Commit f2c62f07 authored by Jan Včelák's avatar Jan Včelák 🚀

online-signing: pick the keystore from zone policy

parent c4d57ca6
......@@ -429,38 +429,58 @@ static int synth_answer(int state, knot_pkt_t *pkt, struct query_data *qdata, vo
return state;
}
static int get_dnssec_key(dnssec_key_t **key_ptr, char **id_ptr,
const knot_dname_t *zone_name,
static int get_online_key(dnssec_key_t **key_ptr, const knot_dname_t *zone_name,
const char *kasp_path)
{
dnssec_kasp_t *kasp = NULL;
dnssec_kasp_zone_t *zone = NULL;
dnssec_kasp_policy_t *policy = NULL;
dnssec_kasp_keystore_t *kasp_keystore = NULL;
dnssec_keystore_t *keystore = NULL;
// KASP database
dnssec_kasp_t *kasp = NULL;
int r = dnssec_kasp_init_dir(&kasp);
if (r != DNSSEC_EOK) {
return r;
goto fail;
}
r = dnssec_kasp_open(kasp, kasp_path);
if (r != DNSSEC_EOK) {
dnssec_kasp_deinit(kasp);
return r;
goto fail;
}
// KASP zone
char *zone_str = knot_dname_to_str_alloc(zone_name);
if (!zone_str) {
dnssec_kasp_deinit(kasp);
return KNOT_ENOMEM;
r = KNOT_ENOMEM;
goto fail;
}
dnssec_kasp_zone_t *zone = NULL;
r = dnssec_kasp_zone_load(kasp, zone_str, &zone);
free(zone_str);
if (r != DNSSEC_EOK) {
dnssec_kasp_deinit(kasp);
return r;
goto fail;
}
// KASP keystore
const char *policy_id = dnssec_kasp_zone_get_policy(zone);
r = dnssec_kasp_policy_load(kasp, policy_id, &policy);
if (r != DNSSEC_EOK) {
goto fail;
}
r = dnssec_kasp_keystore_load(kasp, policy->keystore, &kasp_keystore);
if (r != DNSSEC_EOK) {
goto fail;
}
r = dnssec_kasp_keystore_open(kasp, kasp_keystore->backend,
kasp_keystore->config, &keystore);
if (r != DNSSEC_EOK) {
goto fail;
}
// DNSSEC key
......@@ -469,75 +489,35 @@ static int get_dnssec_key(dnssec_key_t **key_ptr, char **id_ptr,
assert(list);
dnssec_item_t *item = dnssec_list_nth(list, 0);
if (!item) {
dnssec_kasp_zone_free(zone);
dnssec_kasp_deinit(kasp);
return DNSSEC_NOT_FOUND;
r = DNSSEC_NOT_FOUND;
goto fail;
}
dnssec_kasp_key_t *kasp_key = dnssec_item_get(item);
assert(kasp_key);
char *id = strdup(kasp_key->id);
dnssec_key_t *key = dnssec_key_dup(kasp_key->key);
dnssec_kasp_zone_free(zone);
dnssec_kasp_deinit(kasp);
if (!key || !id) {
dnssec_key_free(key);
free(id);
return KNOT_ENOMEM;
if (!key) {
r = KNOT_ENOMEM;
goto fail;
}
*key_ptr = key;
*id_ptr = id;
return KNOT_EOK;
}
static int load_private_key(dnssec_key_t *key, const char *id, const char *kasp_path)
{
char *keystore_path = sprintf_alloc("%s/keys", kasp_path);
if (!keystore_path) {
return KNOT_ENOMEM;
}
dnssec_keystore_t *store = NULL;
dnssec_keystore_init_pkcs8_dir(&store);
int r = dnssec_keystore_open(store, keystore_path);
free(keystore_path);
if (r != DNSSEC_EOK) {
dnssec_keystore_deinit(store);
return r;
}
r = dnssec_key_import_keystore(key, store, id);
dnssec_keystore_deinit(store);
return r;
}
static int get_online_key(dnssec_key_t **key_ptr, const knot_dname_t *zone_name,
const char *kasp_path)
{
dnssec_key_t *key = NULL;
char *id = NULL;
int r = get_dnssec_key(&key, &id, zone_name, kasp_path);
if (r != KNOT_EOK) {
return r;
}
r = load_private_key(key, id, kasp_path);
free(id);
r = dnssec_key_import_keystore(key, keystore, kasp_key->id);
if (r != DNSSEC_EOK) {
dnssec_key_free(key);
return r;
goto fail;
}
*key_ptr = key;
return KNOT_EOK;
fail:
dnssec_keystore_deinit(keystore);
dnssec_kasp_keystore_free(kasp_keystore);
dnssec_kasp_policy_free(policy);
dnssec_kasp_zone_free(zone);
dnssec_kasp_deinit(kasp);
return r;
}
static void online_sign_ctx_free(online_sign_ctx_t *ctx)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment