Commit b11d8186 authored by Libor Peltan's avatar Libor Peltan

introduced kkeymgr for manipulating KASP db

parent 98020d0b
...@@ -75,6 +75,7 @@ ...@@ -75,6 +75,7 @@
/src/keymgr /src/keymgr
/src/khost /src/khost
/src/kjournalprint /src/kjournalprint
/src/kkeymgr
/src/knot1to2 /src/knot1to2
/src/knotc /src/knotc
/src/knotd /src/knotd
...@@ -503,6 +503,11 @@ src/utils/khost/khost_main.c ...@@ -503,6 +503,11 @@ src/utils/khost/khost_main.c
src/utils/khost/khost_params.c src/utils/khost/khost_params.c
src/utils/khost/khost_params.h src/utils/khost/khost_params.h
src/utils/kjournalprint/main.c src/utils/kjournalprint/main.c
src/utils/kkeymgr/bind_privkey.c
src/utils/kkeymgr/bind_privkey.h
src/utils/kkeymgr/functions.c
src/utils/kkeymgr/functions.h
src/utils/kkeymgr/main.c
src/utils/knot1to2/cf-lex.c src/utils/knot1to2/cf-lex.c
src/utils/knot1to2/cf-lex.l src/utils/knot1to2/cf-lex.l
src/utils/knot1to2/cf-parse.tab.c src/utils/knot1to2/cf-parse.tab.c
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
# sphinx-build manpages # sphinx-build manpages
/man/kdig.1 /man/kdig.1
/man/keymgr.8 /man/keymgr.8
/man/kkeymgr.8
/man/pykeymgr.8 /man/pykeymgr.8
/man/khost.1 /man/khost.1
/man/kjournalprint.1 /man/kjournalprint.1
MANPAGES_IN = man/knot.conf.5in man/knotc.8in man/knotd.8in man/kdig.1in man/khost.1in man/kjournalprint.1in man/knsupdate.1in man/knot1to2.1in man/knsec3hash.1in man/keymgr.8in man/pykeymgr.8in man/kzonecheck.1in MANPAGES_IN = man/knot.conf.5in man/knotc.8in man/knotd.8in man/kdig.1in man/khost.1in man/kjournalprint.1in man/knsupdate.1in man/knot1to2.1in man/knsec3hash.1in man/keymgr.8in man/kkeymgr.8in man/pykeymgr.8in man/kzonecheck.1in
MANPAGES_RST = reference.rst man_knotc.rst man_knotd.rst man_kdig.rst man_khost.rst man_kjournalprint.rst man_knsupdate.rst man_knot1to2.rst man_knsec3hash.rst man_keymgr.rst man_pykeymgr.rst man_kzonecheck.rst MANPAGES_RST = reference.rst man_knotc.rst man_knotd.rst man_kdig.rst man_khost.rst man_kjournalprint.rst man_knsupdate.rst man_knot1to2.rst man_knsec3hash.rst man_keymgr.rst man_kkeymgr.rst man_pykeymgr.rst man_kzonecheck.rst
EXTRA_DIST = \ EXTRA_DIST = \
conf.py \ conf.py \
...@@ -62,7 +62,7 @@ man_MANS += man/knot.conf.5 man/knotc.8 man/knotd.8 ...@@ -62,7 +62,7 @@ man_MANS += man/knot.conf.5 man/knotc.8 man/knotd.8
endif # HAVE_DAEMON endif # HAVE_DAEMON
if HAVE_UTILS if HAVE_UTILS
man_MANS += man/kdig.1 man/khost.1 man/kjournalprint.1 man/knsupdate.1 man/knot1to2.1 man/knsec3hash.1 man/keymgr.8 man/pykeymgr.8 man/kzonecheck.1 man_MANS += man/kdig.1 man/khost.1 man/kjournalprint.1 man/knsupdate.1 man/knot1to2.1 man/knsec3hash.1 man/keymgr.8 man/kkeymgr.8 man/pykeymgr.8 man/kzonecheck.1
endif # HAVE_UTILS endif # HAVE_UTILS
man/knot.conf.5: man/knot.conf.5in man/knot.conf.5: man/knot.conf.5in
...@@ -75,6 +75,7 @@ man/knsupdate.1: man/knsupdate.1in ...@@ -75,6 +75,7 @@ man/knsupdate.1: man/knsupdate.1in
man/knot1to2.1: man/knot1to2.1in man/knot1to2.1: man/knot1to2.1in
man/knsec3hash.1: man/knsec3hash.1in man/knsec3hash.1: man/knsec3hash.1in
man/keymgr.8: man/keymgr.8in man/keymgr.8: man/keymgr.8in
man/kkeymgr.8: man/kkeymgr.8in
man/pykeymgr.8: man/pykeymgr.8in man/pykeymgr.8: man/pykeymgr.8in
man/kzonecheck.1: man/kzonecheck.1in man/kzonecheck.1: man/kzonecheck.1in
...@@ -221,6 +221,7 @@ man_pages = [ ...@@ -221,6 +221,7 @@ man_pages = [
('reference', 'knot.conf', 'Knot DNS configuration file', author, 5), ('reference', 'knot.conf', 'Knot DNS configuration file', author, 5),
('man_kdig', 'kdig', 'Advanced DNS lookup utility', author, 1), ('man_kdig', 'kdig', 'Advanced DNS lookup utility', author, 1),
('man_keymgr', 'keymgr', ' DNSSEC key management utility', author, 8), ('man_keymgr', 'keymgr', ' DNSSEC key management utility', author, 8),
('man_kkeymgr', 'kkeymgr', ' DNSSEC key management utility', author, 8),
('man_pykeymgr', 'pykeymgr', ' DNSSEC key management utility', author, 8), ('man_pykeymgr', 'pykeymgr', ' DNSSEC key management utility', author, 8),
('man_khost', 'khost', 'Simple DNS lookup utility', author, 1), ('man_khost', 'khost', 'Simple DNS lookup utility', author, 1),
('man_kjournalprint', 'kjournalprint', 'Knot DNS journal print utility', author, 1), ('man_kjournalprint', 'kjournalprint', 'Knot DNS journal print utility', author, 1),
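Review bot: The new `man_pages` entry copies the keymgr line verbatim, including the stray leading space in the description and the exact same wording as both `keymgr` and `pykeymgr`, so the three tools become indistinguishable in the generated NAME sections and in apropos-style indexes. Suggest `('man_kkeymgr', 'kkeymgr', 'DNSSEC key management utility', author, 8),` without the leading space, ideally with a description that says how it differs from the other two (the man page body in this commit only calls it a "key management utility", so the distinction is not visible here).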
...@@ -88,7 +88,7 @@ Access control list (ACL) ...@@ -88,7 +88,7 @@ Access control list (ACL)
An ACL list specifies which remotes are allowed to send the server a specific An ACL list specifies which remotes are allowed to send the server a specific
request. A remote can be a single IP address or a network subnet. Also a TSIG request. A remote can be a single IP address or a network subnet. Also a TSIG
key can be assigned (see :doc:`keymgr <man_keymgr>` how to generate a TSIG key). key can be assigned (see :doc:`kkeymgr <man_kkeymgr>` how to generate a TSIG key).
With no ACL rule, all the actions are denied for the zone. Each ACL rule With no ACL rule, all the actions are denied for the zone. Each ACL rule
can allow one or more actions for given address/subnet/TSIG, or deny them. can allow one or more actions for given address/subnet/TSIG, or deny them.
...@@ -361,7 +361,7 @@ with manual key management flag has to be set:: ...@@ -361,7 +361,7 @@ with manual key management flag has to be set::
dnssec-signing: on dnssec-signing: on
dnssec-policy: manual dnssec-policy: manual
To generate signing keys, use the :doc:`keymgr <man_keymgr>` utility. To generate signing keys, use the :doc:`kkeymgr <man_kkeymgr>` utility.
Let's use the Single-Type Signing scheme with two algorithms. Run: Let's use the Single-Type Signing scheme with two algorithms. Run:
.. code-block:: console .. code-block:: console
.\" Man page generated from reStructuredText.
.
.TH "KKEYMGR" "8" "@RELEASE_DATE@" "@VERSION@" "Knot DNS"
.SH NAME
kkeymgr \- DNSSEC key management utility
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.sp
\fBkkeymgr\fP \fIbasic_option\fP [\fIparameters\fP\&...]
.sp
\fBkkeymgr\fP \fIconfig_option\fP \fIconfig_storage\fP \fIzone_name\fP \fIaction\fP \fIparameters\fP\&...
.SH DESCRIPTION
.sp
The \fBkkeymgr\fP utility serves for key management in Knot DNS server.
.sp
Functions for DNSSEC keys and KASP (Key And Signature Policy)
management are provided.
.sp
The DNSSEC and KASP configuration is stored in a so called KASP database.
The databse is backed by LMDB.
.SS Basic options
.INDENT 0.0
.TP
\fB\-h\fP
Print the program help.
.TP
\fB\-t\fP [\fItsig_algorithm\fP] [\fItsig_bits\fP]
Generates TSIG key. TSIG algorithm can be specified by string (default: hmac\-sha256),
bit length of the key by number (default: optimal length given by algorithm).
.UNINDENT
.SS Config options
.INDENT 0.0
.TP
\fB\-d\fP
Use KASP database directory specified by config_storage.
.TP
\fB\-c\fP
Determine KASP database location from Knot DNS configuration file, specified
by config_storage.
.TP
\fB\-C\fP
Determine KASP database location from Knot DNS configuration database,
specified by config_storage.
.UNINDENT
.SS Actions
.INDENT 0.0
.TP
\fBgenerate\fP [\fIarguments\fP\&...]
Generates new DNSSEC key and stores it in KASP database. Prints the key ID.
This action takes some number of arguments (see below). Values for unspecified arguments are taken
from corresponding policy (if \fI\-c\fP or \fI\-C\fP options used) or from Knot policy defaults.
.TP
\fBimport\-bind\fP \fIBIND_key_file\fP
Imports a BIND\-style key into KASP database (converting it to PEM format).
Takes one argument: path to BIND key file (private or public, but both MUST exist).
.UNINDENT
.SS Generate arguments
.sp
Arguments are separated by space, each of them is in format \(aqname=value\(aq.
.INDENT 0.0
.TP
\fBalgorithm\fP
Either an algorithm number (e.g. 14), or text name without dashes (e.g. ECDSAP384SHA384).
.TP
\fBsize\fP
Key length in bits.
.TP
\fBksk\fP
Either \(aqtrue\(aq (KSK will be generated) or \(aqfalse\(aq (ZSK wil be generated).
.TP
\fBcreated\fP
Timestamp of key creation.
.TP
\fBpublish\fP
Timestamp for key to be published.
.TP
\fBactive\fP
Timestamp for key to be activated.
.TP
\fBretire\fP
Timestamp for key to be de\-activated.
.TP
\fBremove\fP
Timestamp for key ot be deleted.
.UNINDENT
.SS Timestamps
.INDENT 0.0
.TP
\fIUNIX_time\fP
Positive number of seconds since 1970.
.TP
\fIYYYYMMDDHHMMSS\fP
Date and time in this format without any punctuation.
.TP
\fIrelative_timestamp\fP
The word "now" followed by sign (+, \-), a number and a shortcut for time unit
(y, mo, d, h, mi, (nothing = seconds)), e.g. now+1mi, now\-2mo, now+10,
now+0, now\-1y, ...
.UNINDENT
.SH EXAMPLES
.INDENT 0.0
.IP 1. 3
Generate TSIG key:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ kkeymgr \-t my_name hmac\-sha384
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 2. 3
Import a key from BIND:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ kkeymgr \-d ${knot_data_dir}/keys example.com. import\-bind ~/bind/Kharbinge4d5.+007+63089.key
.ft P
.fi
.UNINDENT
.UNINDENT
.IP 3. 3
Generate new key:
.INDENT 3.0
.INDENT 3.5
.sp
.nf
.ft C
$ kkeymgr \-c ${knot_data_dir}/knot.conf example.com. generate algorithm=ECDSAP256SHA256 size=256 \e
ksk=true created=1488034625 publish=20170223205611 retire=now+10mo remove=now+1y
.ft P
.fi
.UNINDENT
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
\fI\%RFC 6781\fP \- DNSSEC Operational Practices.
.sp
\fBknot.conf(5)\fP,
\fBknotc(8)\fP,
\fBknotd(8)\fP\&.
.SH AUTHOR
CZ.NIC Labs <http://www.knot-dns.cz>
.SH COPYRIGHT
Copyright 2010–2017, CZ.NIC, z.s.p.o.
.\" Generated by docutils manpage writer.
.
.. highlight:: console
kkeymgr – Key management utility
=================================
Synopsis
--------
:program:`kkeymgr` *basic_option* [*parameters*...]
:program:`kkeymgr` *config_option* *config_storage* *zone_name* *action* *parameters*...
Description
-----------
The :program:`kkeymgr` utility serves for key management in Knot DNS server.
Functions for DNSSEC keys and KASP (Key And Signature Policy)
management are provided.
The DNSSEC and KASP configuration is stored in a so called KASP database.
The databse is backed by LMDB.
Basic options
..............
**-h**
Print the program help.
**-t** [*tsig_algorithm*] [*tsig_bits*]
Generates TSIG key. TSIG algorithm can be specified by string (default: hmac-sha256),
bit length of the key by number (default: optimal length given by algorithm).
Config options
..............
**-d**
Use KASP database directory specified by config_storage.
**-c**
Determine KASP database location from Knot DNS configuration file, specified
by config_storage.
**-C**
Determine KASP database location from Knot DNS configuration database,
specified by config_storage.
Actions
.......
**generate** [*arguments*...]
Generates new DNSSEC key and stores it in KASP database. Prints the key ID.
This action takes some number of arguments (see below). Values for unspecified arguments are taken
from corresponding policy (if *-c* or *-C* options used) or from Knot policy defaults.
**import-bind** *BIND_key_file*
Imports a BIND-style key into KASP database (converting it to PEM format).
Takes one argument: path to BIND key file (private or public, but both MUST exist).
Generate arguments
..................
Arguments are separated by space, each of them is in format 'name=value'.
**algorithm**
Either an algorithm number (e.g. 14), or text name without dashes (e.g. ECDSAP384SHA384).
**size**
Key length in bits.
**ksk**
Either 'true' (KSK will be generated) or 'false' (ZSK wil be generated).
**created**
Timestamp of key creation.
**publish**
Timestamp for key to be published.
**active**
Timestamp for key to be activated.
**retire**
Timestamp for key to be de-activated.
**remove**
Timestamp for key ot be deleted.
Timestamps
..........
*UNIX_time*
Positive number of seconds since 1970.
*YYYYMMDDHHMMSS*
Date and time in this format without any punctuation.
*relative_timestamp*
The word "now" followed by sign (+, -), a number and a shortcut for time unit
(y, mo, d, h, mi, (nothing = seconds)), e.g. now+1mi, now-2mo, now+10,
now+0, now-1y, ...
Examples
--------
1. Generate TSIG key::
$ kkeymgr -t my_name hmac-sha384
2. Import a key from BIND::
$ kkeymgr -d ${knot_data_dir}/keys example.com. import-bind ~/bind/Kharbinge4d5.+007+63089.key
3. Generate new key::
$ kkeymgr -c ${knot_data_dir}/knot.conf example.com. generate algorithm=ECDSAP256SHA256 size=256 \
ksk=true created=1488034625 publish=20170223205611 retire=now+10mo remove=now+1y
See Also
--------
:rfc:`6781` - DNSSEC Operational Practices.
:manpage:`knot.conf(5)`,
:manpage:`knotc(8)`,
:manpage:`knotd(8)`.
...@@ -12,6 +12,7 @@ the server. This section collects manual pages for all provided binaries: ...@@ -12,6 +12,7 @@ the server. This section collects manual pages for all provided binaries:
man_kdig man_kdig
man_keymgr man_keymgr
man_kkeymgr
man_pykeymgr man_pykeymgr
man_khost man_khost
man_kjournalprint man_kjournalprint
...@@ -512,7 +512,7 @@ if HAVE_UTILS ...@@ -512,7 +512,7 @@ if HAVE_UTILS
bin_PROGRAMS = kdig khost knsec3hash knsupdate bin_PROGRAMS = kdig khost knsec3hash knsupdate
if HAVE_DAEMON if HAVE_DAEMON
bin_PROGRAMS += kzonecheck kjournalprint bin_PROGRAMS += kzonecheck kjournalprint kkeymgr
endif # HAVE_DAEMON endif # HAVE_DAEMON
kdig_SOURCES = \ kdig_SOURCES = \
...@@ -550,6 +550,13 @@ kzonecheck_SOURCES = \ ...@@ -550,6 +550,13 @@ kzonecheck_SOURCES = \
kjournalprint_SOURCES = \ kjournalprint_SOURCES = \
utils/kjournalprint/main.c utils/kjournalprint/main.c
kkeymgr_SOURCES = \
utils/kkeymgr/bind_privkey.c \
utils/kkeymgr/bind_privkey.h \
utils/kkeymgr/functions.c \
utils/kkeymgr/functions.h \
utils/kkeymgr/main.c
# bin programs # bin programs
kdig_CPPFLAGS = $(AM_CPPFLAGS) $(gnutls_CFLAGS) kdig_CPPFLAGS = $(AM_CPPFLAGS) $(gnutls_CFLAGS)
kdig_LDADD = $(libidn_LIBS) libknotus.la kdig_LDADD = $(libidn_LIBS) libknotus.la
...@@ -562,6 +569,9 @@ knsec3hash_LDADD = dnssec/libdnssec.la dnssec/libshared.la ...@@ -562,6 +569,9 @@ knsec3hash_LDADD = dnssec/libdnssec.la dnssec/libshared.la
kzonecheck_LDADD = libknotd.la libcontrib.la kzonecheck_LDADD = libknotd.la libcontrib.la
kjournalprint_CPPFLAGS = $(AM_CPPFLAGS) $(gnutls_CFLAGS) $(liburcu_CFLAGS) kjournalprint_CPPFLAGS = $(AM_CPPFLAGS) $(gnutls_CFLAGS) $(liburcu_CFLAGS)
kjournalprint_LDADD = $(libidn_LIBS) $(liburcu_LIBS) libknotd.la libcontrib.la kjournalprint_LDADD = $(libidn_LIBS) $(liburcu_LIBS) libknotd.la libcontrib.la
kkeymgr_CPPFLAGS = $(AM_CPPFLAGS) $(liburcu_CFLAGS) -I$(srcdir)/dnssec/lib/dnssec -I$(srcdir)/dnssec $(gnutls_CFLAGS)
kkeymgr_LDADD = $(libidn_LIBS) $(liburcu_LIBS) libknotd.la libcontrib.la libknotd.la libknotus.la dnssec/libdnssec.la dnssec/libshared.la zscanner/libzscanner.la $(gnutls_LIBS)
# TODO wrap
####################################### #######################################
# Optional Knot DNS Utilities modules # # Optional Knot DNS Utilities modules #
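Review bot: `kkeymgr_LDADD` lists `libknotd.la` twice, and the `# TODO wrap` line right after it is a leftover that will ship in the build file; dropping the duplicate and wrapping the line fixes both. Suggested: `kkeymgr_LDADD = $(libidn_LIBS) $(liburcu_LIBS) libknotd.la libcontrib.la libknotus.la \` followed by `        dnssec/libdnssec.la dnssec/libshared.la zscanner/libzscanner.la $(gnutls_LIBS)`. Whether both libknotd.la and libknotus.la are really needed is not visible from this hunk; the neighbouring kjournalprint links only libknotd.la and libcontrib.la, so it is worth confirming against the actual symbol usage in utils/kkeymgr/.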
/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#pragma once
#include <stdint.h>
#include <time.h>
#include "dnssec/binary.h"
#include "dnssec/kasp.h"
/*!
* Legacy private key parameters.
*/
typedef struct {
// key information
uint8_t algorithm;
// RSA
dnssec_binary_t modulus;
dnssec_binary_t public_exponent;
dnssec_binary_t private_exponent;
dnssec_binary_t prime_one;
dnssec_binary_t prime_two;
dnssec_binary_t exponent_one;
dnssec_binary_t exponent_two;
dnssec_binary_t coefficient;
// DSA
dnssec_binary_t prime;
dnssec_binary_t subprime;
dnssec_binary_t base;
dnssec_binary_t private_value;
dnssec_binary_t public_value;
// ECDSA
dnssec_binary_t private_key;
// key lifetime
time_t time_created;
time_t time_publish;
time_t time_activate;
time_t time_revoke;
time_t time_inactive;
time_t time_delete;
} bind_privkey_t;
/*!
* Extract parameters from legacy private key file.
*/
int bind_privkey_parse(const char *filename, bind_privkey_t *params);
/*!
* Free private key parameters.
*/
void bind_privkey_free(bind_privkey_t *params);
/*!
* Generate PEM from pub&priv key.
*/
int bind_privkey_to_pem(dnssec_key_t *key, bind_privkey_t *params, dnssec_binary_t *pem);
/*!
* Extract timing info.
*/
void bind_privkey_to_timing(bind_privkey_t *params, dnssec_kasp_key_timing_t *timing);
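Review bot: The prototypes do not document ownership or handling of the secret material in `bind_privkey_t`: `bind_privkey_parse` fills `private_exponent`, the primes and `private_key` from a file, and `bind_privkey_free` releases them, but nothing says whether those buffers are wiped before release or whether the caller must call `bind_privkey_free` when `bind_privkey_parse` fails part-way. Suggest extending the comment on `bind_privkey_free` to `Free private key parameters; secret components are expected to be zeroized before release (confirm in bind_privkey.c).` and adding to `bind_privkey_parse` a line stating the return convention (`KNOT_EOK` or a libknot error code, as used by the callers in main.c) and that `params` must be freed with bind_privkey_free on every path. As far as the declarations show, `bind_privkey_to_pem` and `bind_privkey_to_timing` only read `params`, so `const bind_privkey_t *params` would document that; the implementations are in bind_privkey.c, which is collapsed on this page.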
/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "knot/dnssec/context.h"
int kkeymgr_generate_key(kdnssec_ctx_t *ctx, int argc, char *argv[]);
int kkeymgr_import_bind(kdnssec_ctx_t *ctx, const char *import_file);
int kkeymgr_generate_tsig(const char *tsig_name, const char *alg_name, int bits);
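Review bot: functions.h has no include guard, while bind_privkey.h in the same commit uses `#pragma once`; add `#pragma once` after the license block so a double include stays harmless. The three prototypes are also undocumented: the meaning of `bits` in `kkeymgr_generate_tsig` (main.c passes 0 when the user gives no length, and the man page says the default is the algorithm's optimal length, so 0 presumably selects that) and the fact that `argv` for `kkeymgr_generate_key` is the `name=value` list following the command are only discoverable from the callers. Suggest a `/*! ... */` block per prototype in the style of bind_privkey.h, e.g. `/*! Generate a TSIG key named tsig_name using alg_name; bits == 0 selects the algorithm's default length. Returns KNOT_EOK or an error code. */`.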
/* Copyright (C) 2017 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <stdlib.h>
#include "knot/conf/conf.h"
#include "utils/kkeymgr/functions.h"
#include "libknot/libknot.h"
#define PROGRAM_NAME "kkeymgr"
static void print_help(void)
{
printf("Usage: %s [parameter] options/commands...\n"
"\n"
"Parameters:\n"
" -h Display this help.\n"
" -t Generate TSIG key.\n"
" (syntax: -t <tsig_name> [<algorithm>] [<bits>]\n"
" -d Use specified KASP db path.\n"
" (syntax: -d <KASP_dir> <zone> <command> options...)\n"
" -c Use specified Knot config file.\n"
" (syntax: -c <config_file> <zone> <command> options...)\n"
" -C Use specified Knot configuration database.\n"
" (syntax: -C <confdb_dir> <zone> <command> options...)\n"
"\n"
"Commands:\n"
" generate Generate new KASP key.\n"
" (syntax: generate <attribute_name>=<value>...)\n"
" import-bind Import BIND-style key file pair (.key + .private).\n"
" (syntax: import_bind <key_file_name>)\n",
PROGRAM_NAME);
}
static bool init_conf(const char *confdb)
{
conf_flag_t flags = CONF_FNOHOSTNAME;
if (confdb != NULL) {
flags |= CONF_FREADONLY;
}
conf_t *new_conf = NULL;
int ret = conf_new(&new_conf, conf_scheme, confdb, flags);
if (ret != KNOT_EOK) {
printf("Failed opening configuration database %s (%s)\n",
(confdb == NULL ? "" : confdb), knot_strerror(ret));
return false;
}
conf_update(new_conf, CONF_UPD_FNONE);
return true;
}
static bool init_confile(const char *confile)
{
int ret = conf_import(conf(), confile, true);
if (ret != KNOT_EOK) {
printf("Failed opening configuration file %s (%s)\n",
confile, knot_strerror(ret));
return false;
}
return true;
}
int main(int argc, char *argv[])
{
char *kasp_path = NULL;
for (int i = 0; i < argc; i++) {
printf("%s\"%s\"%s", (i == 0 ? "[ " : ""), argv[i], (i == argc - 1 ? " ]\n" : ", "));
}
if (argc <= 1) {
print_help();
return EXIT_SUCCESS;
}
if (strlen(argv[1]) != 2 || argv[1][0] != '-') {
printf("Bad argument: %s\n", argv[1]);
print_help();
return EXIT_FAILURE;
}
#define check_argc_three if (argc < 3) { printf("Option %s requires an argument.\n", argv[1]); print_help(); return EXIT_FAILURE; }
switch (argv[1][1]) {
case 'h':
print_help();
return EXIT_SUCCESS;
case 'd':
check_argc_three
if (!init_conf(NULL)) {
return EXIT_FAILURE;
}
kasp_path = strdup(argv[2]);
break;
case 'c':
check_argc_three
if (!init_conf(NULL) || !init_confile(argv[2])) {
return EXIT_FAILURE;
}
kasp_path = conf_kaspdir(conf());
break;
case 'C':
check_argc_three
if (!init_conf(argv[2])) {
return EXIT_FAILURE;
}
kasp_path = conf_kaspdir(conf());
break;
case 't':
check_argc_three
int tret = kkeymgr_generate_tsig(argv[2], (argc >= 4 ? argv[3] : "hmac-sha256"),
(argc >= 5 ? atol(argv[4]) : 0));
if (tret != KNOT_EOK) {
printf("Failed to generate TSIG (%s)\n", knot_strerror(tret));
}
return (tret == KNOT_EOK ? EXIT_SUCCESS : EXIT_FAILURE);
default:
printf("Wrong option: %s\n", argv[1]);
print_help();
return EXIT_FAILURE;
}
#undef check_argc_three
if (kasp_path == NULL) {
printf("Unable to gather KASP db path from %s\n", argv[2]);
print_help();
return EXIT_FAILURE;
}
if (argc < 5) {
printf("Zone name and/or command not specified.\n");
print_help();
free(kasp_path);
return EXIT_FAILURE;
}
knot_dname_t *zone_name = knot_dname_from_str_alloc(argv[3]);
if (zone_name == NULL) {
free(kasp_path);
return EXIT_FAILURE;
}
(void)knot_dname_to_lower(zone_name);
kdnssec_ctx_t kctx = { 0 };
int ret = kasp_db_init(kaspdb(), kasp_path, 500*1024*1024 /* TODO */);
if (ret != KNOT_EOK) {
printf("Failed to initialize KASP db (%s)\n", knot_strerror(ret));
goto main_end;
}
ret = kdnssec_kasp_init(&kctx, kasp_path, 500*1024*1024 /* TODO */, zone_name, "default");
if (ret != KNOT_EOK) {
printf("Failed to initializize KASP (%s)\n", knot_strerror(ret));
goto main_end;
}
if (strcmp(argv[4], "generate") == 0) {
ret = kkeymgr_generate_key(&kctx, argc - 5, argv + 5);
} else if (strcmp(argv[4], "import-bind") == 0) {
if (argc < 6) {
printf("BIND-style key to import not specified.\n");
ret = KNOT_EINVAL;
goto main_end;
}
ret = kkeymgr_import_bind(&kctx, argv[5]);
} else {
printf("Wrong zone-key command: %s\n", argv[4]);