Commit 26e19740 authored by Daniel Salzman, committed by Libor Peltan

kkeymgr: rename to keymgr

parent ee960ad5
......@@ -72,10 +72,9 @@
# Binaries
/src/kdig
/src/keymgr
/src/khost
/src/kjournalprint
/src/kkeymgr
/src/keymgr
/src/knot1to2
/src/knotc
/src/knotd
......
......@@ -141,8 +141,6 @@ src/dnssec/shared/timestamp.h
src/dnssec/shared/wire.h
src/dnssec/tests/binary.c
src/dnssec/tests/crypto.c
src/dnssec/tests/kasp_dir_escape.c
src/dnssec/tests/kasp_dir_file.c
src/dnssec/tests/key.c
src/dnssec/tests/key_algorithm.c
src/dnssec/tests/key_ds.c
......@@ -460,15 +458,15 @@ src/utils/kdig/kdig_exec.h
src/utils/kdig/kdig_main.c
src/utils/kdig/kdig_params.c
src/utils/kdig/kdig_params.h
src/utils/keymgr/bind_privkey.c
src/utils/keymgr/bind_privkey.h
src/utils/keymgr/functions.c
src/utils/keymgr/functions.h
src/utils/keymgr/main.c
src/utils/khost/khost_main.c
src/utils/khost/khost_params.c
src/utils/khost/khost_params.h
src/utils/kjournalprint/main.c
src/utils/kkeymgr/bind_privkey.c
src/utils/kkeymgr/bind_privkey.h
src/utils/kkeymgr/functions.c
src/utils/kkeymgr/functions.h
src/utils/kkeymgr/main.c
src/utils/knot1to2/cf-lex.c
src/utils/knot1to2/cf-lex.l
src/utils/knot1to2/cf-parse.tab.c
......
......@@ -2,7 +2,7 @@
# sphinx-build manpages
/man/kdig.1
/man/kkeymgr.8
/man/keymgr.8
/man/pykeymgr.8
/man/khost.1
/man/kjournalprint.1
......
MANPAGES_IN = man/knot.conf.5in man/knotc.8in man/knotd.8in man/kdig.1in man/khost.1in man/kjournalprint.1in man/knsupdate.1in man/knot1to2.1in man/knsec3hash.1in man/kkeymgr.8in man/pykeymgr.8in man/kzonecheck.1in
MANPAGES_RST = reference.rst man_knotc.rst man_knotd.rst man_kdig.rst man_khost.rst man_kjournalprint.rst man_knsupdate.rst man_knot1to2.rst man_knsec3hash.rst man_kkeymgr.rst man_pykeymgr.rst man_kzonecheck.rst
MANPAGES_IN = man/knot.conf.5in man/knotc.8in man/knotd.8in man/kdig.1in man/khost.1in man/kjournalprint.1in man/knsupdate.1in man/knot1to2.1in man/knsec3hash.1in man/keymgr.8in man/pykeymgr.8in man/kzonecheck.1in
MANPAGES_RST = reference.rst man_knotc.rst man_knotd.rst man_kdig.rst man_khost.rst man_kjournalprint.rst man_knsupdate.rst man_knot1to2.rst man_knsec3hash.rst man_keymgr.rst man_pykeymgr.rst man_kzonecheck.rst
EXTRA_DIST = \
conf.py \
......@@ -62,7 +62,7 @@ man_MANS += man/knot.conf.5 man/knotc.8 man/knotd.8
endif # HAVE_DAEMON
if HAVE_UTILS
man_MANS += man/kdig.1 man/khost.1 man/kjournalprint.1 man/knsupdate.1 man/knot1to2.1 man/knsec3hash.1 man/kkeymgr.8 man/pykeymgr.8 man/kzonecheck.1
man_MANS += man/kdig.1 man/khost.1 man/kjournalprint.1 man/knsupdate.1 man/knot1to2.1 man/knsec3hash.1 man/keymgr.8 man/pykeymgr.8 man/kzonecheck.1
endif # HAVE_UTILS
man/knot.conf.5: man/knot.conf.5in
......@@ -74,7 +74,7 @@ man/kjournalprint.1: man/kjournalprint.1in
man/knsupdate.1: man/knsupdate.1in
man/knot1to2.1: man/knot1to2.1in
man/knsec3hash.1: man/knsec3hash.1in
man/kkeymgr.8: man/kkeymgr.8in
man/keymgr.8: man/keymgr.8in
man/pykeymgr.8: man/pykeymgr.8in
man/kzonecheck.1: man/kzonecheck.1in
......
......@@ -220,7 +220,7 @@ latex_domain_indices = False
man_pages = [
('reference', 'knot.conf', 'Knot DNS configuration file', author, 5),
('man_kdig', 'kdig', 'Advanced DNS lookup utility', author, 1),
('man_kkeymgr', 'kkeymgr', ' DNSSEC key management utility', author, 8),
('man_keymgr', 'keymgr', ' DNSSEC key management utility', author, 8),
('man_pykeymgr', 'pykeymgr', ' DNSSEC key management utility', author, 8),
('man_khost', 'khost', 'Simple DNS lookup utility', author, 1),
('man_kjournalprint', 'kjournalprint', 'Knot DNS journal print utility', author, 1),
......
......@@ -88,7 +88,7 @@ Access control list (ACL)
An ACL list specifies which remotes are allowed to send the server a specific
request. A remote can be a single IP address or a network subnet. Also a TSIG
key can be assigned (see :doc:`kkeymgr <man_kkeymgr>` how to generate a TSIG key).
key can be assigned (see :doc:`keymgr <man_keymgr>` how to generate a TSIG key).
With no ACL rule, all the actions are denied for the zone. Each ACL rule
can allow one or more actions for given address/subnet/TSIG, or deny them.
......@@ -339,7 +339,7 @@ the server logs to see whether everything went well.
.. WARNING::
This guide assumes that the zone *myzone.test* was not signed prior to
enabling the automatic key management. If the zone was already signed, all
existing keys must be imported using ``kkeymgr import-bind`` command
existing keys must be imported using ``keymgr import-bind`` command
before enabling the automatic signing. Also the algorithm in the policy must
match the algorithm of all imported keys. Otherwise the zone will be resigned
at all.
......@@ -361,13 +361,13 @@ with manual key management flag has to be set::
dnssec-signing: on
dnssec-policy: manual
To generate signing keys, use the :doc:`kkeymgr <man_kkeymgr>` utility.
To generate signing keys, use the :doc:`keymgr <man_keymgr>` utility.
Let's use the Single-Type Signing scheme with two algorithms. Run:
.. code-block:: console
$ kkeymgr -d path/to/keydir myzone.test. generate algorithm=RSASHA256 size=1024
$ kkeymgr -d path/to/keydir myzone.test. generate algorithm=ECDSAP256SHA256 size=256
$ keymgr -d path/to/keydir myzone.test. generate algorithm=RSASHA256 size=1024
$ keymgr -d path/to/keydir myzone.test. generate algorithm=ECDSAP256SHA256 size=256
And reload the server. The zone will be signed.
......@@ -377,14 +377,14 @@ it yet:
.. code-block:: console
$ kkeymgr -d path/to/keydir myzone.test. generate algorithm=RSASHA256 size=1024 active=now+1d
$ keymgr -d path/to/keydir myzone.test. generate algorithm=RSASHA256 size=1024 active=now+1d
Take the key ID (or key tag) of the old RSA key and disable it the same time
the new key gets activated:
.. code-block:: console
$ kkeymgr -d path/to/keydir myzone.test. set <old_key_id> retire=now+1d remove=now+1d
$ keymgr -d path/to/keydir myzone.test. set <old_key_id> retire=now+1d remove=now+1d
Reload the server again. The new key will be published (i.e. the DNSKEY record
will be added into the zone). Do not forget to update the DS record in the
......
......@@ -254,7 +254,7 @@ on libidn availability during project building!
.sp
Options \fB\-k\fP and \fB\-y\fP can not be used simultaneously.
.sp
Dnssec\-keygen keyfile format is not supported. Use \fBkkeymgr(8)\fP instead.
Dnssec\-keygen keyfile format is not supported. Use \fBkeymgr(8)\fP instead.
.SH EXAMPLES
.INDENT 0.0
.IP 1. 3
......@@ -315,7 +315,7 @@ $ kdig \-d @185.49.141.38 +tls\-ca +tls\-host=getdnsapi.net \e
\fB/etc/resolv.conf\fP
.SH SEE ALSO
.sp
\fBkhost(1)\fP, \fBknsupdate(1)\fP, \fBkkeymgr(8)\fP\&.
\fBkhost(1)\fP, \fBknsupdate(1)\fP, \fBkeymgr(8)\fP\&.
.SH AUTHOR
CZ.NIC Labs <http://www.knot-dns.cz>
.SH COPYRIGHT
......
.\" Man page generated from reStructuredText.
.
.TH "KKEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
.TH "KEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
.SH NAME
kkeymgr \- DNSSEC key management utility
keymgr \- DNSSEC key management utility
.
.nr rst2man-indent-level 0
.
......@@ -32,12 +32,12 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
..
.SH SYNOPSIS
.sp
\fBkkeymgr\fP \fIbasic_option\fP [\fIparameters\fP\&...]
\fBkeymgr\fP \fIbasic_option\fP [\fIparameters\fP\&...]
.sp
\fBkkeymgr\fP \fIconfig_option\fP \fIconfig_storage\fP \fIzone_name\fP \fIaction\fP \fIparameters\fP\&...
\fBkeymgr\fP \fIconfig_option\fP \fIconfig_storage\fP \fIzone_name\fP \fIaction\fP \fIparameters\fP\&...
.SH DESCRIPTION
.sp
The \fBkkeymgr\fP utility serves for key management in Knot DNS server.
The \fBkeymgr\fP utility serves for key management in Knot DNS server.
.sp
Functions for DNSSEC keys and KASP (Key And Signature Policy)
management are provided.
......@@ -154,7 +154,7 @@ Generate TSIG key:
.sp
.nf
.ft C
$ kkeymgr \-t my_name hmac\-sha384
$ keymgr \-t my_name hmac\-sha384
.ft P
.fi
.UNINDENT
......@@ -166,7 +166,7 @@ Import a key from BIND:
.sp
.nf
.ft C
$ kkeymgr \-d ${knot_data_dir}/keys example.com. import\-bind ~/bind/Kharbinge4d5.+007+63089.key
$ keymgr \-d ${knot_data_dir}/keys example.com. import\-bind ~/bind/Kharbinge4d5.+007+63089.key
.ft P
.fi
.UNINDENT
......@@ -178,7 +178,7 @@ Generate new key:
.sp
.nf
.ft C
$ kkeymgr \-c ${knot_data_dir}/knot.conf example.com. generate algorithm=ECDSAP256SHA256 size=256 \e
$ keymgr \-c ${knot_data_dir}/knot.conf example.com. generate algorithm=ECDSAP256SHA256 size=256 \e
ksk=true created=1488034625 publish=20170223205611 retire=now+10mo remove=now+1y
.ft P
.fi
......@@ -191,7 +191,7 @@ Configure key timing:
.sp
.nf
.ft C
$ kkeymgr \-d ${knot_data_dir}/keys test.test. set 4208 active=t+2mi retire=t+4mi remove=t+5mi
$ keymgr \-d ${knot_data_dir}/keys test.test. set 4208 active=t+2mi retire=t+4mi remove=t+5mi
.ft P
.fi
.UNINDENT
......@@ -203,7 +203,7 @@ Share a KSK from another zone:
.sp
.nf
.ft C
$ kkeymgr \-c ${knot_data_dir}/knot.conf test.test. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9
$ keymgr \-c ${knot_data_dir}/knot.conf test.test. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9
.ft P
.fi
.UNINDENT
......
......@@ -156,7 +156,7 @@ Quit the program.
.sp
Options \fB\-k\fP and \fB\-y\fP can not be used simultaneously.
.sp
Dnssec\-keygen keyfile format is not supported. Use \fBkkeymgr(8)\fP instead.
Dnssec\-keygen keyfile format is not supported. Use \fBkeymgr(8)\fP instead.
.sp
Zone name/server guessing is not supported if the zone name/server is not specified.
.sp
......@@ -189,7 +189,7 @@ $ knsupdate
.UNINDENT
.SH SEE ALSO
.sp
\fBkdig(1)\fP, \fBkhost(1)\fP, \fBkkeymgr(8)\fP\&.
\fBkdig(1)\fP, \fBkhost(1)\fP, \fBkeymgr(8)\fP\&.
.SH AUTHOR
CZ.NIC Labs <http://www.knot-dns.cz>
.SH COPYRIGHT
......
......@@ -232,7 +232,7 @@ Notes
Options **-k** and **-y** can not be used simultaneously.
Dnssec-keygen keyfile format is not supported. Use :manpage:`kkeymgr(8)` instead.
Dnssec-keygen keyfile format is not supported. Use :manpage:`keymgr(8)` instead.
Examples
--------
......@@ -265,4 +265,4 @@ Files
See Also
--------
:manpage:`khost(1)`, :manpage:`knsupdate(1)`, :manpage:`kkeymgr(8)`.
:manpage:`khost(1)`, :manpage:`knsupdate(1)`, :manpage:`keymgr(8)`.
.. highlight:: console
kkeymgr – Key management utility
=================================
keymgr – Key management utility
===============================
Synopsis
--------
:program:`kkeymgr` *basic_option* [*parameters*...]
:program:`keymgr` *basic_option* [*parameters*...]
:program:`kkeymgr` *config_option* *config_storage* *zone_name* *action* *parameters*...
:program:`keymgr` *config_option* *config_storage* *zone_name* *action* *parameters*...
Description
-----------
The :program:`kkeymgr` utility serves for key management in Knot DNS server.
The :program:`keymgr` utility serves for key management in Knot DNS server.
Functions for DNSSEC keys and KASP (Key And Signature Policy)
management are provided.
......@@ -127,24 +127,24 @@ Examples
1. Generate TSIG key::
$ kkeymgr -t my_name hmac-sha384
$ keymgr -t my_name hmac-sha384
2. Import a key from BIND::
$ kkeymgr -d ${knot_data_dir}/keys example.com. import-bind ~/bind/Kharbinge4d5.+007+63089.key
$ keymgr -d ${knot_data_dir}/keys example.com. import-bind ~/bind/Kharbinge4d5.+007+63089.key
3. Generate new key::
$ kkeymgr -c ${knot_data_dir}/knot.conf example.com. generate algorithm=ECDSAP256SHA256 size=256 \
$ keymgr -c ${knot_data_dir}/knot.conf example.com. generate algorithm=ECDSAP256SHA256 size=256 \
ksk=true created=1488034625 publish=20170223205611 retire=now+10mo remove=now+1y
4. Configure key timing::
$ kkeymgr -d ${knot_data_dir}/keys test.test. set 4208 active=t+2mi retire=t+4mi remove=t+5mi
$ keymgr -d ${knot_data_dir}/keys test.test. set 4208 active=t+2mi retire=t+4mi remove=t+5mi
5. Share a KSK from another zone::
$ kkeymgr -c ${knot_data_dir}/knot.conf test.test. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9
$ keymgr -c ${knot_data_dir}/knot.conf test.test. share e687cf927029e9db7184d2ece6d663f5d1e5b0e9
See Also
--------
......
......@@ -134,7 +134,7 @@ Notes
Options **-k** and **-y** can not be used simultaneously.
Dnssec-keygen keyfile format is not supported. Use :manpage:`kkeymgr(8)` instead.
Dnssec-keygen keyfile format is not supported. Use :manpage:`keymgr(8)` instead.
Zone name/server guessing is not supported if the zone name/server is not specified.
......@@ -161,4 +161,4 @@ Examples
See Also
--------
:manpage:`kdig(1)`, :manpage:`khost(1)`, :manpage:`kkeymgr(8)`.
:manpage:`kdig(1)`, :manpage:`khost(1)`, :manpage:`keymgr(8)`.
......@@ -36,10 +36,10 @@ server configuration:
3. Import all existing zone keys into the KASP database. Make sure that all
the keys were imported correctly::
$ kkeymgr -d path/to/keydir example.com. import-bind path/to/Kexample.com.+013+11111
$ kkeymgr -d path/to/keydir example.com. import-bind path/to/Kexample.com.+013+22222
$ keymgr -d path/to/keydir example.com. import-bind path/to/Kexample.com.+013+11111
$ keymgr -d path/to/keydir example.com. import-bind path/to/Kexample.com.+013+22222
$ ...
$ kkeymgr -d path/to/keydir example.com. list
$ keymgr -d path/to/keydir example.com. list
.. NOTE::
The server can be run under a dedicated user account, usually ``knot``.
......@@ -47,6 +47,6 @@ server configuration:
permissions must be set correctly. This can be achieved for instance by
executing all KASP database management commands under sudo::
$ sudo -u knot kkeymgr ...
$ sudo -u knot keymgr ...
4. Follow :ref:`Automatic DNSSEC signing` steps to configure DNSSEC signing.
......@@ -11,7 +11,7 @@ the server. This section collects manual pages for all provided binaries:
:titlesonly:
man_kdig
man_kkeymgr
man_keymgr
man_pykeymgr
man_khost
man_kjournalprint
......
......@@ -418,7 +418,7 @@ libknotd_la_LIBADD = libknot.la libknot-yparser.la zscanner/libzscanner.la $(lib
if HAVE_DAEMON
sbin_PROGRAMS = knotc knotd
sbin_PROGRAMS = knotc knotd keymgr
libexec_PROGRAMS = knot1to2
noinst_LTLIBRARIES += libknotd.la libknotus.la
......@@ -440,6 +440,13 @@ knotc_SOURCES = \
knotd_SOURCES = \
utils/knotd/main.c
keymgr_SOURCES = \
utils/keymgr/bind_privkey.c \
utils/keymgr/bind_privkey.h \
utils/keymgr/functions.c \
utils/keymgr/functions.h \
utils/keymgr/main.c
knot1to2_SOURCES = \
utils/knot1to2/cf-lex.c \
utils/knot1to2/cf-parse.tab.c \
......@@ -451,11 +458,16 @@ knot1to2_SOURCES = \
utils/knot1to2/main.c \
utils/knot1to2/scheme.h
knotd_CPPFLAGS = $(AM_CPPFLAGS) $(liburcu_CFLAGS)
knotd_LDADD = libknotd.la libcontrib.la $(liburcu_LIBS)
knotc_CPPFLAGS = $(AM_CPPFLAGS) $(libedit_CFLAGS)
knotc_LDADD = libknotd.la libknotus.la $(libedit_LIBS)
knot1to2_LDADD = libcontrib.la
knotd_CPPFLAGS = $(AM_CPPFLAGS) $(liburcu_CFLAGS)
knotd_LDADD = libknotd.la libcontrib.la $(liburcu_LIBS)
knotc_CPPFLAGS = $(AM_CPPFLAGS) $(libedit_CFLAGS)
knotc_LDADD = libknotd.la libknotus.la $(libedit_LIBS)
keymgr_CPPFLAGS = $(AM_CPPFLAGS) $(liburcu_CFLAGS) -I$(srcdir)/dnssec/lib/dnssec \
-I$(srcdir)/dnssec $(gnutls_CFLAGS)
keymgr_LDADD = $(libidn_LIBS) $(liburcu_LIBS) libknotd.la libcontrib.la \
libknotd.la libknotus.la dnssec/libdnssec.la dnssec/libshared.la \
zscanner/libzscanner.la $(gnutls_LIBS)
knot1to2_LDADD = libcontrib.la
####################################
# Optional Knot DNS Daemon modules #
......@@ -491,7 +503,7 @@ if HAVE_UTILS
bin_PROGRAMS = kdig khost knsec3hash knsupdate
if HAVE_DAEMON
bin_PROGRAMS += kzonecheck kjournalprint kkeymgr
bin_PROGRAMS += kzonecheck kjournalprint
endif # HAVE_DAEMON
kdig_SOURCES = \
......@@ -529,13 +541,6 @@ kzonecheck_SOURCES = \
kjournalprint_SOURCES = \
utils/kjournalprint/main.c
kkeymgr_SOURCES = \
utils/kkeymgr/bind_privkey.c \
utils/kkeymgr/bind_privkey.h \
utils/kkeymgr/functions.c \
utils/kkeymgr/functions.h \
utils/kkeymgr/main.c
# bin programs
kdig_CPPFLAGS = $(AM_CPPFLAGS) $(gnutls_CFLAGS)
kdig_LDADD = $(libidn_LIBS) libknotus.la
......@@ -546,11 +551,8 @@ knsupdate_LDADD = zscanner/libzscanner.la libknotus.la
knsec3hash_CPPFLAGS = $(AM_CPPFLAGS) -I$(srcdir)/dnssec/lib/dnssec -I$(srcdir)/dnssec
knsec3hash_LDADD = dnssec/libdnssec.la dnssec/libshared.la
kzonecheck_LDADD = libknotd.la libcontrib.la
kjournalprint_CPPFLAGS = $(AM_CPPFLAGS) $(gnutls_CFLAGS) $(liburcu_CFLAGS)
kjournalprint_CPPFLAGS = $(AM_CPPFLAGS) $(gnutls_CFLAGS) $(liburcu_CFLAGS)
kjournalprint_LDADD = $(libidn_LIBS) $(liburcu_LIBS) libknotd.la libcontrib.la
kkeymgr_CPPFLAGS = $(AM_CPPFLAGS) $(liburcu_CFLAGS) -I$(srcdir)/dnssec/lib/dnssec -I$(srcdir)/dnssec $(gnutls_CFLAGS)
kkeymgr_LDADD = $(libidn_LIBS) $(liburcu_LIBS) libknotd.la libcontrib.la libknotd.la libknotus.la dnssec/libdnssec.la dnssec/libshared.la zscanner/libzscanner.la $(gnutls_LIBS)
# TODO wrap
#######################################
# Optional Knot DNS Utilities modules #
......
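Review bot: Moving `keymgr` from `bin_PROGRAMS` (inside `if HAVE_UTILS` / `if HAVE_DAEMON`) to `sbin_PROGRAMS = knotc knotd keymgr` changes more than the name: the tool is now installed into sbindir and built whenever the daemon is, regardless of the utilities switch. The man-page list elsewhere in this commit still adds `man/keymgr.8` under `if HAVE_UTILS`, so a daemon-only build would presumably install the key-management binary without its manual; consider moving it to the daemon line, e.g. `man_MANS += man/knot.conf.5 man/knotc.8 man/knotd.8 man/keymgr.8`. Packagers and operator scripts that call the tool by absolute path are affected, so the commit message should mention the new install location. `keymgr_LDADD` also still lists `libknotd.la` twice, carried over from the old `kkeymgr_LDADD` rule.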
......@@ -22,7 +22,7 @@
#include "dnssec/error.h"
#include "shared/pem.h"
#include "shared/shared.h"
#include "utils/kkeymgr/bind_privkey.h"
#include "utils/keymgr/bind_privkey.h"
/* -- private key params conversion ---------------------------------------- */
......
......@@ -14,7 +14,7 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "utils/kkeymgr/functions.h"
#include "utils/keymgr/functions.h"
#include <ctype.h>
#include <limits.h>
......@@ -27,7 +27,7 @@
#include "dnssec/shared/shared.h"
#include "knot/dnssec/kasp/policy.h"
#include "knot/dnssec/zone-keys.h"
#include "utils/kkeymgr/bind_privkey.h"
#include "utils/keymgr/bind_privkey.h"
#include "zscanner/scanner.h"
static time_t arg_timestamp(const char *arg)
......@@ -163,7 +163,7 @@ static bool genkeyargs(int argc, char *argv[], bool just_timing,
}
// modifies ctx->policy options, so don't do anything afterwards !
int kkeymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[]) {
int keymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[]) {
time_t now = time(NULL), infty = 0x0fffffffffffff00LLU;
knot_kasp_key_timing_t gen_timing = { now, now, now, infty, infty };
bool isksk = false;
......@@ -272,7 +272,7 @@ static char *genname(const char *orig, const char *wantsuff, const char *altsuff
return res;
}
int kkeymgr_import_bind(kdnssec_ctx_t *ctx, const char *import_file)
int keymgr_import_bind(kdnssec_ctx_t *ctx, const char *import_file)
{
char *pubname = genname(import_file, ".key", ".private");
char *privname = genname(import_file, ".private", ".key");
......@@ -368,7 +368,7 @@ static void print_tsig(dnssec_tsig_algorithm_t mac, const char *name,
printf(" secret: %.*s\n", (int)secret->size, secret->data);
}
int kkeymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits)
int keymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits)
{
dnssec_tsig_algorithm_t alg = dnssec_tsig_algorithm_from_name(alg_name);
if (alg == DNSSEC_TSIG_UNKNOWN) {
......@@ -438,7 +438,7 @@ static bool is_hex(const char *string)
return (*string != '\0');
}
int kkeymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **key)
int keymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **key)
{
long spec_tag = is_uint32(key_spec), spec_len = strlen(key_spec);
if (spec_tag < 0 && !is_hex(key_spec)) {
......@@ -467,7 +467,7 @@ int kkeymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **
return KNOT_EOK;
}
int kkeymgr_set_timing(knot_kasp_key_t *key, int argc, char *argv[])
int keymgr_set_timing(knot_kasp_key_t *key, int argc, char *argv[])
{
knot_kasp_key_timing_t temp = key->timing;
......@@ -478,7 +478,7 @@ int kkeymgr_set_timing(knot_kasp_key_t *key, int argc, char *argv[])
return KNOT_EINVAL;
}
int kkeymgr_list_keys(kdnssec_ctx_t *ctx)
int keymgr_list_keys(kdnssec_ctx_t *ctx)
{
for (size_t i = 0; i < ctx->zone->num_keys; i++) {
knot_kasp_key_t *key = &ctx->zone->keys[i];
......@@ -532,7 +532,7 @@ static int create_and_print_ds(const knot_dname_t *zone_name,
return print_ds(zone_name, &rdata);
}
int kkeymgr_generate_ds(const knot_dname_t *dname, const knot_kasp_key_t *key)
int keymgr_generate_ds(const knot_dname_t *dname, const knot_kasp_key_t *key)
{
static const dnssec_key_digest_t digests[] = {
DNSSEC_KEY_DIGEST_SHA1,
......@@ -549,7 +549,7 @@ int kkeymgr_generate_ds(const knot_dname_t *dname, const knot_kasp_key_t *key)
return ret;
}
int kkeymgr_share_key(kdnssec_ctx_t *ctx, const knot_kasp_key_t *key,
int keymgr_share_key(kdnssec_ctx_t *ctx, const knot_kasp_key_t *key,
const char *zone_name_ch)
{
knot_dname_t *zone_name = knot_dname_from_str_alloc(zone_name_ch);
......
......@@ -16,19 +16,19 @@
#include "knot/dnssec/context.h"
int kkeymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[]);
int keymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[]);
int kkeymgr_import_bind(kdnssec_ctx_t *ctx, const char *import_file);
int keymgr_import_bind(kdnssec_ctx_t *ctx, const char *import_file);
int kkeymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits);
int keymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits);
int kkeymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **key);
int keymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **key);
int kkeymgr_set_timing(knot_kasp_key_t *key, int argc, char *argv[]);
int keymgr_set_timing(knot_kasp_key_t *key, int argc, char *argv[]);
int kkeymgr_list_keys(kdnssec_ctx_t *ctx);
int keymgr_list_keys(kdnssec_ctx_t *ctx);
int kkeymgr_generate_ds(const knot_dname_t *dname, const knot_kasp_key_t *key);
int keymgr_generate_ds(const knot_dname_t *dname, const knot_kasp_key_t *key);
int kkeymgr_share_key(kdnssec_ctx_t *ctx, const knot_kasp_key_t *key,
int keymgr_share_key(kdnssec_ctx_t *ctx, const knot_kasp_key_t *key,
const char *zone_name_ch);
......@@ -20,9 +20,9 @@
#include "knot/dnssec/zone-keys.h"
#include "libknot/libknot.h"
#include "utils/common/params.h"
#include "utils/kkeymgr/functions.h"
#include "utils/keymgr/functions.h"
#define PROGRAM_NAME "kkeymgr"
#define PROGRAM_NAME "keymgr"
static void print_help(void)
{
......@@ -138,8 +138,8 @@ int main(int argc, char *argv[])
break;
case 't':
check_argc_three
int tret = kkeymgr_generate_tsig(argv[2], (argc >= 4 ? argv[3] : "hmac-sha256"),
(argc >= 5 ? atol(argv[4]) : 0));
int tret = keymgr_generate_tsig(argv[2], (argc >= 4 ? argv[3] : "hmac-sha256"),
(argc >= 5 ? atol(argv[4]) : 0));
if (tret != KNOT_EOK) {
printf("Failed to generate TSIG (%s)\n", knot_strerror(tret));
}
......@@ -186,14 +186,14 @@ int main(int argc, char *argv[])
}
if (strcmp(argv[4], "generate") == 0) {
ret = kkeymgr_generate_key(&kctx, argc - 5, argv + 5);
ret = keymgr_generate_key(&kctx, argc - 5, argv + 5);
} else if (strcmp(argv[4], "import-bind") == 0) {
if (argc < 6) {
printf("BIND-style key to import not specified.\n");
ret = KNOT_EINVAL;
goto main_end;
}
ret = kkeymgr_import_bind(&kctx, argv[5]);
ret = keymgr_import_bind(&kctx, argv[5]);
} else if (strcmp(argv[4], "set") == 0) {
if (argc < 6) {
printf("Key is not specified.\n");
......@@ -201,15 +201,15 @@ int main(int argc, char *argv[])
goto main_end;
}
knot_kasp_key_t *key2set;
ret = kkeymgr_get_key(&kctx, argv[5], &key2set);
ret = keymgr_get_key(&kctx, argv[5], &key2set);
if (ret == KNOT_EOK) {
ret = kkeymgr_set_timing(key2set, argc - 6, argv + 6);
ret = keymgr_set_timing(key2set, argc - 6, argv + 6);
if (ret == KNOT_EOK) {
ret = kdnssec_ctx_commit(&kctx);
}
}
} else if (strcmp(argv[4], "list") == 0) {
ret = kkeymgr_list_keys(&kctx);
ret = keymgr_list_keys(&kctx);
} else if (strcmp(argv[4], "ds") == 0) {
if (argc < 6) {
printf("Key is not specified.\n");
......@@ -217,9 +217,9 @@ int main(int argc, char *argv[])
goto main_end;
}
knot_kasp_key_t *key2ds;
ret = kkeymgr_get_key(&kctx, argv[5], &key2ds);
ret = keymgr_get_key(&kctx, argv[5], &key2ds);
if (ret == KNOT_EOK) {
ret = kkeymgr_generate_ds(zone_name, key2ds);
ret = keymgr_generate_ds(zone_name, key2ds);
}
} else if (strcmp(argv[4], "share") == 0) {
if (argc < 6) {
......@@ -235,7 +235,7 @@ int main(int argc, char *argv[])
goto main_end;
}
knot_kasp_key_t *key2del;
ret = kkeymgr_get_key(&kctx, argv[5], &key2del);
ret = keymgr_get_key(&kctx, argv[5], &key2del);
if (ret == KNOT_EOK) {
ret = kdnssec_delete_key(&kctx, key2del);
}
......
......@@ -5,7 +5,7 @@
set -xe
KKEYMGR=${1:-kkeymgr}
KEYMGR=${1:-keymgr}
keydir=$(pwd)/keys
rm -rf "${keydir}"
......@@ -21,68 +21,68 @@ pushd "$keydir"
#
# KSK+ZSK, simple
"$KKEYMGR" -d . rsa. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KKEYMGR" -d . rsa. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KEYMGR" -d . rsa. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . rsa. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
# KSK+ZSK, two algorithms
"$KKEYMGR" -d . rsa_ecdsa. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KKEYMGR" -d . rsa_ecdsa. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KKEYMGR" -d . rsa_ecdsa. generate algorithm=13 size=256 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KKEYMGR" -d . rsa_ecdsa. generate algorithm=13 size=256 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KEYMGR" -d . rsa_ecdsa. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . rsa_ecdsa. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KEYMGR" -d . rsa_ecdsa. generate algorithm=13 size=256 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . rsa_ecdsa. generate algorithm=13 size=256 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
# KSK+ZSK: RSA enabled, ECDSA in future
"$KKEYMGR" -d . rsa_now_ecdsa_future. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KKEYMGR" -d . rsa_now_ecdsa_future. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KKEYMGR" -d . rsa_now_ecdsa_future. generate algorithm=13 size=256 publish="$TIME_FUTURE" active="$TIME_FUTURE" ksk=True
"$KKEYMGR" -d . rsa_now_ecdsa_future. generate algorithm=13 size=256 publish="$TIME_FUTURE" active="$TIME_FUTURE" ksk=False
"$KEYMGR" -d . rsa_now_ecdsa_future. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . rsa_now_ecdsa_future. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KEYMGR" -d . rsa_now_ecdsa_future. generate algorithm=13 size=256 publish="$TIME_FUTURE" active="$TIME_FUTURE" ksk=True
"$KEYMGR" -d . rsa_now_ecdsa_future. generate algorithm=13 size=256 publish="$TIME_FUTURE" active="$TIME_FUTURE" ksk=False
# KSK+ZSK, algorithm rollover (signatures pre-published)
"$KKEYMGR" -d . rsa_ecdsa_roll. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KKEYMGR" -d . rsa_ecdsa_roll. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KKEYMGR" -d . rsa_ecdsa_roll. generate algorithm=13 size=256 publish="$TIME_FUTURE" active="$TIME_PAST" ksk=True
"$KKEYMGR" -d . rsa_ecdsa_roll. generate algorithm=13 size=256 publish="$TIME_FUTURE" active="$TIME_PAST" ksk=False
"$KEYMGR" -d . rsa_ecdsa_roll. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . rsa_ecdsa_roll. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KEYMGR" -d . rsa_ecdsa_roll. generate algorithm=13 size=256 publish="$TIME_FUTURE" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . rsa_ecdsa_roll. generate algorithm=13 size=256 publish="$TIME_FUTURE" active="$TIME_PAST" ksk=False
# STSS: KSK only
"$KKEYMGR" -d . stss_ksk. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . stss_ksk. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
# STSS: ZSK only
"$KKEYMGR" -d . stss_zsk. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KEYMGR" -d . stss_zsk. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
# STSS: two KSKs
"$KKEYMGR" -d . stss_two_ksk. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KKEYMGR" -d . stss_two_ksk. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . stss_two_ksk. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . stss_two_ksk. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
# STSS: different algorithms
"$KKEYMGR" -d . stss_rsa256_rsa512. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KKEYMGR" -d . stss_rsa256_rsa512. generate algorithm=10 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KEYMGR" -d . stss_rsa256_rsa512. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . stss_rsa256_rsa512. generate algorithm=10 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
# KSK+ZSK for RSA, STSS for ECDSA
"$KKEYMGR" -d . rsa_split_ecdsa_stss. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KKEYMGR" -d . rsa_split_ecdsa_stss. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KKEYMGR" -d . rsa_split_ecdsa_stss. generate algorithm=13 size=256 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . rsa_split_ecdsa_stss. generate algorithm=8 size=2048 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . rsa_split_ecdsa_stss. generate algorithm=8 size=1024 publish="$TIME_PAST" active="$TIME_PAST" ksk=False
"$KEYMGR" -d . rsa_split_ecdsa_stss. generate algorithm=13 size=256 publish="$TIME_PAST" active="$TIME_PAST" ksk=True
#
# invalid scenarios
#
# no key for now
"$KKEYMGR" -d . rsa_future_all. generate algorithm=8 size=2048 publish="$TIME_FUTURE" active="$TIME_FUTURE" ksk=True
"$KKEYMGR" -d . rsa_future_all. generate algorithm=8 size=1024 publish="$TIME_FUTURE" active="$TIME_FUTURE" ksk=False
"$KEYMGR" -d . rsa_future_all. generate algorithm=8 size=2048 publish="$TIME_FUTURE" active="$TIME_FUTURE" ksk=True
"$KEYMGR" -d . rsa_future_all. generate algorithm=8 size=1024 publish="$TIME_FUTURE" active="$TIME_FUTURE" ksk=False
# key active, not published
"$KKEYMGR" -d . rsa_future_publish. generate algorithm=8 size=2048 publish="$TIME_FUTURE" active="$TIME_PAST" ksk=True
"$KKEYMGR" -d . rsa_future_publish. generate algorithm=8 size=1024 publish="$TIME_FUTURE" active="$TIME_PAST" ksk=False
"$KEYMGR" -d . rsa_future_publish. generate algorithm=8 size=2048 publish="$TIME_FUTURE" active="$TIME_PAST" ksk=True
"$KEYMGR" -d . rsa_future_publish. generate algorithm=8 size=1024 publish="$TIME_FUTURE" active="$TIME_PAST" ksk=False
# key published, not active