keymgr: added import-pem feature

doc/man/keymgr.8in

@@ -86,6 +86,10 @@ from corresponding policy (if \fI\-c\fP or \fI\-C\fP options used) or from Knot
 Imports a BIND\-style key into KASP database (converting it to PEM format).
 Takes one argument: path to BIND key file (private or public, but both MUST exist).
 .TP
+\fBimport\-pem\fP \fIPEM_file\fP [\fIarguments\fP\&...]
+Imports a DNSSEC key form PEM file. The key parameters (same as for generate action) need to be
+specified (mostly algorithm, timers...) because they are not contained in the PEM format.
+.TP
 \fBset\fP \fIkey_spec\fP [\fIarguments\fP\&...]
 Changes a timing argument of an existing key to new timestamp. \fIKey_spec\fP is either the
 key tag or a prefix of key ID; \fIarguments\fP are like for \fBgenerate\fP, but just

doc/man_keymgr.rst

@@ -63,6 +63,10 @@ Actions
   Imports a BIND-style key into KASP database (converting it to PEM format).
   Takes one argument: path to BIND key file (private or public, but both MUST exist).
 
+**import-pem** *PEM_file* [*arguments*...]
+  Imports a DNSSEC key form PEM file. The key parameters (same as for generate action) need to be
+  specified (mostly algorithm, timers...) because they are not contained in the PEM format.
+
 **set** *key_spec* [*arguments*...]
   Changes a timing argument of an existing key to new timestamp. *Key_spec* is either the
   key tag or a prefix of key ID; *arguments* are like for **generate**, but just

src/utils/keymgr/functions.c

@@ -21,6 +21,7 @@
 #include <string.h>
 #include <strings.h>
 #include <time.h>
+#include <fcntl.h>
 
 #include "contrib/wire_ctx.h"
 #include "dnssec/lib/dnssec/error.h"
@@ -354,6 +355,108 @@ cleanup:
 	return knot_error_from_libdnssec(ret);
 }
 
+int keymgr_import_pem(kdnssec_ctx_t *ctx, const char *import_file, int argc, char *argv[])
+{
+	// parse params
+	time_t now = time(NULL), infty = 0x0fffffffffffff00LLU;
+	knot_kasp_key_timing_t gen_timing = { now, now, now, now, infty, infty };
+	bool isksk = false;
+	uint16_t keysize = 0;
+	if (!genkeyargs(argc, argv, false, &isksk, &ctx->policy->algorithm,
+			&keysize, &gen_timing)) {
+		return KNOT_EINVAL;
+	}
+
+	// open file
+	int fd = open(import_file, O_RDONLY, 0);
+	if (fd == -1) {
+		close(fd);
+		return -errno;
+	}
+
+	// determine size
+	off_t fsize = lseek(fd, 0, SEEK_END);
+	if (fsize == -1) {
+		close(fd);
+		return -errno;
+	}
+	if (lseek(fd, 0, SEEK_SET) == -1) {
+		close(fd);
+		return -errno;
+	}
+
+	// alloc memory
+	dnssec_binary_t read_pem = { 0 };
+	int ret = dnssec_binary_alloc(&read_pem, fsize);
+	if (ret != DNSSEC_EOK) {
+		close(fd);
+		return knot_error_from_libdnssec(ret);
+	}
+
+	// read pem
+	ssize_t read_count = read(fd, read_pem.data, read_pem.size);
+	close(fd);
+	if (read_count == -1) {
+		dnssec_binary_free(&read_pem);
+		return -errno;
+	}
+
+	// put pem to kesytore
+	char *keyid = NULL;
+	ret = dnssec_keystore_import(ctx->keystore, &read_pem, &keyid);
+	dnssec_binary_free(&read_pem);
+	if (ret != DNSSEC_EOK) {
+		return ret;
+	}
+
+	// create dnssec key
+	dnssec_key_t *dnskey = NULL;
+	ret = dnssec_key_new(&dnskey);
+	if (ret != KNOT_EOK) {
+		free(keyid);
+		return ret;
+	}
+	ret = dnssec_key_set_dname(dnskey, ctx->zone->dname);
+	if (ret != KNOT_EOK) {
+		dnssec_key_free(dnskey);
+		free(keyid);
+		return ret;
+	}
+	dnssec_key_set_flags(dnskey, dnskey_flags(isksk));
+	dnssec_key_set_algorithm(dnskey, ctx->policy->algorithm);
+
+	// fill key structure from keystore (incl. pubkey from privkey computation)
+	ret = dnssec_key_import_keystore(dnskey, ctx->keystore, keyid);
+	if (ret != KNOT_EOK) {
+		dnssec_key_free(dnskey);
+		free(keyid);
+		return ret;
+	}
+
+	// allocate kasp key
+	knot_kasp_key_t *kkey = calloc(1, sizeof(*kkey));
+	if (!kkey) {
+		dnssec_key_free(dnskey);
+		free(keyid);
+		return KNOT_ENOMEM;
+	}
+	kkey->id = keyid;
+	kkey->key = dnskey;
+	kkey->timing = gen_timing;
+
+	// append to zone
+	ret = kasp_zone_append(ctx->zone, kkey);
+	free(kkey);
+	if (ret != KNOT_EOK) {
+		dnssec_key_free(dnskey);
+		free(keyid);
+		return ret;
+	}
+	ret = kdnssec_ctx_commit(ctx);
+
+	return ret;
+}
+
 static void print_tsig(dnssec_tsig_algorithm_t mac, const char *name,
 		       const dnssec_binary_t *secret)
 {

src/utils/keymgr/functions.h

@@ -20,6 +20,8 @@ int keymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[]);
 
 int keymgr_import_bind(kdnssec_ctx_t *ctx, const char *import_file);
 
+int keymgr_import_pem(kdnssec_ctx_t *ctx, const char *import_file, int argc, char *argv[]);
+
 int keymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits);
 
 int keymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **key);

src/utils/keymgr/main.c

@@ -46,7 +46,9 @@ static void print_help(void)
 	       "   generate     Generate new KASP key.\n"
 	       "                (syntax: generate <attribute_name>=<value>...)\n"
 	       "   import-bind  Import BIND-style key file pair (.key + .private).\n"
-	       "                (syntax: import_bind <key_file_name>)\n"
+	       "                (syntax: import-bind <key_file_name>)\n"
+	       "   import-pem   Import key in PEM format. Specify its parameters manually.\n"
+	       "                (syntax: import-pem <pem_file_path> <attribute_name>=<value>...)\n"
 	       "   ds           Generate DS record(s) for specified key.\n"
 	       "                (syntax: ds <key_spec>)\n"
 	       "   share        Make an existing key of another zone to be shared with"
@@ -98,6 +100,13 @@ static int key_command(int argc, char *argv[])
 			goto main_end;
 		}
 		ret = keymgr_import_bind(&kctx, argv[2]);
+	} else if (strcmp(argv[1], "import-pem") == 0) {
+		if (argc < 3) {
+			printf("PEM file to import not specified.\n");
+			ret = KNOT_EINVAL;
+			goto main_end;
+		}
+		ret = keymgr_import_pem(&kctx, argv[2], argc - 3, argv + 3);
 	} else if (strcmp(argv[1], "set") == 0) {
 		if (argc < 3) {
 			printf("Key is not specified.\n");