Commit 94d9db8f authored by Daniel Salzman's avatar Daniel Salzman

Merge branch 'keymgr-fixes' into 'master'

Keymgr:  various fixes

See merge request !779
parents 3cc593c5 988e4e99
......@@ -86,12 +86,12 @@ Imports a BIND\-style key into KASP database (converting it to PEM format).
Takes one argument: path to BIND key file (private or public, but both MUST exist).
.TP
\fBimport\-pem\fP \fIPEM_file\fP [\fIarguments\fP\&...]
Imports a DNSSEC key from PEM file. The key parameters (same as for generate action) need to be
specified (mostly algorithm, timers...) because they are not contained in the PEM format.
Imports a DNSSEC key from PEM file. The key parameters (same as for the generate action) need to be
specified (mainly algorithm, timers...) because they are not contained in the PEM format.
.TP
\fBset\fP \fIkey_spec\fP [\fIarguments\fP\&...]
Changes a timing argument of an existing key to new timestamp. \fIKey_spec\fP is either the
key tag or a prefix of key ID; \fIarguments\fP are like for \fBgenerate\fP, but just
Changes a timing argument of an existing key to a new timestamp. \fIKey_spec\fP is either the
key tag or a prefix of the key ID; \fIarguments\fP are like for \fBgenerate\fP, but just the
timing\-related ones.
.TP
\fBds\fP [\fIkey_spec\fP]
......@@ -121,7 +121,7 @@ Either an algorithm number (e.g. 14), or text name without dashes (e.g. ECDSAP38
Key length in bits.
.TP
\fBksk\fP
Either \(aqtrue\(aq (KSK will be generated) or \(aqfalse\(aq (ZSK wil be generated).
Either \(aqtrue\(aq (KSK will be generated) or \(aqfalse\(aq (ZSK will be generated).
.TP
\fBcreated\fP
Timestamp of key creation.
......
......@@ -63,12 +63,12 @@ Commands
Takes one argument: path to BIND key file (private or public, but both MUST exist).
**import-pem** *PEM_file* [*arguments*...]
Imports a DNSSEC key from PEM file. The key parameters (same as for generate action) need to be
specified (mostly algorithm, timers...) because they are not contained in the PEM format.
Imports a DNSSEC key from PEM file. The key parameters (same as for the generate action) need to be
specified (mainly algorithm, timers...) because they are not contained in the PEM format.
**set** *key_spec* [*arguments*...]
Changes a timing argument of an existing key to new timestamp. *Key_spec* is either the
key tag or a prefix of key ID; *arguments* are like for **generate**, but just
Changes a timing argument of an existing key to a new timestamp. *Key_spec* is either the
key tag or a prefix of the key ID; *arguments* are like for **generate**, but just the
timing-related ones.
**ds** [*key_spec*]
......@@ -98,7 +98,7 @@ Arguments are separated by space, each of them is in format 'name=value'.
Key length in bits.
**ksk**
Either 'true' (KSK will be generated) or 'false' (ZSK wil be generated).
Either 'true' (KSK will be generated) or 'false' (ZSK will be generated).
**created**
Timestamp of key creation.
......
......@@ -574,17 +574,8 @@ int keymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **k
return KNOT_EOK;
}
int keymgr_foreign_key_id(int argc, char *argv[], const char *req_action,
knot_dname_t **key_zone, char **key_id)
int keymgr_foreign_key_id(char *argv[], knot_dname_t **key_zone, char **key_id)
{
if (argc < 1) {
printf("Key to %s - zone is not specified.\n", req_action);
return KNOT_EINVAL;
}
if (argc < 2) {
printf("Key to %s is not specified.\n", req_action);
return KNOT_EINVAL;
}
*key_zone = knot_dname_from_str_alloc(argv[0]);
if (*key_zone == NULL) {
return KNOT_ENOMEM;
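Review bot: With the `argc` parameter removed, `keymgr_foreign_key_id` now reads `argv[0]` here and `argv[2]` in the second hunk (line 84) without any bounds check, so its safety rests entirely on every caller having verified `argc >= 3`; the only visible caller does so through `CHECK_MISSING_ARG` (keymgr_main.c, line 172), but that precondition is stated nowhere. More importantly, that caller now passes its own `argv` unshifted (keymgr_main.c, line 176), where `argv[1]` is the action name, so `argv[0]` is presumably the zone `key_command` itself operates on rather than the foreign zone the old `argv + 2` call supplied; if that reading is right, `kasp_db_share_key` is asked to share a key of the target zone into itself, and a key that really belongs to another zone will not be found. I would either take the source zone explicitly (`share <zone_from> <key_spec>`, indexing `argv[2]` and `argv[3]`) or at least document the expected layout above the function, e.g. `/* argv[0]: zone holding the key, argv[2]: key spec; caller guarantees argc >= 3 */`. The function's body continues outside both hunks.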
......@@ -600,7 +591,7 @@ int keymgr_foreign_key_id(int argc, char *argv[], const char *req_action,
return KNOT_ENOZONE;
}
knot_kasp_key_t *key;
ret = keymgr_get_key(&kctx, argv[1], &key);
ret = keymgr_get_key(&kctx, argv[2], &key);
if (ret == KNOT_EOK) {
*key_id = strdup(key->id);
if (*key_id == NULL) {
......
......@@ -26,8 +26,7 @@ int keymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits);
int keymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **key);
int keymgr_foreign_key_id(int argc, char *argv[], const char *req_action,
knot_dname_t **key_zone, char **key_id);
int keymgr_foreign_key_id(char *argv[], knot_dname_t **key_zone, char **key_id);
int keymgr_set_timing(knot_kasp_key_t *key, int argc, char *argv[]);
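Review bot: The new prototype on line 93 drops both the argument count and the action name, which leaves the contract for `argv` implicit even though the definition indexes `argv[0]` and `argv[2]` unchecked (keymgr_functions.c, lines 76 and 84). A short header comment would keep future callers from passing a shorter or shifted vector, e.g. `/*! Look up a key of another zone: argv[0] is that zone's name, argv[2] the key spec; the caller must have verified argc >= 3. On success *key_zone and *key_id are newly allocated and owned by the caller. */`. The ownership part is grounded in the definition (`knot_dname_from_str_alloc`, `strdup`) and in the caller freeing both outputs (keymgr_main.c, lines 180-181).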
......
......@@ -52,8 +52,7 @@ static void print_help(void)
" (syntax: ds <key_spec>)\n"
" dnskey Generate DNSKEY record for specified key.\n"
" (syntax: dnskey <key_spec>)\n"
" share Make an existing key of another zone to be shared with\n"
" the specified zone.\n"
" share Share an existing key of another zone with the specified zone.\n"
" (syntax: share <full_key_ID>\n"
" delete Remove the specified key from zone.\n"
" (syntax: delete <key_spec>)\n"
......@@ -67,7 +66,7 @@ static void print_help(void)
" algorithm The key cryptographic algorithm: either name (e.g. RSASHA256) or\n"
" number.\n"
" size The key size in bits.\n"
" ksk Wheather the generated/imported key shall be Key Signing Key.\n"
" ksk Whether the generated/imported key shall be Key Signing Key.\n"
" created/publish/ready/active/retire/remove The timestamp of the key\n"
" lifetime event (e.g. published=now+1d active=1499770874)\n",
PROGRAM_NAME, PROGRAM_NAME, PROGRAM_NAME);
......@@ -99,32 +98,29 @@ static int key_command(int argc, char *argv[])
ret = kdnssec_ctx_init(conf(), &kctx, zone_name, NULL);
if (ret != KNOT_EOK) {
printf("Failed to initializize KASP (%s)\n", knot_strerror(ret));
printf("Failed to initialize KASP (%s)\n", knot_strerror(ret));
goto main_end;
}
#define CHECK_MISSING_ARG(msg) \
if (argc < 3) { \
printf("%s\n", (msg)); \
ret = KNOT_EINVAL; \
goto main_end; \
}
bool print_ok_on_succes = true;
if (strcmp(argv[1], "generate") == 0) {
ret = keymgr_generate_key(&kctx, argc - 2, argv + 2);
print_ok_on_succes = false;
} else if (strcmp(argv[1], "import-bind") == 0) {
if (argc < 3) {
printf("BIND-style key to import not specified\n");
ret = KNOT_EINVAL;
goto main_end;
}
CHECK_MISSING_ARG("BIND-style key to import not specified");
ret = keymgr_import_bind(&kctx, argv[2]);
} else if (strcmp(argv[1], "import-pem") == 0) {
if (argc < 3) {
printf("PEM file to import not specified\n");
ret = KNOT_EINVAL;
goto main_end;
}
CHECK_MISSING_ARG("PEM file to import not specified");
ret = keymgr_import_pem(&kctx, argv[2], argc - 3, argv + 3);
} else if (strcmp(argv[1], "set") == 0) {
if (argc < 3) {
printf("Key is not specified\n");
ret = KNOT_EINVAL;
goto main_end;
}
CHECK_MISSING_ARG("Key is not specified");
knot_kasp_key_t *key2set;
ret = keymgr_get_key(&kctx, argv[2], &key2set);
if (ret == KNOT_EOK) {
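Review bot: `CHECK_MISSING_ARG` (lines 122-127) expands to a bare `if` statement, so the `;` at each call site (line 138 and the others) is an empty statement and the macro cannot be used safely as the body of an unbraced `if ... else`; the conventional `do { ... } while (0)` wrapper removes both hazards and makes the call-site semicolon meaningful. The same applies to `CHECK_ARGC_THREE` in main (lines 209-214), whose call sites (lines 222, 229, 236, 243) would then need a terminating `;`. The macro also silently depends on the locals `argc` and `ret` and on the label `main_end`, which a one-line comment above it should state. The new flag `print_ok_on_succes` (line 128) is misspelled; `print_ok_on_success` would read better. key_command continues outside the hunk.
```c
/* Requires locals argc and ret and the label main_end; leaves key_command with KNOT_EINVAL. */
#define CHECK_MISSING_ARG(msg) \
	do { \
		if (argc < 3) { \
			printf("%s\n", (msg)); \
			ret = KNOT_EINVAL; \
			goto main_end; \
		} \
	} while (0)
```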
......@@ -135,6 +131,7 @@ static int key_command(int argc, char *argv[])
}
} else if (strcmp(argv[1], "list") == 0) {
ret = keymgr_list_keys(&kctx);
print_ok_on_succes = false;
} else if (strcmp(argv[1], "ds") == 0 || strcmp(argv[1], "dnskey") == 0) {
int (*generate_rr)(const knot_dname_t *, const knot_kasp_key_t *) = keymgr_generate_dnskey;
if (strcmp(argv[1], "ds") == 0) {
......@@ -153,20 +150,19 @@ static int key_command(int argc, char *argv[])
ret = generate_rr(zone_name, key2rr);
}
}
print_ok_on_succes = false;
} else if (strcmp(argv[1], "share") == 0) {
CHECK_MISSING_ARG("Key to be shared is not specified");
knot_dname_t *other_zone = NULL;
char *key_to_share = NULL;
if (keymgr_foreign_key_id(argc - 2, argv + 2, "be shared", &other_zone, &key_to_share) == KNOT_EOK) {
ret = keymgr_foreign_key_id(argv, &other_zone, &key_to_share);
if (ret == KNOT_EOK) {
ret = kasp_db_share_key(*kctx.kasp_db, other_zone, kctx.zone->dname, key_to_share);
}
free(other_zone);
free(key_to_share);
} else if (strcmp(argv[1], "delete") == 0) {
if (argc < 3) {
printf("Key is not specified\n");
ret = KNOT_EINVAL;
goto main_end;
}
CHECK_MISSING_ARG("Key is not specified");
knot_kasp_key_t *key2del;
ret = keymgr_get_key(&kctx, argv[2], &key2del);
if (ret == KNOT_EOK) {
......@@ -177,8 +173,10 @@ static int key_command(int argc, char *argv[])
goto main_end;
}
#undef CHECK_MISSING_ARG
if (ret == KNOT_EOK) {
printf("OK\n");
printf("%s", print_ok_on_succes ? "OK\n" : "");
} else {
printf("Error (%s)\n", knot_strerror(ret));
}
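Review bot: `printf("%s", print_ok_on_succes ? "OK\n" : "")` on line 198 issues a printf of an empty string merely to avoid a branch; `if (print_ok_on_succes) { printf("OK\n"); }` states the intent directly and keeps the `ret == KNOT_EOK` branch as plain as the error branch below it. The rest of key_command, including the flag's definition, lies outside this hunk.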
......@@ -254,11 +252,12 @@ int main(int argc, char *argv[])
if (strlen(argv[1]) == 2 && argv[1][0] == '-') {
#define check_argc_three if (argc < 3) { \
printf("Option %s requires an argument\n", argv[1]); \
print_help(); \
return EXIT_FAILURE; \
}
#define CHECK_ARGC_THREE \
if (argc < 3) { \
printf("Option %s requires an argument\n", argv[1]); \
print_help(); \
return EXIT_FAILURE; \
}
switch (argv[1][1]) {
case 'h':
......@@ -268,25 +267,25 @@ int main(int argc, char *argv[])
print_version(PROGRAM_NAME);
return EXIT_SUCCESS;
case 'd':
check_argc_three
CHECK_ARGC_THREE
if (!init_conf(NULL) || !init_conf_blank(argv[2])) {
return EXIT_FAILURE;
}
break;
case 'c':
check_argc_three
CHECK_ARGC_THREE
if (!init_conf(NULL) || !init_confile(argv[2])) {
return EXIT_FAILURE;
}
break;
case 'C':
check_argc_three
CHECK_ARGC_THREE
if (!init_conf(argv[2])) {
return EXIT_FAILURE;
}
break;
case 't':
check_argc_three
CHECK_ARGC_THREE
int ret = keymgr_generate_tsig(argv[2], (argc >= 4 ? argv[3] : "hmac-sha256"),
(argc >= 5 ? atol(argv[4]) : 0));
if (ret != KNOT_EOK) {
......@@ -299,7 +298,7 @@ int main(int argc, char *argv[])
return EXIT_FAILURE;
}
#undef check_argc_three
#undef CHECK_ARGC_THREE
argpos = 3;
} else {
......