Merge branch 'key_log_evo' into 'master'

Key logging evolution See merge request !852

Merge branch 'key_log_evo' into 'master'
Key logging evolution See merge request !852
ffa2e4a0 · Daniel Salzman · 00e6b17e · 663dd17d · ffa2e4a0 · ffa2e4a0
Commit ffa2e4a0 authored Oct 24, 2017 by Daniel Salzman
4 changed files
--- a/src/knot/dnssec/zone-events.c
+++ b/src/knot/dnssec/zone-events.c
@@ -162,7 +162,7 @@ int knot_dnssec_zone_sign(zone_update_t *update,
 	}

 	result = load_zone_keys(ctx.zone, ctx.keystore,
-	                        ctx.policy->nsec3_enabled, ctx.now, &keyset);
+				ctx.policy->nsec3_enabled, ctx.now, &keyset, true);
 	if (result != KNOT_EOK) {
 		log_zone_error(zone_name, "DNSSEC, failed to load keys (%s)",
 		               knot_strerror(result));
@@ -248,7 +248,7 @@ int knot_dnssec_sign_update(zone_update_t *update, zone_sign_reschedule_t *resch
 	}

 	result = load_zone_keys(ctx.zone, ctx.keystore,
-	                        ctx.policy->nsec3_enabled, ctx.now, &keyset);
+				ctx.policy->nsec3_enabled, ctx.now, &keyset, false);
 	if (result != KNOT_EOK) {
 		log_zone_error(zone_name, "DNSSEC, failed to load keys (%s)",
 		               knot_strerror(result));

--- a/src/knot/dnssec/zone-keys.c
+++ b/src/knot/dnssec/zone-keys.c
@@ -22,6 +22,8 @@
 #include "knot/dnssec/zone-keys.h"
 #include "libknot/libknot.h"

+#define MAX_KEY_INFO 128
+
 dynarray_define(keyptr, zone_key_t *, DYNARRAY_VISIBILITY_PUBLIC)

 const uint16_t DNSKEY_FLAGS_KSK = 257;
@@ -381,27 +383,43 @@ static int load_private_keys(dnssec_keystore_t *keystore, zone_keyset_t *keyset)
 /*!
 * \brief Log information about zone keys.
 */
-static void log_key_info(const zone_key_t *key, const knot_dname_t *zone_name)
+static void log_key_info(const zone_key_t *key, char *out, size_t out_len)
 {
 	assert(key);
-	assert(zone_name);
+	assert(out);

-	log_zone_info(zone_name, "DNSSEC, loaded key, tag %5d, algorithm %d, "
-	                         "KSK %s, ZSK %s, public %s, ready %s, active %s",
-	              dnssec_key_get_keytag(key->key),
-	              dnssec_key_get_algorithm(key->key),
-	              key->is_ksk           ? "yes" : "no",
-	              key->is_zsk           ? "yes" : "no",
-	              key->is_public        ? "yes" : "no",
-	              key->cds_priority > 1 ? "yes" : "no",
-	              key->is_active        ? "yes" : "no");
+	uint8_t alg_code = dnssec_key_get_algorithm(key->key);
+	const knot_lookup_t *alg = knot_lookup_by_id(knot_dnssec_alg_names, alg_code);
+
+	char alg_code_str[8] = "";
+	if (alg == NULL) {
+		(void)snprintf(alg_code_str, sizeof(alg_code_str), "%d", alg_code);
+	}
+
+	(void)snprintf(out, out_len, "DNSSEC, key, tag %5d, algorithm %s%s%s%s%s",
+	               dnssec_key_get_keytag(key->key),
+	               (alg != NULL           ? alg->name  : alg_code_str),
+	               (key->is_ksk           ? ", KSK"    : ""),
+	               (key->is_public        ? ", public" : ""),
+	               (key->cds_priority > 1 ? ", ready"  : ""),
+	               (key->is_active        ? ", active" : ""));
+}
+
+int log_key_sort(const void *a, const void *b)
+{
+	const char *alg_a = strstr(a, "alg");
+	const char *alg_b = strstr(b, "alg");
+	assert(alg_a != NULL && alg_b != NULL);
+
+	return strcmp(alg_a, alg_b);
 }

 /*!
 * \brief Load zone keys and init cryptographic context.
 */
 int load_zone_keys(knot_kasp_zone_t *zone, dnssec_keystore_t *store,
-                   bool nsec3_enabled, knot_time_t now, zone_keyset_t *keyset_ptr)
+                   bool nsec3_enabled, knot_time_t now, zone_keyset_t *keyset_ptr,
+                   bool verbose)
 {
 	if (!zone || !store || !keyset_ptr) {
 		return KNOT_EINVAL;
@@ -421,10 +439,21 @@ int load_zone_keys(knot_kasp_zone_t *zone, dnssec_keystore_t *store,
 		return KNOT_ENOMEM;
 	}

+	char key_info[zone->num_keys][MAX_KEY_INFO];
 	for (size_t i = 0; i < zone->num_keys; i++) {
 		knot_kasp_key_t *kasp_key = &zone->keys[i];
 		set_key(kasp_key, now, &keyset.keys[i]);
-		log_key_info(&keyset.keys[i], zone->dname);
+		if (verbose) {
+			log_key_info(&keyset.keys[i], key_info[i], MAX_KEY_INFO);
+		}
+	}
+
+	// Sort the keys by algorithm name.
+	if (verbose) {
+		qsort(key_info, zone->num_keys, MAX_KEY_INFO, log_key_sort);
+		for (size_t i = 0; i < zone->num_keys; i++) {
+			log_zone_info(zone->dname, "%s", key_info[i]);
+		}
 	}

 	int r = prepare_and_check_keys(zone->dname, nsec3_enabled, &keyset);

--- a/src/knot/dnssec/zone-keys.h
+++ b/src/knot/dnssec/zone-keys.h
@@ -104,7 +104,8 @@ int kdnssec_delete_key(kdnssec_ctx_t *ctx, knot_kasp_key_t *key_ptr);
 * \return Error code, KNOT_EOK if successful.
 */
 int load_zone_keys(knot_kasp_zone_t *zone, dnssec_keystore_t *store,
-                   bool nsec3_enabled, knot_time_t now, zone_keyset_t *keyset_ptr);
+                   bool nsec3_enabled, knot_time_t now, zone_keyset_t *keyset_ptr,
+                   bool verbose);

 /*!
 * \brief Get zone keys by a keytag.

--- a/src/knot/events/handlers/parent_ds_query.c
+++ b/src/knot/events/handlers/parent_ds_query.c
@@ -200,7 +200,7 @@ int event_parent_ds_q(conf_t *conf, zone_t *zone)
 	}

 	zone_keyset_t keyset = { 0 };
-	ret = load_zone_keys(ctx.zone, ctx.keystore, false, ctx.now, &keyset);
+	ret = load_zone_keys(ctx.zone, ctx.keystore, false, ctx.now, &keyset, false);
 	if (ret != KNOT_EOK) {
 		kdnssec_ctx_deinit(&ctx);
 		return ret;