Commit 98e7ba45 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

keymgr: implemented NSEC3 salt read/write

parent 16c0d19a
......@@ -101,6 +101,10 @@ Imports a DNSSEC key from PKCS #11 storage. The key parameters (same as for the
specified (mainly algorithm, timers...) because they are not available. In fact, no key
data is imported, only KASP database metadata is created.
.TP
\fBnsec3\-salt\fP [\fInew_salt\fP]
Prints the current NSEC3 salt used for signing. If \fInew_salt\fP is specified, the salt is overwritten.
The salt is printed and expected in hexadecimal, or dash if empty.
.TP
\fBset\fP \fIkey_spec\fP [\fIarguments\fP\&...]
Changes a timing argument (or ksk/zsk) of an existing key to a new value. \fIKey_spec\fP is either the
key tag or a prefix of the key ID; \fIarguments\fP are like for \fBgenerate\fP, but just the related ones.
......
......@@ -78,6 +78,10 @@ Commands
specified (mainly algorithm, timers...) because they are not available. In fact, no key
data is imported, only KASP database metadata is created.
**nsec3-salt** [*new_salt*]
Prints the current NSEC3 salt used for signing. If *new_salt* is specified, the salt is overwritten.
The salt is printed and expected in hexadecimal, or dash if empty.
**set** *key_spec* [*arguments*...]
Changes a timing argument (or ksk/zsk) of an existing key to a new value. *Key_spec* is either the
key tag or a prefix of the key ID; *arguments* are like for **generate**, but just the related ones.
......
......@@ -24,6 +24,7 @@
#include "utils/keymgr/bind_privkey.h"
#include "contrib/base64.h"
#include "contrib/ctype.h"
#include "contrib/string.h"
#include "contrib/strtonum.h"
#include "contrib/tolower.h"
#include "contrib/wire_ctx.h"
......@@ -553,6 +554,53 @@ int keymgr_import_pkcs11(kdnssec_ctx_t *ctx, const char *key_id, int argc, char
return import_key(ctx, KEYSTORE_BACKEND_PKCS11, key_id, argc, argv);
}
int keymgr_nsec3_salt(kdnssec_ctx_t *ctx, const char *new_salt)
{
dnssec_binary_t salt_bin;
knot_time_t created;
int ret = kasp_db_load_nsec3salt(*ctx->kasp_db, ctx->zone->dname,
&salt_bin, &created);
switch (ret) {
case KNOT_EOK:
printf("Current salt: ");
if (salt_bin.size == 0) {
printf("-");
}
for (size_t i = 0; i < salt_bin.size; i++) {
printf("%02X", (unsigned)salt_bin.data[i]);
}
printf("\n");
free(salt_bin.data);
break;
case KNOT_ENOENT:
printf("-- no salt --\n");
ret = KNOT_EOK;
break;
}
if (ret == KNOT_EOK && new_salt != NULL) {
if (strcmp(new_salt, "-") == 0) {
salt_bin.size = 0;
} else {
salt_bin.data = hex_to_bin(new_salt, &salt_bin.size);
if (salt_bin.data == NULL) {
return KNOT_EMALF;
}
}
if (salt_bin.size != ctx->policy->nsec3_salt_length) {
printf("Warning: specified salt doesn't match configured "
"salt length (%d).\n",
(int)ctx->policy->nsec3_salt_length);
}
ret = kasp_db_store_nsec3salt(*ctx->kasp_db, ctx->zone->dname,
&salt_bin, created);
if (salt_bin.size > 0) {
free(salt_bin.data);
}
}
return ret;
}
static void print_tsig(dnssec_tsig_algorithm_t mac, const char *name,
const dnssec_binary_t *secret)
{
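Review bot: `created` is read uninitialised on the `KNOT_ENOENT` path of keymgr_nsec3_salt: `kasp_db_load_nsec3salt()` only fills it when it returns `KNOT_EOK`, yet the store call `kasp_db_store_nsec3salt(..., &salt_bin, created)` is reached after the ENOENT case as well, so a zone that has no salt yet stores an indeterminate creation time for its first one. `salt_bin.data` has the same problem — uninitialised after ENOENT, and dangling after the `free()` in the `KNOT_EOK` case — and is then handed to the store call when `new_salt` is `"-"` with `size` forced to 0. I'd initialise both declarations, `dnssec_binary_t salt_bin = { 0 };` and `knot_time_t created = 0;` (or the current time, if that is the intended creation stamp for a brand-new salt), and clear the pointer after freeing, e.g. `free(salt_bin.data); salt_bin.data = NULL;`. The `switch` also lacks a `default`, so other load errors silently fall through to `return ret`; that is the intended behaviour but a `default: break;` would make it explicit.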
......
......@@ -28,6 +28,8 @@ int keymgr_import_pem(kdnssec_ctx_t *ctx, const char *import_file, int argc, cha
int keymgr_import_pkcs11(kdnssec_ctx_t *ctx, const char *key_id, int argc, char *argv[]);
int keymgr_nsec3_salt(kdnssec_ctx_t *ctx, const char *new_salt);
int keymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits);
int keymgr_get_key(kdnssec_ctx_t *ctx, const char *key_spec, knot_kasp_key_t **key);
......
......@@ -61,6 +61,8 @@ static void print_help(void)
" (syntax: import-pem <pem_file_path> <attribute_name>=<value>...)\n"
" import-pkcs11 Import key stored in PKCS11 storage. Specify its parameters manually.\n"
" (syntax: import-pkcs11 <key_id> <attribute_name>=<value>...)\n"
" nsec3-salt Print current NSEC3 salt. If parameter is specified, set new salt.\n"
" (syntax: nsec3salt [<new_salt>])\n"
" ds Generate DS record(s) for specified key.\n"
" (syntax: ds <key_spec>)\n"
" dnskey Generate DNSKEY record for specified key.\n"
......@@ -158,6 +160,9 @@ static int key_command(int argc, char *argv[], int opt_ind)
} else if (strcmp(argv[1], "import-pkcs11") == 0) {
CHECK_MISSING_ARG("Key ID to import not specified");
ret = keymgr_import_pkcs11(&kctx, argv[2], argc - 3, argv + 3);
} else if (strcmp(argv[1], "nsec3-salt") == 0) {
ret = keymgr_nsec3_salt(&kctx, argc > 2 ? argv[2] : NULL);
print_ok_on_succes = false;
} else if (strcmp(argv[1], "set") == 0) {
CHECK_MISSING_ARG("Key is not specified");
knot_kasp_key_t *key2set;
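Review bot: The usage line added to print_help spells the command `nsec3salt`, while key_command below (and the new man-page entry) match on `"nsec3-salt"`, so the help text advertises a name the dispatcher rejects; it should read `" (syntax: nsec3-salt [<new_salt>])\n"`. The dispatcher change itself looks consistent with its neighbours, passing `NULL` when no salt argument is given so the read-only path is taken. Both enclosing functions start and end outside the shown hunks.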
......