format).
Takes one argument: path to BIND key file (private or public, but both MUST exist).
.TP
\fBimport\-pem\fP \fIPEM_file\fP [\fIarguments\fP\&...]
Imports a DNSSEC key form PEM file. The key parameters (same as for generate action) need to be
specified (mostly algorithm, timers...) because they are not contained in the PEM format.
.TP
\fBset\fP \fIkey_spec\fP [\fIarguments\fP\&...]
Changes a timing argument of an existing key to new timestamp. \fIKey_spec\fP is either the
key tag or a prefix of key ID; \fIarguments\fP are like for \fBgenerate\fP, but just
......
......@@ -63,6 +63,10 @@ Actions
Imports a BIND-style key into KASP database (converting it to PEM format).
Takes one argument: path to BIND key file (private or public, but both MUST exist).
**import-pem** *PEM_file* [*arguments*...]
Imports a DNSSEC key form PEM file. The key parameters (same as for generate action) need to be
specified (mostly algorithm, timers...) because they are not contained in the PEM format.
**set** *key_spec* [*arguments*...]
Changes a timing argument of an existing key to new timestamp. *Key_spec* is either the
key tag or a prefix of key ID; *arguments* are like for **generate**, but just
......
......@@ -21,6 +21,7 @@
#include <string.h>
#include <strings.h>
#include <time.h>
#include <fcntl.h>
#include "contrib/wire_ctx.h"
#include "dnssec/lib/dnssec/error.h"
......@@ -354,6 +355,108 @@ cleanup:
return knot_error_from_libdnssec(ret);
}
int keymgr_import_pem(kdnssec_ctx_t *ctx, const char *import_file, int argc, char *argv[])
{
// parse params
time_t now = time(NULL), infty = 0x0fffffffffffff00LLU;
knot_kasp_key_timing_t gen_timing = { now, now, now, now, infty, infty };
bool isksk = false;
uint16_t keysize = 0;
if (!genkeyargs(argc, argv, false, &isksk, &ctx->policy->algorithm,
&keysize, &gen_timing)) {
return KNOT_EINVAL;
}
// open file
int fd = open(import_file, O_RDONLY, 0);
if (fd == -1) {
close(fd);
return -errno;
}
// determine size
off_t fsize = lseek(fd, 0, SEEK_END);
if (fsize == -1) {
close(fd);
return -errno;
}
if (lseek(fd, 0, SEEK_SET) == -1) {
close(fd);
return -errno;
}
// alloc memory
dnssec_binary_t read_pem = { 0 };
int ret = dnssec_binary_alloc(&read_pem, fsize);
if (ret != DNSSEC_EOK) {
close(fd);
return knot_error_from_libdnssec(ret);
}
// read pem
ssize_t read_count = read(fd, read_pem.data, read_pem.size);
close(fd);
if (read_count == -1) {
dnssec_binary_free(&read_pem);
return -errno;
}
// put pem to kesytore
char *keyid = NULL;
ret = dnssec_keystore_import(ctx->keystore, &read_pem, &keyid);
dnssec_binary_free(&read_pem);
if (ret != DNSSEC_EOK) {
return ret;
}
// create dnssec key
dnssec_key_t *dnskey = NULL;
ret = dnssec_key_new(&dnskey);
if (ret != KNOT_EOK) {
free(keyid);
return ret;
}
ret = dnssec_key_set_dname(dnskey, ctx->zone->dname);
if (ret != KNOT_EOK) {
dnssec_key_free(dnskey);
free(keyid);
return ret;
}
dnssec_key_set_flags(dnskey, dnskey_flags(isksk));
dnssec_key_set_algorithm(dnskey, ctx->policy->algorithm);
// fill key structure from keystore (incl. pubkey from privkey computation)
ret = dnssec_key_import_keystore(dnskey, ctx->keystore, keyid);
if (ret != KNOT_EOK) {
dnssec_key_free(dnskey);
free(keyid);
return ret;
}
// allocate kasp key
knot_kasp_key_t *kkey = calloc(1, sizeof(*kkey));
if (!kkey) {
dnssec_key_free(dnskey);
free(keyid);
return KNOT_ENOMEM;
}
kkey->id = keyid;
kkey->key = dnskey;
kkey->timing = gen_timing;
// append to zone
ret = kasp_zone_append(ctx->zone, kkey);
free(kkey);
if (ret != KNOT_EOK) {
dnssec_key_free(dnskey);
free(keyid);
return ret;
}
ret = kdnssec_ctx_commit(ctx);
return ret;
}
static void print_tsig(dnssec_tsig_algorithm_t mac, const char *name,
const dnssec_binary_t *secret)
{
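Review bot: When open() fails in keymgr_import_pem, the `close(fd)` inside `if (fd == -1)` is executed with fd == -1, and that close(-1) sets errno to EBADF before `return -errno;`, so callers see EBADF instead of the real cause (ENOENT, EACCES); drop that close and keep only `return -errno;`. The read path also accepts a short read: `read_count` is checked only against -1, yet `read_pem` keeps `size = fsize` and is handed to dnssec_keystore_import() with whatever tail was never filled, so the condition should become `if (read_count != fsize)` (returning `-errno` for -1 and a knot error such as KNOT_EMALF otherwise) or the read should loop until fsize bytes arrive; fstat() on the open descriptor would additionally replace the two lseek() calls and remove the window in which the file can change size between sizing and reading. Two smaller points: the error from dnssec_keystore_import() is returned raw (`return ret;` right after `dnssec_binary_free(&read_pem);`) while the earlier alloc failure goes through knot_error_from_libdnssec(), and dnssec_key_new()/dnssec_key_set_dname() results are compared against KNOT_EOK rather than DNSSEC_EOK, which only works if the two error spaces are known to coincide. Finally, `read_pem` holds the private key in plain memory and is released with dnssec_binary_free(); unless that helper is known to wipe the buffer, zeroise it before freeing, and note that `keysize` is parsed by genkeyargs() but never compared with the key actually imported, so a mismatch between the supplied parameters and the PEM contents goes unreported here.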
......
......@@ -20,6 +20,8 @@ int keymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[]);
int keymgr_import_bind(kdnssec_ctx_t *ctx, const char *import_file);
int keymgr_import_pem(kdnssec_ctx_t *ctx, const char *import_file, int argc, char *argv[]);
int keymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits);
int keymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **key);
......
......@@ -46,7 +46,9 @@ static void print_help(void)
" generate Generate new KASP key.\n"
" (syntax: generate <attribute_name>=<value>...)\n"
" import-bind Import BIND-style key file pair (.key + .private).\n"
" (syntax: import_bind <key_file_name>)\n"
" (syntax: import-bind <key_file_name>)\n"
" import-pem Import key in PEM format. Specify its parameters manually.\n"
" (syntax: import-pem <pem_file_path> <attribute_name>=<value>...)\n"
" ds Generate DS record(s) for specified key.\n"
" (syntax: ds <key_spec>)\n"
" share Make an existing key of another zone to be shared with"
......@@ -98,6 +100,13 @@ static int key_command(int argc, char *argv[])
goto main_end;
}
ret = keymgr_import_bind(&kctx, argv[2]);
} else if (strcmp(argv[1], "import-pem") == 0) {
if (argc < 3) {
printf("PEM file to import not specified.\n");
ret = KNOT_EINVAL;
goto main_end;
}
ret = keymgr_import_pem(&kctx, argv[2], argc - 3, argv + 3);
} else if (strcmp(argv[1], "set") == 0) {
if (argc < 3) {
printf("Key is not specified.\n");
......