Merge 'keymgr fixes'

The change set includes some refactoring, many bug fixes, and several
small UI improvements.

doc/man/keymgr.8in

@@ -61,7 +61,7 @@ a name must be unique amongst the other names.
 .TP
 \fB\-\-dir\fP \fIpath\fP
 The location of the KASP database to work with. Defaults to current working
-directory.
+directory or \fBKEYMGR_DIR\fP environment variable (if set).
 .UNINDENT
 .SS Main commands
 .INDENT 0.0
@@ -109,7 +109,7 @@ Change zone configuration. At the moment, only a policy can be changed.
 \fBzone\fP \fBshow\fP \fIzone\-name\fP
 Show zone details.
 .TP
-\fBzone\fP \fBkey\fP \fBlist\fP \fIzone\-name\fP
+\fBzone\fP \fBkey\fP \fBlist\fP \fIzone\-name\fP [\fBfilter\fP]
 List key IDs and tags of zone keys.
 .TP
 \fBzone\fP \fBkey\fP \fBshow\fP \fIzone\-name\fP \fIkey\fP

doc/man_keymgr.rst

@@ -38,7 +38,7 @@ Global options
 
 **--dir** *path*
   The location of the KASP database to work with. Defaults to current working
-  directory.
+  directory or ``KEYMGR_DIR`` environment variable (if set).
 
 Main commands
 .............
@@ -86,7 +86,7 @@ zone commands
 **zone** **show** *zone-name*
   Show zone details.
 
-**zone** **key** **list** *zone-name*
+**zone** **key** **list** *zone-name* [**filter**]
   List key IDs and tags of zone keys.
 
 **zone** **key** **show** *zone-name* *key*

src/dnssec/lib/dnssec/kasp.h

@@ -316,6 +316,13 @@ dnssec_kasp_policy_t *dnssec_kasp_policy_new(const char *name);
  */
 void dnssec_kasp_policy_free(dnssec_kasp_policy_t *policy);
 
+/*!
+ * Validate a KASP policy.
+ *
+ * \param policy  Policy to be validated.
+ */
+int dnssec_kasp_policy_validate(const dnssec_kasp_policy_t *policy);
+
 /*!
  * Set default policy.
  *

src/dnssec/lib/dnssec/key.h

@@ -261,6 +261,14 @@ int dnssec_algorithm_key_size_range(dnssec_key_algorithm_t algorithm,
 bool dnssec_algorithm_key_size_check(dnssec_key_algorithm_t algorithm,
 				     unsigned bits);
 
+/*!
+ * Get default key size for given algorithm.
+ *
+ * The default size is balance between security and response lengths with
+ * respect to use in DNS.
+ */
+int dnssec_algorithm_key_size_default(dnssec_key_algorithm_t algorithm);
+
 /*!
  * DS algorithm numbers.
  *

src/dnssec/lib/kasp/policy.c

@@ -40,42 +40,6 @@ static void clear_policy(dnssec_kasp_policy_t *policy)
 	policy->keystore = keystore;
 }
 
-struct key_size {
-	dnssec_key_algorithm_t algorithm;
-	uint16_t zsk;
-	uint16_t ksk;
-};
-
-static const struct key_size DEFAULT_KEY_SIZES[] = {
-	// DSA: maximum supported by DNSSEC
-	{ DNSSEC_KEY_ALGORITHM_DSA_SHA1,          1024, 1024 },
-	{ DNSSEC_KEY_ALGORITHM_DSA_SHA1_NSEC3,    1024, 1024 },
-	{ DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3,    1024, 1024 },
-	// RSA: small keys for short-lived keys (security/size compromise)
-	{ DNSSEC_KEY_ALGORITHM_RSA_SHA1,          1024, 2048 },
-	{ DNSSEC_KEY_ALGORITHM_RSA_SHA256,        1024, 2048 },
-	{ DNSSEC_KEY_ALGORITHM_RSA_SHA512,        1024, 2048 },
-	// ECDSA: fixed key size
-	{ DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256, 256,  256 },
-	{ DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384, 384,  384 },
-	{ 0 }
-};
-
-static void default_key_size(dnssec_key_algorithm_t algorithm,
-			     uint16_t *zsk_size, uint16_t *ksk_size)
-{
-	for (const struct key_size *ks = DEFAULT_KEY_SIZES; ks->algorithm; ks++) {
-		if (algorithm == ks->algorithm) {
-			*zsk_size = ks->zsk;
-			*ksk_size = ks->ksk;
-			return;
-		}
-	}
-
-	*zsk_size = 0;
-	*ksk_size = 0;
-}
-
 /* -- public API ----------------------------------------------------------- */
 
 _public_
@@ -107,7 +71,8 @@ void dnssec_kasp_policy_defaults(dnssec_kasp_policy_t *policy)
 	clear_policy(policy);
 
 	policy->algorithm = DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256;
-	default_key_size(policy->algorithm, &policy->zsk_size, &policy->ksk_size);
+	policy->zsk_size = dnssec_algorithm_key_size_default(policy->algorithm);
+	policy->ksk_size = dnssec_algorithm_key_size_default(policy->algorithm);
 	policy->dnskey_ttl = 1200;
 
 	policy->zsk_lifetime = DAYS(30);
@@ -131,3 +96,41 @@ void dnssec_kasp_policy_free(dnssec_kasp_policy_t *policy)
 	free(policy->keystore);
 	free(policy);
 }
+
+static bool valid_algorithm(const dnssec_kasp_policy_t *p)
+{
+	return dnssec_algorithm_key_size_check(p->algorithm, p->ksk_size) &&
+	       dnssec_algorithm_key_size_check(p->algorithm, p->zsk_size);
+}
+
+_public_
+int dnssec_kasp_policy_validate(const dnssec_kasp_policy_t *policy)
+{
+	if (!policy) {
+		return DNSSEC_EINVAL;
+	}
+
+	/*
+	 * NOTES:
+	 *
+	 * - Don't check if key store is set.
+	 * - Allow zero TTL for any record.
+	 *
+	 */
+
+	// required parameters
+
+	if (policy->rrsig_lifetime == 0 ||
+	    policy->rrsig_refresh_before == 0
+	) {
+		return DNSSEC_CONFIG_MALFORMED;
+	}
+
+	// signing algorithm constraints
+
+	if (!policy->manual && !valid_algorithm(policy)) {
+		return DNSSEC_INVALID_KEY_SIZE;
+	}
+
+	return DNSSEC_EOK;
+}

src/dnssec/lib/key/algorithm.c

@@ -23,14 +23,67 @@
 
 /* -- internal ------------------------------------------------------------- */
 
-static bool is_dsa(dnssec_key_algorithm_t algorithm)
+struct limits {
+	unsigned min;
+	unsigned max;
+	unsigned def;
+	bool (*validate)(unsigned bits);
+};
+
+static bool dsa_validate(unsigned bits)
 {
+	return (bits % 64 == 0);
+}
+
+static const struct limits *get_limits(dnssec_key_algorithm_t algorithm)
+{
+	static const struct limits DSA = {
+		.min = 512,
+		.max = 1024,
+		.def = 1024,
+		.validate = dsa_validate,
+	};
+
+	static const struct limits RSA = {
+		.min = 512,
+		.max = 4096,
+		.def = 2048,
+	};
+
+	static const struct limits RSA_SHA512 = {
+		.min = 1024,
+		.max = 4096,
+		.def = 2048,
+	};
+
+	static const struct limits EC256 = {
+		.min = 256,
+		.max = 256,
+		.def = 256,
+	};
+
+	static const struct limits EC384 = {
+		.min = 384,
+		.max = 384,
+		.def = 384,
+	};
+
 	switch (algorithm) {
 	case DNSSEC_KEY_ALGORITHM_DSA_SHA1:
 	case DNSSEC_KEY_ALGORITHM_DSA_SHA1_NSEC3:
-		return true;
+		return &DSA;
+	case DNSSEC_KEY_ALGORITHM_RSA_SHA1:
+	case DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3:
+	case DNSSEC_KEY_ALGORITHM_RSA_SHA256:
+		return &RSA;
+	case DNSSEC_KEY_ALGORITHM_RSA_SHA512:
+		return &RSA_SHA512;
+	case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
+		return &EC256;
+	case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
+		return &EC384;
 	default:
-		return false;
+		return NULL;
 	}
 }
 
@@ -65,29 +118,13 @@ int dnssec_algorithm_key_size_range(dnssec_key_algorithm_t algorithm,
 		return DNSSEC_EINVAL;
 	}
 
-	unsigned min = 0;
-	unsigned max = 0;
-
-	switch (algorithm) {
-	case DNSSEC_KEY_ALGORITHM_DSA_SHA1:
-	case DNSSEC_KEY_ALGORITHM_DSA_SHA1_NSEC3:
-		min = 512; max = 1024; break;
-	case DNSSEC_KEY_ALGORITHM_RSA_SHA1:
-	case DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3:
-	case DNSSEC_KEY_ALGORITHM_RSA_SHA256:
-		min = 512; max = 4096; break;
-	case DNSSEC_KEY_ALGORITHM_RSA_SHA512:
-		min = 1024; max = 4096; break;
-	case DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256:
-		min = max = 256; break;
-	case DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384:
-		min = max = 384; break;
-	default:
+	const struct limits *limits = get_limits(algorithm);
+	if (!limits) {
 		return DNSSEC_INVALID_KEY_ALGORITHM;
 	}
 
-	if (min_ptr) { *min_ptr = min; }
-	if (max_ptr) { *max_ptr = max; }
+	*min_ptr = limits->min;
+	*max_ptr = limits->max;
 
 	return DNSSEC_EOK;
 }
@@ -96,21 +133,25 @@ _public_
 bool dnssec_algorithm_key_size_check(dnssec_key_algorithm_t algorithm,
 				     unsigned bits)
 {
-	unsigned min = 0;
-	unsigned max = 0;
-
-	int r = dnssec_algorithm_key_size_range(algorithm, &min, &max);
-	if (r != DNSSEC_EOK) {
+	const struct limits *limits = get_limits(algorithm);
+	if (!limits) {
 		return false;
 	}
 
-	if (bits < min || bits > max) {
+	if (bits < limits->min || bits > limits->max) {
 		return false;
 	}
 
-	if (is_dsa(algorithm)) {
-		return (bits % 64 == 0);
+	if (limits->validate && !limits->validate(bits)) {
+		return false;
 	}
 
 	return true;
 }
+
+_public_
+int dnssec_algorithm_key_size_default(dnssec_key_algorithm_t algorithm)
+{
+	const struct limits *limits = get_limits(algorithm);
+	return limits ? limits->def : 0;
+}

src/dnssec/tests/.gitignore

@@ -8,6 +8,7 @@
 /event_keystate
 /kasp_dir_escape
 /kasp_dir_file
+/kasp_policy
 /kasp_store
 /key
 /key_algorithm

src/dnssec/tests/Makefile.am

@@ -23,6 +23,7 @@ check_PROGRAMS = \
 	event_keystate	\
 	kasp_dir_escape	\
 	kasp_dir_file	\
+	kasp_policy	\
 	kasp_store	\
 	key		\
 	key_algorithm	\

src/dnssec/tests/kasp_policy.c

+/*  Copyright (C) 2016 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <tap/basic.h>
+#include <string.h>
+
+#include "dnssec/error.h"
+#include "dnssec/kasp.h"
+
+static void test_new_policy(void)
+{
+	diag("%s", __func__);
+
+	dnssec_kasp_policy_t *p = NULL;
+
+	p = dnssec_kasp_policy_new(NULL);
+	ok(p != NULL, "create policy without name");
+	if (!p) {
+		dnssec_kasp_policy_free(p);
+	}
+
+	p = dnssec_kasp_policy_new("domestic");
+	ok(p != NULL, "create policy with name");
+	if (!p) {
+		return;
+	}
+
+	ok(strcmp(p->name, "domestic") == 0, "policy name is set");
+	ok(p->algorithm == DNSSEC_KEY_ALGORITHM_INVALID, "no algorithm set");
+	ok(dnssec_kasp_policy_validate(p) != DNSSEC_EOK, "validation fails");
+
+	dnssec_kasp_policy_free(p);
+}
+
+static void test_set_parameters(void)
+{
+	diag("%s", __func__);
+
+	dnssec_kasp_policy_t *p = dnssec_kasp_policy_new("monetary");
+	ok(p != NULL, "create policy");
+	if (!p) {
+		return;
+	}
+
+	ok(dnssec_kasp_policy_validate(p) != DNSSEC_EOK, "validation fails with new policy");
+
+	p->algorithm = DNSSEC_KEY_ALGORITHM_RSA_SHA256;
+	p->ksk_size = 2048;
+	p->zsk_size = 1024;
+	p->rrsig_lifetime = 60;
+	p->rrsig_refresh_before = 50;
+	ok(dnssec_kasp_policy_validate(p) == DNSSEC_EOK, "validation succeeds with valid setting");
+
+	p->algorithm = DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256;
+	ok(dnssec_kasp_policy_validate(p) != DNSSEC_EOK, "validation fails with incorrect key size");
+
+	p->manual = true;
+	ok(dnssec_kasp_policy_validate(p) == DNSSEC_EOK, "validation succeeds in manual mode");
+
+	dnssec_kasp_policy_free(p);
+}
+
+static void test_default_policy(void)
+{
+	diag("%s", __func__);
+
+	dnssec_kasp_policy_t *p = dnssec_kasp_policy_new("environmental");
+	ok(p != NULL, "create policy");
+	if (!p) {
+		return;
+	}
+
+	ok(dnssec_kasp_policy_validate(p) != DNSSEC_EOK, "validation fails with new policy");
+
+	dnssec_kasp_policy_defaults(p);
+	ok(dnssec_kasp_policy_validate(p) == DNSSEC_EOK, "validation succeeds with defaults");
+
+	ok(p->manual == false, "manual mode disabled");
+	ok(p->algorithm == DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256, "algorithm is ECDSAP256SHA256");
+	ok(p->nsec3_enabled == false, "NSEC3 is disabled");
+	ok(p->dnskey_ttl == 1200, "DNSKEY TTL is 1200");
+	ok(p->zsk_lifetime > 0, "ZSK lifetime is set");
+	ok(p->rrsig_lifetime > 0, "RRSIG lifetime is set");
+	ok(p->rrsig_lifetime == p->rrsig_refresh_before * 2, "RRSIG lifetime is double the refresh");
+
+	dnssec_kasp_policy_free(p);
+}
+
+int main(int argc, char *argv[])
+{
+	plan_lazy();
+
+	test_new_policy();
+	test_set_parameters();
+	test_default_policy();
+
+	return 0;
+}

src/dnssec/tests/key_algorithm.c

@@ -29,7 +29,7 @@ static void ok_range(dnssec_key_algorithm_t algo,
 	   "dnssec_algorithm_key_size_range() for %s", name);
 }
 
-void key_check_borders(void)
+static void check_borders(void)
 {
 	dnssec_key_algorithm_t rsa = DNSSEC_KEY_ALGORITHM_RSA_SHA1;
 
@@ -41,27 +41,32 @@ void key_check_borders(void)
 	ok(dnssec_algorithm_key_size_check(rsa, 4097) == false, "rsa 4097");
 }
 
+static void check_defaults(void)
+{
+	is_int(1024, dnssec_algorithm_key_size_default(DNSSEC_KEY_ALGORITHM_DSA_SHA1_NSEC3), "dsa default");
+	is_int(2048, dnssec_algorithm_key_size_default(DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3), "rsa default");
+	is_int(256, dnssec_algorithm_key_size_default(DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256), "ecc default");
+}
+
 int main(void)
 {
 	plan_lazy();
 
-	// default ranges
-
+	// ranges
 	ok_range(DNSSEC_KEY_ALGORITHM_DSA_SHA1, 512, 1024, "DSA/SHA1");
 	ok_range(DNSSEC_KEY_ALGORITHM_RSA_SHA256, 512, 4096, "RSA/SHA256");
 	ok_range(DNSSEC_KEY_ALGORITHM_RSA_SHA512, 1024, 4096, "RSA/SHA512");
 	ok_range(DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384, 384, 384, "ECDSA/SHA384");
 
-	// key check borders
-
-	key_check_borders();
-
-	// special restrictions on DSA
-
+	// special restrictions
 	dnssec_key_algorithm_t dsa = DNSSEC_KEY_ALGORITHM_DSA_SHA1_NSEC3;
 	ok(dnssec_algorithm_key_size_check(dsa, 512), "dsa 512");
 	ok(dnssec_algorithm_key_size_check(dsa, 704), "dsa 704");
 	ok(dnssec_algorithm_key_size_check(dsa, 832), "dsa 832");
 
+	check_borders();
+
+	check_defaults();
+
 	return 0;
 }

src/dnssec/utils/cmdparse/value.c

@@ -20,6 +20,7 @@
 #include "print.h"
 
 #include <assert.h>
+#include <ctype.h>
 #include <errno.h>
 #include <stdbool.h>
 #include <stdint.h>
@@ -95,12 +96,54 @@ int value_string(int argc, char *argv[], const parameter_t *p, void *data)
 		return -1;
 	}
 
+	char *copy = strdup(argv[0]);
+	if (!copy) {
+		error("Allocation failed for '%s'.", p->name);
+		return -1;
+	}
+
+	char **string = data + p->offset;
+	free(*string);
+	*string = copy;
+
+	return 1;
+}
+
+int value_static_string(int argc, char *argv[], const parameter_t *p, void *data)
+{
+	assert(p);
+	assert(data);
+
+	if (argc < 1) {
+		error_missing_option(p);
+		return -1;
+	}
+
 	char **string = data + p->offset;
 	*string = argv[0];
 
 	return 1;
 }
 
+/*!
+ * Skip non-alphanumerc characters and convert to lower case.
+ */
+static void simplify_algorithm_name(char *name)
+{
+	size_t len = strlen(name);
+
+	int ri, wi;
+	for (ri = 0, wi = 0; ri < len; ri++) {
+		int c = name[ri];
+		if (isalnum(c)) {
+			name[wi] = tolower(c);
+			wi += 1;
+		}
+	}
+
+	name[wi] = '\0';
+}
+
 int value_algorithm(int argc, char *argv[], const parameter_t *p, void *data)
 {
 	assert(p);
@@ -129,7 +172,7 @@ int value_algorithm(int argc, char *argv[], const parameter_t *p, void *data)
 		return 1;
 	}
 
-	// mnemonic (as specified in the IANA algorithm list)
+	// name (IANA mnemonics, simplified)
 
 	struct lookup {
 		const char *name;
@@ -137,19 +180,20 @@ int value_algorithm(int argc, char *argv[], const parameter_t *p, void *data)
 	};
 
 	static const struct lookup mnemonics[] = {
-		{ "dsa",                DNSSEC_KEY_ALGORITHM_DSA_SHA1  },
-		{ "rsasha1",            DNSSEC_KEY_ALGORITHM_RSA_SHA1  },
-		{ "dsa-nsec3-sha1",     DNSSEC_KEY_ALGORITHM_DSA_SHA1_NSEC3  },
-		{ "rsasha1-nsec3-sha1", DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3  },
-		{ "rsasha256",          DNSSEC_KEY_ALGORITHM_RSA_SHA256  },
-		{ "rsasha512",          DNSSEC_KEY_ALGORITHM_RSA_SHA512  },
-		{ "ecdsap256sha256",    DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256 },
-		{ "ecdsap384sha384",    DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384 },
+		{ "dsa",              DNSSEC_KEY_ALGORITHM_DSA_SHA1  },
+		{ "rsasha1",          DNSSEC_KEY_ALGORITHM_RSA_SHA1  },
+		{ "dsansec3sha1",     DNSSEC_KEY_ALGORITHM_DSA_SHA1_NSEC3  },
+		{ "rsasha1nsec3sha1", DNSSEC_KEY_ALGORITHM_RSA_SHA1_NSEC3  },
+		{ "rsasha256",        DNSSEC_KEY_ALGORITHM_RSA_SHA256  },
+		{ "rsasha512",        DNSSEC_KEY_ALGORITHM_RSA_SHA512  },
+		{ "ecdsap256sha256",  DNSSEC_KEY_ALGORITHM_ECDSA_P256_SHA256 },
+		{ "ecdsap384sha384",  DNSSEC_KEY_ALGORITHM_ECDSA_P384_SHA384 },
 		{ NULL }
 	};
 
+	simplify_algorithm_name(input);
 	for (const struct lookup *m = mnemonics; m->name; m++) {
-		if (strcasecmp(input, m->name) == 0) {
+		if (strcmp(input, m->name) == 0) {
 			*algorithm = m->algorithm;
 			return 1;
 		}

src/dnssec/utils/cmdparse/value.h

@@ -33,6 +33,11 @@ int value_bool(int argc, char *argv[], const parameter_t *p, void *data);
  */
 int value_string(int argc, char *argv[], const parameter_t *p, void *data);
 
+/*!
+ * const char *
+ */
+int value_static_string(int argc, char *argv[], const parameter_t *p, void *data);
+
 /*!
  * dnssec_key_algorithm_t
  */

src/dnssec/utils/keymgr.c

@@ -174,37 +174,111 @@ static bool zone_add_dnskey(dnssec_kasp_zone_t *zone, const char *id,
 	return true;
 }
 
-static void print_key(const char *id, const dnssec_key_t *key)
+/* -- list item matching and printing -------------------------------------- */
+
+/*!
+ * Check if a string item contains a substring (case insensitive).
+ */
+static bool item_match_substring(const void *_item, const char *filter)
+{
+	assert(_item);
+	const char *item = _item;
+
+	return strcasestr(item, filter) != NULL;
+}
+
+/*!
+ * Check if a string contains a prefix (case insensitive).
+ */
+static bool str_prefix_match(const char *str, const char *prefix)
+{
+	size_t str_len = strlen(str);
+	size_t prefix_len = strlen(prefix);
+
+	return prefix_len <= str_len &&
+	       strncasecmp(str, prefix, prefix_len) == 0;
+}
+
+/*!
+ * Check if a string content is matching a key tag.
+ */
+static bool keytag_match(uint16_t keytag, const char *filter)
+{
+	uint16_t converted = 0;
+
+	return str_to_u16(filter, &converted) == DNSSEC_EOK &&
+	       keytag == converted;
+}
+
+/*!
+ * Check if a \dnssec_kasp_key_t item matches a filter.
+ *
+ * The filter can be a key ID prefix or match the key tag.
+ */
+static bool item_match_key(const void *_item, const char *filter)
 {
-	printf("id %s keytag %d\n", id, dnssec_key_get_keytag(key));
+	assert(_item);
+	const dnssec_kasp_key_t *item = _item;
+
+	return str_prefix_match(item->id, filter) ||
+	       keytag_match(dnssec_key_get_keytag(item->key), filter);
 }
 
-/* -- generic list operations ---------------------------------------------- */
+/*!
+ * Print key item.
+ */
+static void item_print_key(const void *item)
+{
+	assert(item);
+	const dnssec_kasp_key_t *key = item;
+
+	printf("- %s %5d\n", key->id, dnssec_key_get_keytag(key->key));
+}
 
 /*!
- * Print filtered items from a string list.
+ * Print key string.
+ */
+static void item_print_string(const void *item)
+{
+	assert(item);
+	const char *str = item;
+	printf("- %s\n", str);
+}
+
+static bool empty_filter(const char *filter)
+{
+	return (filter == NULL || filter[0] == '\0');
+}
+
+typedef bool (*list_match_cb)(const void *item, const char *filter);
+typedef void (*list_print_cb)(const void *item);
+
+/*!
+ * Iterate over a list and print each matching item.
  *
- * \param list    List of strings.
- * \param filter  Filter for case-insensitive substring match. Can be NULL.
+ * \param list    List to walk through.
+ * \param filter  Filter value passed to match callback (can be NULL).
+ * \param match   Item match callback (can be NULL in case filter is NULL).
+ * \param print   Item print callback.
  *
- * \retval DNSSEC_EOK        At least one item was printed.
- * \retval DNSSEC_NOT_FOUND  No item matched the filter.
+ * \return Number of printed items.
  */
-static int print_list(dnssec_list_t *list, const char *filter)
+static int print_list(dnssec_list_t *list, const char *filter,
+		      list_match_cb match, list_print_cb print)
 {
 	assert(list);
 
-	bool found_match = NULL;
+	int found = 0;
 
 	dnssec_list_foreach(item, list) {
-		const char *value = dnssec_item_get(item);
-		if (filter == NULL || strcasestr(value, filter) != NULL) {
-			found_match = true;
-			printf("%s\n", value);
+		const void *value = dnssec_item_get(item);
+		if (empty_filter(filter) || match(value, filter)) {
+			found += 1;
+			print(value);
 		}
 	}
 
-	return found_match ? DNSSEC_EOK : DNSSEC_NOT_FOUND;
+	return found;
 }
 
 /* -- key matching --------------------------------------------------------- */
@@ -572,11 +646,11 @@ static int cmd_zone_add(int argc, char *argv[])
 		return 1;
 	}
 
-	char *zone_name = argv[0];
-	char *policy = DEFAULT_POLICY;
+	const char *zone_name = argv[0];
+	const char *policy = DEFAULT_POLICY;
 
 	static const parameter_t params[] = {
-		{ "policy", value_string },
+		{ "policy", value_static_string },
 		{ NULL }
 	};
 
@@ -648,13 +722,12 @@ static int cmd_zone_list(int argc, char *argv[])
 		return 1;
 	}
 
-	r = print_list(zones, match);
-	if (r == DNSSEC_NOT_FOUND) {
+	int found = print_list(zones, match, item_match_substring, item_print_string);
+	if (found == 0) {
 		error("No matching zone found.");
 		return 1;
 	}
 
-	assert(r == DNSSEC_EOK);
 	return 0;
 }
 
@@ -749,16 +822,17 @@ static int cmd_zone_remove(int argc, char *argv[])
 }
 
 /*
- * keymgr zone key list <zone>
+ * keymgr zone key list <zone> [<filter>]
  */
 static int cmd_zone_key_list(int argc, char *argv[])
 {
-	if (argc != 1) {
-		error("Name of one zone has to be specified.");
+	if (argc < 1 || argc > 2) {
+		error("Zone name and optional filter has to be specified.");
 		return 1;
 	}
 
-	char *zone_name = argv[0];
+	const char *zone_name = argv[0];
+	const char *filter = (argc == 2 ? argv[1] : NULL);
 
 	// list the keys
 
@@ -773,9 +847,10 @@ static int cmd_zone_key_list(int argc, char *argv[])
 	}
 
 	dnssec_list_t *zone_keys = dnssec_kasp_zone_get_keys(zone);
-	dnssec_list_foreach(item, zone_keys) {
-		const dnssec_kasp_key_t *key = dnssec_item_get(item);
-		print_key(key->id, key->key);
+	int count = print_list(zone_keys, filter, item_match_key, item_print_key);
+	if (count == 0) {
+		error("No matching zone key found.");
+		return 1;
 	}
 
 	return 0;
@@ -909,6 +984,15 @@ static int cmd_zone_key_ds(int argc, char *argv[])
 	return 0;
 }
 
+static void assure_key_size(uint16_t *size, dnssec_key_algorithm_t algorithm)
+{
+	assert(size);
+
+	if (*size == 0) {
+		*size = dnssec_algorithm_key_size_default(algorithm);
+	}
+}
+
 /*
  * keymgr zone key generate <zone> algorithm <algorithm> size <size> [ksk]
  *                                 [publish <publish>] [active <active>]
@@ -924,7 +1008,7 @@ static int cmd_zone_key_generate(int argc, char *argv[])
 	struct config {
 		char *name;
 		dnssec_key_algorithm_t algorithm;
-		unsigned size;
+		uint16_t size;
 		bool is_ksk;
 		dnssec_kasp_key_timing_t timing;
 	};
@@ -955,10 +1039,7 @@ static int cmd_zone_key_generate(int argc, char *argv[])
 		return 1;
 	}
 
-	if (config.size == 0) {
-		error("Key size has to be specified.");
-		return 1;
-	}
+	assure_key_size(&config.size, config.algorithm);
 
 	if (!dnssec_algorithm_key_size_check(config.algorithm, config.size)) {
 		error("Key size is invalid for given algorithm.");
@@ -1026,7 +1107,7 @@ static int cmd_zone_key_generate(int argc, char *argv[])
 		return 1;
 	}
 
-	print_key(keyid, dnskey);
+	printf("%s\n", keyid);
 
 	return 0;
 }
@@ -1165,7 +1246,7 @@ static int cmd_zone_key_import(int argc, char *argv[])
 		return 1;
 	}
 
-	print_key(keyid, key);
+	printf("%s\n", keyid);
 
 	return 0;
 }
@@ -1207,7 +1288,7 @@ static int cmd_zone_set(int argc, char *argv[])
 	const char *policy = dnssec_kasp_zone_get_policy(zone);
 
 	static const parameter_t params[] = {
-		{ "policy", value_string },
+		{ "policy", value_static_string },
 		{ NULL }
 	};
 
@@ -1269,13 +1350,12 @@ static int cmd_policy_list(int argc, char *argv[])
 		return 1;
 	}
 
-	r = print_list(policies, match);
-	if (r == DNSSEC_NOT_FOUND) {
+	int found = print_list(policies, match, item_match_substring, item_print_string);
+	if (found == 0) {
 		error("No matching policy found.");
 		return 1;
 	}
 
-	assert(r == DNSSEC_EOK);
 	return 0;
 }
 
@@ -1357,19 +1437,30 @@ static int cmd_policy_add(int argc, char *argv[])
 	dnssec_kasp_policy_defaults(policy);
 	policy->keystore = strdup(DEFAULT_KEYSTORE);
 
-	if (parse_parameters(POLICY_PARAMS, argc -1, argv + 1, policy) != 0) {
+	policy->ksk_size = 0;
+	policy->zsk_size = 0;
+
+	if (parse_parameters(POLICY_PARAMS, argc - 1, argv + 1, policy) != 0) {
 		return 1;
 	}
 
+	assure_key_size(&policy->ksk_size, policy->algorithm);
+	assure_key_size(&policy->zsk_size, policy->algorithm);
+
+	int r = dnssec_kasp_policy_validate(policy);
+	if (r != DNSSEC_EOK) {
+		error("Policy configuration is invalid (%s).", dnssec_strerror(r));
+		return 1;
+	}
 
 	_cleanup_kasp_ dnssec_kasp_t *kasp = get_kasp();
 	if (!kasp) {
 		return 1;
 	}
 
-	int r = dnssec_kasp_policy_exists(kasp, policy_name);
+	r = dnssec_kasp_policy_exists(kasp, policy_name);
 	if (r == DNSSEC_EOK) {
-		error("Policy with given name alredy exists.");
+		error("Policy with given name already exists.");
 		return 1;
 	} else if (r != DNSSEC_NOT_FOUND) {
 		error("Failed to check if given policy exists (%s).", dnssec_strerror(r));
@@ -1409,7 +1500,13 @@ static int cmd_policy_set(int argc, char *argv[])
 		return 1;
 	}
 
-	int r = dnssec_kasp_policy_save(kasp, policy);
+	int r = dnssec_kasp_policy_validate(policy);
+	if (r != DNSSEC_EOK) {
+		error("Policy configuration is invalid (%s).", dnssec_strerror(r));
+		return 1;
+	}
+
+	r = dnssec_kasp_policy_save(kasp, policy);
 	if (r != DNSSEC_EOK) {
 		error("Failed to save updated policy (%s).", dnssec_strerror(r));
 		return 1;
@@ -1538,8 +1635,8 @@ static int cmd_keystore_add(int argc, char *argv[])
 
 	static const parameter_t params[] = {
 		#define off(member) offsetof(dnssec_kasp_keystore_t, member)
-		{ "backend", value_string, .offset = off(backend) },
-		{ "config",  value_string, .offset = off(config) },
+		{ "backend", value_static_string, .offset = off(backend) },
+		{ "config",  value_static_string, .offset = off(config) },
 		{ NULL },
 		#undef off
 	};
@@ -1700,11 +1797,6 @@ int main(int argc, char *argv[])
 {
 	int exit_code = 1;
 
-	// global configuration
-
-	global.kasp_dir = getcwd(NULL, 0);
-	assert(global.kasp_dir);
-
 	// global options
 
 	static const struct option opts[] = {
@@ -1737,6 +1829,19 @@ int main(int argc, char *argv[])
 		}
 	}
 
+	// global configuration
+
+	if (global.kasp_dir == NULL) {
+		char *env = getenv("KEYMGR_DIR");
+		if (env) {
+			global.kasp_dir = strdup(env);
+		} else {
+			global.kasp_dir = getcwd(NULL, 0);
+		}
+	}
+
+	assert(global.kasp_dir);
+
 	// subcommands
 
 	static const command_t commands[] = {