Commit 4feaa542 authored by Daniel Salzman

keymgr: add import-pkcs11 function

parent 37f32322
......@@ -96,6 +96,11 @@ Takes one argument: path to BIND public key file.
Imports a DNSSEC key from PEM file. The key parameters (same as for the generate action) need to be
specified (mainly algorithm, timers...) because they are not contained in the PEM format.
.TP
\fBimport\-pkcs11\fP \fIkey_id\fP [\fIarguments\fP\&...]
Imports a DNSSEC key from PKCS #11 storage. The key parameters (same as for the generate action) need to be
specified (mainly algorithm, timers...) because they are not available. In fact, no key
data is imported, only KASP database metadata is created.
.TP
\fBset\fP \fIkey_spec\fP [\fIarguments\fP\&...]
Changes a timing argument of an existing key to a new timestamp. \fIKey_spec\fP is either the
key tag or a prefix of the key ID; \fIarguments\fP are like for \fBgenerate\fP, but just the
......@@ -73,6 +73,11 @@ Commands
Imports a DNSSEC key from PEM file. The key parameters (same as for the generate action) need to be
specified (mainly algorithm, timers...) because they are not contained in the PEM format.
**import-pkcs11** *key_id* [*arguments*...]
Imports a DNSSEC key from PKCS #11 storage. The key parameters (same as for the generate action) need to be
specified (mainly algorithm, timers...) because they are not available. In fact, no key
data is imported, only KASP database metadata is created.
**set** *key_spec* [*arguments*...]
Changes a timing argument of an existing key to a new timestamp. *Key_spec* is either the
key tag or a prefix of the key ID; *arguments* are like for **generate**, but just the
......@@ -477,6 +477,70 @@ fail:
return knot_error_from_libdnssec(ret);
}
int keymgr_import_pkcs11(kdnssec_ctx_t *ctx, const char *keyid, int argc, char *argv[])
{
if (ctx == NULL || keyid == NULL) {
return KNOT_EINVAL;
}
// parse params
knot_time_t now = knot_time();
knot_kasp_key_timing_t timing = { .publish = now, .active = now };
bool isksk = false, iszsk = false;
uint16_t keysize = 0;
if (!genkeyargs(argc, argv, false, &isksk, &iszsk, &ctx->policy->algorithm,
&keysize, &timing, NULL)) {
return KNOT_EINVAL;
}
dnssec_key_t *key = NULL;
// create dnssec key
int ret = dnssec_key_new(&key);
if (ret != DNSSEC_EOK) {
goto fail;
}
ret = dnssec_key_set_dname(key, ctx->zone->dname);
if (ret != DNSSEC_EOK) {
goto fail;
}
dnssec_key_set_flags(key, dnskey_flags(isksk));
dnssec_key_set_algorithm(key, ctx->policy->algorithm);
// fill key structure from keystore (incl. pubkey from privkey computation)
ret = dnssec_key_import_keystore(key, ctx->keystore, keyid);
if (ret != DNSSEC_EOK) {
goto fail;
}
// allocate kasp key
knot_kasp_key_t *kkey = calloc(1, sizeof(*kkey));
if (kkey == NULL) {
ret = KNOT_ENOMEM;
goto fail;
}
kkey->id = strdup(keyid);
kkey->key = key;
kkey->timing = timing;
kkey->is_ksk = isksk;
kkey->is_zsk = iszsk;
// append to zone
ret = kasp_zone_append(ctx->zone, kkey);
free(kkey);
if (ret != KNOT_EOK) {
goto fail;
}
ret = kdnssec_ctx_commit(ctx);
if (ret == KNOT_EOK) {
printf("%s\n", keyid);
return KNOT_EOK;
}
fail:
dnssec_key_free(key);
return knot_error_from_libdnssec(ret);
}
static void print_tsig(dnssec_tsig_algorithm_t mac, const char *name,
const dnssec_binary_t *secret)
{
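Review bot: `kkey->id = strdup(keyid);` in the "allocate kasp key" step is unchecked, so on allocation failure a KASP key with a NULL id is appended to the zone and committed to the database. Mirror the calloc check just above it: `kkey->id = strdup(keyid);` followed by `if (kkey->id == NULL) { free(kkey); ret = KNOT_ENOMEM; goto fail; }`. The shared `fail:` label then routes KNOT_ENOMEM and the KNOT_ codes from kasp_zone_append and kdnssec_ctx_commit through knot_error_from_libdnssec, which matches the keymgr_import_pem epilogue visible at the top of the hunk, so presumably that helper passes KNOT_ codes through unchanged — worth confirming rather than assuming. When kdnssec_ctx_commit fails, the key has already been handed to kasp_zone_append yet the fail path calls dnssec_key_free(key); unless kasp_zone_append copies the dnssec_key_t, ctx->zone is left holding a freed pointer, so a comment at that call stating the ownership contract, e.g. `// zone takes ownership of key; kkey itself is copied, so it is freed here`, would make the cleanup path auditable.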
......@@ -22,6 +22,8 @@ int keymgr_import_bind(kdnssec_ctx_t *ctx, const char *import_file, bool pub_onl
int keymgr_import_pem(kdnssec_ctx_t *ctx, const char *import_file, int argc, char *argv[]);
int keymgr_import_pkcs11(kdnssec_ctx_t *ctx, const char *keyid, int argc, char *argv[]);
int keymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits);
int keymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **key);
......@@ -48,25 +48,27 @@ static void print_help(void)
" -V, --version Print the program version.\n"
"\n"
"Commands:\n"
" list List all zone's DNSSEC keys.\n"
" generate Generate new DNSSEC key.\n"
" (syntax: generate <attribute_name>=<value>...)\n"
" import-bind Import BIND-style key file pair (.key + .private).\n"
" (syntax: import-bind <key_file_name>)\n"
" import-pub Import public-only key to be published in the zone (in BIND .key format).\n"
" (syntax: import-pub <key_file_name>)\n"
" import-pem Import key in PEM format. Specify its parameters manually.\n"
" (syntax: import-pem <pem_file_path> <attribute_name>=<value>...)\n"
" ds Generate DS record(s) for specified key.\n"
" (syntax: ds <key_spec>)\n"
" dnskey Generate DNSKEY record for specified key.\n"
" (syntax: dnskey <key_spec>)\n"
" share Share an existing key of another zone with the specified zone.\n"
" (syntax: share <full_key_ID>\n"
" delete Remove the specified key from zone.\n"
" (syntax: delete <key_spec>)\n"
" set Set existing key's timing attribute.\n"
" (syntax: set <key_spec> <attribute_name>=<value>...)\n"
" list List all zone's DNSSEC keys.\n"
" generate Generate new DNSSEC key.\n"
" (syntax: generate <attribute_name>=<value>...)\n"
" import-bind Import BIND-style key file pair (.key + .private).\n"
" (syntax: import-bind <key_file_name>)\n"
" import-pub Import public-only key to be published in the zone (in BIND .key format).\n"
" (syntax: import-pub <key_file_name>)\n"
" import-pem Import key in PEM format. Specify its parameters manually.\n"
" (syntax: import-pem <pem_file_path> <attribute_name>=<value>...)\n"
" import-pkcs11 Import key stored in PKCS11 storage. Specify its parameters manually.\n"
" (syntax: import-pkcs11 <key_id> <attribute_name>=<value>...)\n"
" ds Generate DS record(s) for specified key.\n"
" (syntax: ds <key_spec>)\n"
" dnskey Generate DNSKEY record for specified key.\n"
" (syntax: dnskey <key_spec>)\n"
" share Share an existing key of another zone with the specified zone.\n"
" (syntax: share <full_key_ID>\n"
" delete Remove the specified key from zone.\n"
" (syntax: delete <key_spec>)\n"
" set Set existing key's timing attribute.\n"
" (syntax: set <key_spec> <attribute_name>=<value>...)\n"
"\n"
"Key specification:\n"
" either the key tag (number) or [a prefix of] key ID.\n"
......@@ -134,6 +136,9 @@ static int key_command(int argc, char *argv[], int optind)
} else if (strcmp(argv[1], "import-pem") == 0) {
CHECK_MISSING_ARG("PEM file to import not specified");
ret = keymgr_import_pem(&kctx, argv[2], argc - 3, argv + 3);
} else if (strcmp(argv[1], "import-pkcs11") == 0) {
CHECK_MISSING_ARG("Key ID to import not specified");
ret = keymgr_import_pkcs11(&kctx, argv[2], argc - 3, argv + 3);
} else if (strcmp(argv[1], "set") == 0) {
CHECK_MISSING_ARG("Key is not specified");
knot_kasp_key_t *key2set;