Merge branch 'tsig-keyfile' into 'master'

utilities: support for TSIG key in file See merge request !382

Merge branch 'tsig-keyfile' into 'master'
utilities: support for TSIG key in file See merge request !382
44b106e0 · Daniel Salzman · 3c12f7e1 · 285e7564 · 44b106e0 · 44b106e0
Commit 44b106e0 authored May 27, 2015 by Daniel Salzman
38 changed files
--- a/Knot.files
+++ b/Knot.files
@@ -322,8 +322,6 @@ src/libknot/descriptor.c
 src/libknot/descriptor.h
 src/libknot/dname.c
 src/libknot/dname.h
-src/libknot/dnssec/key.c
-src/libknot/dnssec/key.h
 src/libknot/errcode.c
 src/libknot/errcode.h
 src/libknot/internal/array-sort.h
@@ -417,6 +415,8 @@ src/libknot/rrtype/tsig.c
 src/libknot/rrtype/tsig.h
 src/libknot/tsig-op.c
 src/libknot/tsig-op.h
+src/libknot/tsig.c
+src/libknot/tsig.h
 src/libknot/yparser/yparser.c
 src/libknot/yparser/yparser.h
 src/libknot/yparser/ypbody.c
@@ -439,6 +439,8 @@ src/utils/common/params.c
 src/utils/common/params.h
 src/utils/common/resolv.c
 src/utils/common/resolv.h
+src/utils/common/sign.c
+src/utils/common/sign.h
 src/utils/common/strtonum.h
 src/utils/common/token.c
 src/utils/common/token.h
@@ -512,6 +514,7 @@ tests/rrset.c
 tests/rrset_wire.c
 tests/server.c
 tests/test_conf.h
+tests/tsig_key.c
 tests/utils.c
 tests/wire.c
 tests/worker_pool.c

--- a/doc/man/kdig.1in
+++ b/doc/man/kdig.1in
@@ -86,11 +86,9 @@ Enable debug messages.
 Print help and usage.
 .TP
 \fB\-k\fP \fIkeyfile\fP
-Use TSIG or SIG\-0 key stored in a file \fIkeyfile\fP to authenticate the request.
-Supported file format is the same as generated by ISC \fBdnssec\-keygen\fP\&.
-The key comprises of public (.key extension) and private part (.private
-extension). Either of these file names or a name without the extension can be
-specified as \fIkeyfile\fP parameter.
+Use TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
+file must contain the key in the same format, which is accepted by the
+\fB\-y\fP option.
 .TP
 \fB\-p\fP \fIport\fP
 Set nameserver port number or service name to send a query to. The default

--- a/doc/man/knotc.8in
+++ b/doc/man/knotc.8in
@@ -50,10 +50,12 @@ Remote UNIX socket/IP address (default is \fB@run_dir@/knot.sock\fP).
 Remote server port (only for IP).
 .TP
 \fB\-y\fP, \fB\-\-key\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
-Use key specified on the command line (default algorithm is hmac\-md5).
+Use TSIG key specified on the command line (default algorithm is hmac\-md5).
 .TP
 \fB\-k\fP, \fB\-\-keyfile\fP \fIfile\fP
-Use key file.
+Use TSIG key stored in a file \fIfile\fP to authenticate the request. The
+file must contain the key in the same format, which is accepted by the
+\fB\-y\fP option.
 .TP
 \fB\-f\fP, \fB\-\-force\fP
 Force operation. Overrides some checks.

--- a/doc/man/knsupdate.1in
+++ b/doc/man/knsupdate.1in
@@ -52,11 +52,9 @@ Enable debug messages.
 Print help and usage.
 .TP
 \fB\-k\fP \fIkeyfile\fP
-Use TSIG or SIG\-0 key stored in a file \fIkeyfile\fP to authenticate the request.
-Supported file format is the same as generated by ISC \fBdnssec\-keygen\fP\&.
-The key comprises of public (.key extension) and private part (.private
-extension). Either of these file names or a name without the extension can be
-specified as \fIkeyfile\fP parameter.
+Use TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
+file should contain the key in the same format, which is accepted by the
+\fB\-y\fP option.
 .TP
 \fB\-p\fP \fIport\fP
 Set the port to use for connections to the server (if not explicitly specified

--- a/doc/man_kdig.rst
+++ b/doc/man_kdig.rst
@@ -63,11 +63,9 @@ Options
  Print help and usage.

 **-k** *keyfile*
-  Use TSIG or SIG-0 key stored in a file *keyfile* to authenticate the request.
-  Supported file format is the same as generated by ISC :program:`dnssec-keygen`.
-  The key comprises of public (.key extension) and private part (.private
-  extension). Either of these file names or a name without the extension can be
-  specified as *keyfile* parameter.
+  Use TSIG key stored in a file *keyfile* to authenticate the request. The
+  file must contain the key in the same format, which is accepted by the
+  **-y** option.

 **-p** *port*
  Set nameserver port number or service name to send a query to. The default

--- a/doc/man_knotc.rst
+++ b/doc/man_knotc.rst
@@ -27,10 +27,12 @@ Parameters
  Remote server port (only for IP).

 **-y**, **--key** [*alg*:]\ *name*:*key*
-  Use key specified on the command line (default algorithm is hmac-md5).
+  Use TSIG key specified on the command line (default algorithm is hmac-md5).

 **-k**, **--keyfile** *file*
-  Use key file.
+  Use TSIG key stored in a file *file* to authenticate the request. The
+  file must contain the key in the same format, which is accepted by the
+  **-y** option.

 **-f**, **--force**
  Force operation. Overrides some checks.

--- a/doc/man_knsupdate.rst
+++ b/doc/man_knsupdate.rst
@@ -29,11 +29,9 @@ Options
  Print help and usage.

 **-k** *keyfile*
-  Use TSIG or SIG-0 key stored in a file *keyfile* to authenticate the request.
-  Supported file format is the same as generated by ISC :program:`dnssec-keygen`.
-  The key comprises of public (.key extension) and private part (.private
-  extension). Either of these file names or a name without the extension can be
-  specified as *keyfile* parameter.
+  Use TSIG key stored in a file *keyfile* to authenticate the request. The
+  file should contain the key in the same format, which is accepted by the
+  **-y** option.

 **-p** *port*
  Set the port to use for connections to the server (if not explicitly specified

--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -28,7 +28,6 @@ nobase_libknot_la_HEADERS =			\
 	libknot/consts.h			\
 	libknot/descriptor.h			\
 	libknot/dname.h				\
-	libknot/dnssec/key.h			\
 	libknot/errcode.h			\
 	libknot/libknot.h			\
 	libknot/packet/compr.h			\
@@ -53,7 +52,8 @@ nobase_libknot_la_HEADERS =			\
 	libknot/rrtype/rrsig.h			\
 	libknot/rrtype/soa.h			\
 	libknot/rrtype/tsig.h			\
-	libknot/tsig-op.h
+	libknot/tsig-op.h			\
+	libknot/tsig.h

 libknot_internal_ladir = $(includedir)
 nobase_libknot_internal_la_HEADERS = 		\
@@ -91,7 +91,6 @@ libknot_la_SOURCES =				\
 	libknot/consts.c			\
 	libknot/descriptor.c			\
 	libknot/dname.c				\
-	libknot/dnssec/key.c			\
 	libknot/errcode.c			\
 	libknot/packet/compr.c			\
 	libknot/packet/pkt.c			\
@@ -108,6 +107,7 @@ libknot_la_SOURCES =				\
 	libknot/rrtype/opt.c			\
 	libknot/rrtype/tsig.c			\
 	libknot/tsig-op.c			\
+	libknot/tsig.c				\
 	$(nobase_libknot_la_HEADERS)

 libknot_yparser_la_SOURCES = 			\
@@ -408,6 +408,8 @@ libknotus_la_SOURCES =				\
 	utils/common/params.h			\
 	utils/common/resolv.c			\
 	utils/common/resolv.h			\
+	utils/common/sign.c			\
+	utils/common/sign.h			\
 	utils/common/strtonum.h			\
 	utils/common/token.c			\
 	utils/common/token.h

--- a/src/knot/ctl/knotc_main.c
+++ b/src/knot/ctl/knotc_main.c
@@ -117,7 +117,7 @@ void help(void)
 	       " -p, --port <port>             Remote server port (only for IP).\n"
 	       " -y, --key <[hmac:]name:key>   Use key specified on the command line.\n"
 	       "                                (default algorithm is hmac-md5)\n"
-	       " -k, --keyfile <file>          Use key file (as in config section 'keys').\n"
+	       " -k, --keyfile <file>          Read key from file (same format as -y).\n"
 	       " -f, --force                   Force operation - override some checks.\n"
 	       " -v, --verbose                 Verbose mode - additional runtime information.\n"
 	       " -V, --version                 Print %s server version.\n"
@@ -303,125 +303,6 @@ static int cmd_remote(struct sockaddr_storage *addr, knot_tsig_key_t *key,
 	return rc;
 }

-static int tsig_parse_str(knot_tsig_key_t *key, const char *str)
-{
-	char *h = strdup(str);
-	if (!h) {
-		return KNOT_ENOMEM;
-	}
-
-	char *k = NULL, *s = NULL;
-	if ((k = (char*)strchr(h, ':'))) { /* Second part - NAME|SECRET */
-		*k++ = '\0';               /* String separator */
-		s = (char*)strchr(k, ':'); /* Thirt part - |SECRET */
-	}
-
-	/* Determine algorithm. */
-
-	int algorithm = DNSSEC_TSIG_HMAC_MD5;
-	if (s) {
-		*s++ = '\0';               /* Last part separator */
-		dnssec_tsig_algorithm_t alg = dnssec_tsig_algorithm_from_name(h);
-		if (alg != DNSSEC_TSIG_UNKNOWN) {
-			algorithm = alg;
-		} else {
-			free(h);
-			return KNOT_EINVAL;
-		}
-	} else {
-		s = k; /* Ignore first part, push down. */
-		k = h;
-	}
-
-	/* Parse key name. */
-
-	int result = knot_tsig_create_key(k, algorithm, s, key);
-	free(h);
-	return result;
-}
-
-static int tsig_parse_line(knot_tsig_key_t *k, char *l)
-{
-	const char *n, *a, *s;
-	n = a = s = NULL;
-	int fw = 1; /* 0 = reading word, 1 = between words */
-	while (*l != '\0') {
-		if (isspace((unsigned char)(*l)) || *l == '"') {
-			*l = '\0';
-			fw = 1; /* End word. */
-		} else if (fw) {
-			if      (!n) { n = l; }
-			else if (!a) { a = l; }
-			else         { s = l; }
-			fw = 0; /* Start word. */
-		}
-		l++;
-	}
-
-	/* No name parsed - assume wrong format. */
-	if (!n) {
-		return KNOT_EMALF;
-	}
-
-	/* Assume hmac-md5 if no algo specified. */
-	if (!s) {
-		s = a;
-		a = "hmac-md5";
-	}
-
-	/* Lookup algorithm. */
-	dnssec_tsig_algorithm_t alg = dnssec_tsig_algorithm_from_name(a);
-	if (alg == DNSSEC_TSIG_UNKNOWN) {
-		return KNOT_EMALF;
-	}
-
-	/* Create the key data. */
-	return knot_tsig_create_key(n, alg, s, k);
-}
-
-static int tsig_parse_file(knot_tsig_key_t *k, const char *f)
-{
-	FILE* fp = fopen(f, "r");
-	if (!fp) {
-		log_error("failed to open key-file '%s'", f);
-		return KNOT_EINVAL;
-	}
-
-	int c = 0;
-	int ret = KNOT_EOK;
-	char *line = malloc(64);
-	size_t llen = 0;
-	size_t lres = 0;
-	if (line) {
-		lres = 64;
-	}
-
-	while ((c = fgetc(fp)) != EOF) {
-		if (mreserve(&line, sizeof(char), llen + 1, 512, &lres) != 0) {
-			ret = KNOT_ENOMEM;
-			break;
-		}
-		if (c == '\n') {
-			if (k->name) {
-				log_error("only one key definition allowed "
-				          "in '%s'", f);
-				ret = KNOT_EMALF;
-				break;
-			}
-			line[llen] = '\0';
-			ret = tsig_parse_line(k, line);
-			llen = 0;
-		} else {
-			line[llen++] = (char)c;
-		}
-
-	}
-
-	free(line);
-	fclose(fp);
-	return ret;
-}
-
 int main(int argc, char **argv)
 {
 	/* Parse command line arguments */
@@ -470,14 +351,14 @@ int main(int argc, char **argv)
 			r_port = atoi(optarg);
 			break;
 		case 'y':
-			if (tsig_parse_str(&r_key, optarg) != KNOT_EOK) {
+			if (knot_tsig_key_init_str(&r_key, optarg) != KNOT_EOK) {
 				rc = 1;
 				log_error("failed to parse TSIG key '%s'", optarg);
 				goto exit;
 			}
 			break;
 		case 'k':
-			if (tsig_parse_file(&r_key, optarg) != KNOT_EOK) {
+			if (knot_tsig_key_init_file(&r_key, optarg) != KNOT_EOK) {
 				rc = 1;
 				log_error("failed to parse TSIG key file '%s'", optarg);
 				goto exit;
@@ -624,7 +505,7 @@ int main(int argc, char **argv)

 exit:
 	/* Finish */
-	knot_tsig_key_free(&r_key);
+	knot_tsig_key_deinit(&r_key);
 	conf_free(conf(), false);
 	log_close();


--- a/src/knot/ctl/remote.c
+++ b/src/knot/ctl/remote.c
@@ -909,7 +909,7 @@ int remote_process(server_t *s, struct sockaddr_storage *ctl_addr, int sock,
 		sockaddr_tostr(addr_str, sizeof(addr_str), &ss);

 		/* Prepare tsig parameters. */
-		knot_tsig_key_t tsig = { NULL };
+		knot_tsig_key_t tsig = { 0 };
 		if (pkt->tsig_rr) {
 			tsig.name = pkt->tsig_rr->owner;
 			tsig.algorithm = knot_tsig_rdata_alg(pkt->tsig_rr);

--- a/src/knot/ctl/remote.h
+++ b/src/knot/ctl/remote.h
@@ -28,7 +28,6 @@

 #include "libknot/packet/pkt.h"
 #include "libknot/rrset.h"
-#include "libknot/dnssec/key.h"
 #include "knot/server/server.h"

 /*! \brief Default connection control parameters. */

--- a/src/knot/dnssec/rrset-sign.c
+++ b/src/knot/dnssec/rrset-sign.c
@@ -25,7 +25,6 @@
 #include "dnssec/sign.h"
 #include "knot/dnssec/rrset-sign.h"
 #include "libknot/descriptor.h"
-#include "libknot/dnssec/key.h"
 #include "libknot/libknot.h"
 #include "libknot/packet/rrset-wire.h"
 #include "libknot/packet/wire.h"

--- a/src/knot/nameserver/process_query.c
+++ b/src/knot/nameserver/process_query.c
@@ -556,7 +556,7 @@ bool process_query_acl_check(const knot_dname_t *zone_name, acl_action_t action,
 {
 	knot_pkt_t *query = qdata->query;
 	const struct sockaddr_storage *query_source = qdata->param->remote;
-	knot_tsig_key_t tsig = { NULL };
+	knot_tsig_key_t tsig = { 0 };

 	/* Skip if already checked and valid. */
 	if (qdata->sign.tsig_key.name != NULL) {

--- a/src/libknot/internal/mem.c
+++ b/src/libknot/internal/mem.c
@@ -14,6 +14,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

+#include <ctype.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -131,6 +132,31 @@ char *strcdup(const char *s1, const char *s2)
 	return dst;
 }

+char *strstrip(const char *str)
+{
+	// leading white-spaces
+	const char *scan = str;
+	while (isspace((int)scan[0])) {
+		scan += 1;
+	}
+
+	// trailing white-spaces
+	size_t len = strlen(scan);
+	while (len > 1 && isspace((int)scan[len - 1])) {
+		len -= 1;
+	}
+
+	char *trimmed = malloc(len + 1);
+	if (!trimmed) {
+		return NULL;
+	}
+
+	memcpy(trimmed, scan, len + 1);
+	trimmed[len] = '\0';
+
+	return trimmed;
+}
+
 #ifdef MEM_DEBUG
 /*
 * ((destructor)) attribute executes this function after main().

--- a/src/libknot/internal/mem.h
+++ b/src/libknot/internal/mem.h
@@ -80,3 +80,10 @@ char *sprintf_alloc(const char *fmt, ...);
 * \retval NULL on error.
 */
 char *strcdup(const char *s1, const char *s2);
+
+/*!
+ * \brief Create a copy of a string skipping leading and trailing white spaces.
+ *
+ * \return Newly allocated string, NULL in case of error.
+ */
+char *strstrip(const char *str);
--- a/src/libknot/rrset-dump.c
+++ b/src/libknot/rrset-dump.c
@@ -30,7 +30,6 @@
 #include "libknot/rrset-dump.h"
 #include "libknot/consts.h"
 #include "libknot/descriptor.h"
-#include "libknot/dnssec/key.h"
 #include "libknot/errcode.h"
 #include "libknot/internal/base64.h"
 #include "libknot/internal/base32hex.h"

--- a/src/libknot/rrtype/tsig.h
+++ b/src/libknot/rrtype/tsig.h
@@ -33,14 +33,7 @@
 #include "libknot/binary.h"
 #include "libknot/consts.h"
 #include "libknot/rrset.h"
-
-struct knot_tsig_key {
-	knot_dname_t *name;
-	dnssec_tsig_algorithm_t algorithm;
-	dnssec_binary_t secret;
-};
-
-typedef struct knot_tsig_key knot_tsig_key_t;
+#include "libknot/tsig.h"

 enum tsig_consts {
 	KNOT_TSIG_ITEM_COUNT = 7,
@@ -54,19 +47,6 @@ enum tsig_consts {
 	                          + 6			// time signed
 };

-/*! \brief Packet signing context.
- *  \todo This should be later moved to TSIG files when refactoring. */
-typedef struct knot_sign_context {
-	knot_tsig_key_t tsig_key;
-	uint8_t *tsig_buf;
-	uint8_t *tsig_digest;
-	size_t tsig_buflen;
-	size_t tsig_digestlen;
-	uint8_t tsig_runlen;
-	uint64_t tsig_time_signed;
-	size_t pkt_count;
-} knot_sign_context_t;
-
 /*!
 * \brief Create TSIG RDATA.
 *

--- a/src/libknot/tsig-op.c
+++ b/src/libknot/tsig-op.c
@@ -28,7 +28,6 @@
 #include "libknot/packet/wire.h"
 #include "libknot/consts.h"
 #include "libknot/descriptor.h"
-#include "libknot/dnssec/key.h"
 #include "libknot/packet/wire.h"
 #include "libknot/rrtype/tsig.h"
 #include "libknot/tsig-op.h"

--- a/src/libknot/tsig-op.h
+++ b/src/libknot/tsig-op.h
@@ -28,7 +28,6 @@

 #include <stdint.h>

-#include "libknot/dnssec/key.h"
 #include "libknot/rrtype/tsig.h"
 #include "libknot/rrset.h"


--- a/src/libknot/dnssec/key.c
+++ b/src/libknot/dnssec/key.c
-/*  Copyright (C) 2011 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
+/*  Copyright (C) 2015 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -17,40 +17,52 @@
 #include <assert.h>
 #include <string.h>

-#include "dnssec/binary.h"
-#include "libknot/dnssec/key.h"
-
+#include "dnssec/error.h"
+#include "libknot/errcode.h"
 #include "libknot/internal/getline.h"
 #include "libknot/internal/macros.h"
+#include "libknot/internal/mem.h"
+#include "libknot/tsig.h"

-#include "libknot/descriptor.h"
-#include "libknot/errcode.h"
-#include "libknot/binary.h"
-#include "libknot/dname.h"
-#include "libknot/dnssec/key.h"
-#include "libknot/errcode.h"
-#include "libknot/rrtype/tsig.h"
+_public_
+void knot_tsig_key_deinit(knot_tsig_key_t *key)
+{
+	if (!key) {
+		return;
+	}
+
+	knot_dname_free(&key->name, NULL);
+
+	memset(key->secret.data, 0, key->secret.size);
+	dnssec_binary_free(&key->secret);
+
+	memset(key, '\0', sizeof(*key));
+}

-/*!
- * \brief Creates TSIG key.
- */
 _public_
-int knot_tsig_create_key(const char *name, dnssec_tsig_algorithm_t algorithm,
-                         const char *b64secret_str, knot_tsig_key_t *key)
+int knot_tsig_key_init(knot_tsig_key_t *key, const char *algorithm_name,
+                       const char *name, const char *secret_b64)
 {
-	if (!name || !b64secret_str || !key) {
+	if (!name || !secret_b64 || !key) {
 		return KNOT_EINVAL;
 	}

-	knot_dname_t *dname;
-	dname = knot_dname_from_str_alloc(name);
+	dnssec_tsig_algorithm_t algorithm = DNSSEC_TSIG_HMAC_MD5;
+	if (algorithm_name != NULL) {
+		algorithm = dnssec_tsig_algorithm_from_name(algorithm_name);
+		if (algorithm == DNSSEC_TSIG_UNKNOWN) {
+			return KNOT_EMALF;
+		}
+	}
+
+	knot_dname_t *dname = knot_dname_from_str_alloc(name);
 	if (!dname) {
 		return KNOT_ENOMEM;
 	}

 	dnssec_binary_t b64secret = { 0 };
-	b64secret.data = (uint8_t *)b64secret_str;
-	b64secret.size = strlen(b64secret_str);
+	b64secret.data = (uint8_t *)secret_b64;
+	b64secret.size = strlen(secret_b64);

 	dnssec_binary_t secret = { 0 };
 	int result = dnssec_binary_from_base64(&b64secret, &secret);
@@ -66,89 +78,116 @@ int knot_tsig_create_key(const char *name, dnssec_tsig_algorithm_t algorithm,
 	return KNOT_EOK;
 }

-/*!
- * \brief Frees TSIG key.
- */
 _public_
-int knot_tsig_key_free(knot_tsig_key_t *key)
+int knot_tsig_key_init_str(knot_tsig_key_t *key, const char *params)
 {
-	if (!key) {
+	if (!params) {
 		return KNOT_EINVAL;
 	}

-	knot_dname_free(&key->name, NULL);
-	dnssec_binary_free(&key->secret);
-	memset(key, '\0', sizeof(knot_tsig_key_t));
+	char *copy = strstrip(params);
+	if (!copy) {
+		return KNOT_ENOMEM;
+	}

-	return KNOT_EOK;
-}
+	size_t copy_size = strlen(copy) + 1;

-_public_
-int knot_copy_key_params(const knot_key_params_t *src, knot_key_params_t *dst)
-{
-	if (src == NULL || dst == NULL) {
-		return KNOT_EINVAL;
-	}
+	// format [algorithm:]name:secret

-	knot_key_params_t copy = { 0 };
-	copy.algorithm = src->algorithm;
+	char *algorithm = NULL;
+	char *name = NULL;
+	char *secret = NULL;

-	if (src->name) {
-		copy.name = knot_dname_copy(src->name, NULL);
-		if (!copy.name) {
-			return KNOT_ENOMEM;
-		}
+	// find secret
+
+	char *pos = strrchr(copy, ':');
+	if (pos) {
+		*pos = '\0';
+		secret = pos + 1;
+	} else {
+		memset(copy, 0, copy_size);
+		free(copy);
+		return KNOT_EMALF;
 	}

-	int ret = dnssec_binary_dup(&src->secret, &copy.secret);
-	if (ret != KNOT_EOK) {
-		knot_dname_free(&copy.name, NULL);
+	// find name and optionally algorithm
+
+	pos = strchr(copy, ':');
+	if (pos) {
+		*pos = '\0';
+		algorithm = copy;
+		name = pos + 1;
+	} else {
+		name = copy;
 	}

-	*dst = copy;
+	int result = knot_tsig_key_init(key, algorithm, name, secret);

-	return KNOT_EOK;
+	memset(copy, 0, copy_size);
+	free(copy);
+
+	return result;
 }

 _public_
-int knot_free_key_params(knot_key_params_t *key_params)
+int knot_tsig_key_init_file(knot_tsig_key_t *key, const char *filename)