static inline isc_result_t
fromtext_cert(ARGS_FROMTEXT) {
isc_token_t token;
dns_secalg_t secalg;
dns_cert_t cert;
REQUIRE(type == 37);
UNUSED(type);
UNUSED(rdclass);
UNUSED(origin);
UNUSED(options);
UNUSED(callbacks);
/*
* Cert type.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_cert_fromtext(&cert, &token.value.as_textregion));
RETERR(uint16_tobuffer(cert, target));
/*
* Key tag.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
ISC_FALSE));
if (token.value.as_ulong > 0xffffU)
RETTOK(ISC_R_RANGE);
RETERR(uint16_tobuffer(token.value.as_ulong, target));
/*
* Algorithm.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_secalg_fromtext(&secalg, &token.value.as_textregion));
RETERR(mem_tobuffer(target, &secalg, 1));
return (isc_base64_tobuffer(lexer, target, -1));
}
static inline isc_result_t
fromtext_dnskey(ARGS_FROMTEXT) {
isc_token_t token;
dns_secalg_t alg;
dns_secproto_t proto;
dns_keyflags_t flags;
REQUIRE(type == 48);
UNUSED(type);
UNUSED(rdclass);
UNUSED(origin);
UNUSED(options);
UNUSED(callbacks);
/* flags */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
RETERR(uint16_tobuffer(flags, target));
/* protocol */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
RETERR(mem_tobuffer(target, &proto, 1));
/* algorithm */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
RETERR(mem_tobuffer(target, &alg, 1));
/* No Key? */
if ((flags & 0xc000) == 0xc000)
return (ISC_R_SUCCESS);
return (isc_base64_tobuffer(lexer, target, -1));
}
static inline isc_result_t
fromtext_sig(ARGS_FROMTEXT) {
isc_token_t token;
unsigned char c;
long i;
dns_rdatatype_t covered;
char *e;
isc_result_t result;
dns_name_t name;
isc_buffer_t buffer;
isc_uint32_t time_signed, time_expire;
REQUIRE(type == dns_rdatatype_sig);
UNUSED(type);
UNUSED(rdclass);
UNUSED(callbacks);
/*
* Type covered.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
i = strtol(DNS_AS_STR(token), &e, 10);
if (i < 0 || i > 65535)
RETTOK(ISC_R_RANGE);
if (*e != 0)
RETTOK(result);
covered = (dns_rdatatype_t)i;
}
RETERR(uint16_tobuffer(covered, target));
/*
* Algorithm.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
RETERR(mem_tobuffer(target, &c, 1));
/*
* Labels.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
ISC_FALSE));
if (token.value.as_ulong > 0xffU)
RETTOK(ISC_R_RANGE);
c = (unsigned char)token.value.as_ulong;
RETERR(mem_tobuffer(target, &c, 1));
/*
* Original ttl.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
ISC_FALSE));
RETERR(uint32_tobuffer(token.value.as_ulong, target));
/*
* Signature expiration.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
RETERR(uint32_tobuffer(time_expire, target));
/*
* Time signed.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
RETERR(uint32_tobuffer(time_signed, target));
/*
* Key footprint.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
ISC_FALSE));
RETERR(uint16_tobuffer(token.value.as_ulong, target));
/*
* Signer.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
dns_name_init(&name, NULL);
buffer_fromregion(&buffer, &token.value.as_region);
if (origin == NULL)
origin = dns_rootname;
RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
/*
* Sig.
*/
return (isc_base64_tobuffer(lexer, target, -1));
}
int
main(int argc, char **argv) {
char *algname = NULL, *nametype = NULL, *type = NULL;
char *classname = NULL;
char *endp;
dst_key_t *key = NULL, *oldkey;
dns_fixedname_t fname;
dns_name_t *name;
isc_uint16_t flags = 0, ksk = 0;
dns_secalg_t alg;
isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE;
isc_mem_t *mctx = NULL;
int ch, rsa_exp = 0, generator = 0, param = 0;
int protocol = -1, size = -1, signatory = 0;
isc_result_t ret;
isc_textregion_t r;
char filename[255];
isc_buffer_t buf;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
int dbits = 0;
if (argc == 1)
usage();
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
{
switch (ch) {
case 'a':
algname = isc_commandline_argument;
break;
case 'b':
size = strtol(isc_commandline_argument, &endp, 10);
if (*endp != '\0' || size < 0)
fatal("-b requires a non-negative number");
break;
case 'c':
classname = isc_commandline_argument;
break;
case 'd':
dbits = strtol(isc_commandline_argument, &endp, 10);
if (*endp != '\0' || dbits < 0)
fatal("-d requires a non-negative number");
break;
case 'e':
rsa_exp = 1;
break;
case 'f':
if (strcasecmp(isc_commandline_argument, "KSK") == 0)
ksk = DNS_KEYFLAG_KSK;
else
fatal("unknown flag '%s'",
isc_commandline_argument);
break;
case 'g':
generator = strtol(isc_commandline_argument,
&endp, 10);
if (*endp != '\0' || generator <= 0)
fatal("-g requires a positive number");
break;
case 'k':
options |= DST_TYPE_KEY;
break;
case 'n':
nametype = isc_commandline_argument;
break;
case 't':
type = isc_commandline_argument;
break;
case 'p':
protocol = strtol(isc_commandline_argument, &endp, 10);
if (*endp != '\0' || protocol < 0 || protocol > 255)
fatal("-p must be followed by a number "
"[0..255]");
break;
case 's':
signatory = strtol(isc_commandline_argument,
&endp, 10);
if (*endp != '\0' || signatory < 0 || signatory > 15)
fatal("-s must be followed by a number "
"[0..15]");
break;
case 'r':
setup_entropy(mctx, isc_commandline_argument, &ectx);
break;
case 'v':
endp = NULL;
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
ret = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
fatal("could not initialize dst");
setup_logging(verbose, mctx, &log);
if (argc < isc_commandline_index + 1)
fatal("the key name was not specified");
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
if (algname == NULL)
fatal("no algorithm was specified");
if (strcasecmp(algname, "RSA") == 0) {
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
"If you still wish to use RSA (RSAMD5) please "
"specify \"-a RSAMD5\"\n");
return (1);
} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACMD5;
} else if (strcasecmp(algname, "HMAC-SHA1") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA1;
} else if (strcasecmp(algname, "HMAC-SHA224") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA224;
} else if (strcasecmp(algname, "HMAC-SHA256") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA256;
} else if (strcasecmp(algname, "HMAC-SHA384") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA384;
} else if (strcasecmp(algname, "HMAC-SHA512") == 0) {
options |= DST_TYPE_KEY;
alg = DST_ALG_HMACSHA512;
} else {
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS)
fatal("unknown algorithm %s", algname);
if (alg == DST_ALG_DH)
options |= DST_TYPE_KEY;
}
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH;
else if (strcasecmp(type, "NOCONF") == 0)
flags |= DNS_KEYTYPE_NOCONF;
else if (strcasecmp(type, "NOAUTHCONF") == 0) {
flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
if (size < 0)
size = 0;
}
else if (strcasecmp(type, "AUTHCONF") == 0)
/* nothing */;
else
fatal("invalid type %s", type);
}
if (size < 0)
fatal("key size not specified (-b option)");
switch (alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
if (size != 0 && (size < 512 || size > MAX_RSA))
fatal("RSA key size %d out of range", size);
break;
case DNS_KEYALG_DH:
if (size != 0 && (size < 128 || size > 4096))
fatal("DH key size %d out of range", size);
break;
case DNS_KEYALG_DSA:
if (size != 0 && !dsa_size_ok(size))
fatal("invalid DSS key size: %d", size);
break;
case DST_ALG_HMACMD5:
if (size < 1 || size > 512)
fatal("HMAC-MD5 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 128))
fatal("HMAC-MD5 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-MD5 digest bits %d not divisible by 8",
dbits);
break;
case DST_ALG_HMACSHA1:
if (size < 1 || size > 160)
fatal("HMAC-SHA1 key size %d out of range", size);
if (dbits != 0 && (dbits < 80 || dbits > 160))
fatal("HMAC-SHA1 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-SHA1 digest bits %d not divisible by 8",
dbits);
break;
case DST_ALG_HMACSHA224:
if (size < 1 || size > 224)
fatal("HMAC-SHA224 key size %d out of range", size);
if (dbits != 0 && (dbits < 112 || dbits > 224))
fatal("HMAC-SHA224 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-SHA224 digest bits %d not divisible by 8",
dbits);
break;
case DST_ALG_HMACSHA256:
if (size < 1 || size > 256)
fatal("HMAC-SHA256 key size %d out of range", size);
if (dbits != 0 && (dbits < 128 || dbits > 256))
fatal("HMAC-SHA256 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-SHA256 digest bits %d not divisible by 8",
dbits);
break;
case DST_ALG_HMACSHA384:
if (size < 1 || size > 384)
fatal("HMAC-384 key size %d out of range", size);
if (dbits != 0 && (dbits < 192 || dbits > 384))
fatal("HMAC-SHA384 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-SHA384 digest bits %d not divisible by 8",
dbits);
break;
case DST_ALG_HMACSHA512:
if (size < 1 || size > 512)
fatal("HMAC-SHA512 key size %d out of range", size);
if (dbits != 0 && (dbits < 256 || dbits > 512))
fatal("HMAC-SHA512 digest bits %d out of range", dbits);
if ((dbits % 8) != 0)
fatal("HMAC-SHA512 digest bits %d not divisible by 8",
dbits);
break;
}
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1) &&
rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0)
fatal("specified DH generator for a non-DH key");
if (nametype == NULL) {
if ((options & DST_TYPE_KEY) != 0) /* KEY / HMAC */
fatal("no nametype specified");
flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
} else if (strcasecmp(nametype, "zone") == 0)
flags |= DNS_KEYOWNER_ZONE;
else if ((options & DST_TYPE_KEY) != 0) { /* KEY / HMAC */
if (strcasecmp(nametype, "host") == 0 ||
strcasecmp(nametype, "entity") == 0)
flags |= DNS_KEYOWNER_ENTITY;
else if (strcasecmp(nametype, "user") == 0)
flags |= DNS_KEYOWNER_USER;
else
fatal("invalid KEY nametype %s", nametype);
} else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
fatal("invalid DNSKEY nametype %s", nametype);
rdclass = strtoclass(classname);
if ((options & DST_TYPE_KEY) != 0) /* KEY / HMAC */
flags |= signatory;
else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
flags |= ksk;
if (protocol == -1)
protocol = DNS_KEYPROTO_DNSSEC;
else if ((options & DST_TYPE_KEY) == 0 &&
protocol != DNS_KEYPROTO_DNSSEC)
fatal("invalid DNSKEY protocol: %d", protocol);
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
if (size > 0)
fatal("specified null key with non-zero size");
if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
fatal("specified null key with signing authority");
}
if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
(alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5 ||
alg == DST_ALG_HMACSHA1 || alg == DST_ALG_HMACSHA224 ||
alg == DST_ALG_HMACSHA256 || alg == DST_ALG_HMACSHA384 ||
alg == DST_ALG_HMACSHA512))
fatal("a key with algorithm '%s' cannot be a zone key",
algname);
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
isc_buffer_init(&buf, argv[isc_commandline_index],
strlen(argv[isc_commandline_index]));
isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
if (ret != ISC_R_SUCCESS)
fatal("invalid key name %s: %s", argv[isc_commandline_index],
isc_result_totext(ret));
switch(alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
param = rsa_exp;
break;
case DNS_KEYALG_DH:
param = generator;
break;
case DNS_KEYALG_DSA:
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
case DST_ALG_HMACSHA384:
case DST_ALG_HMACSHA512:
param = 0;
break;
}
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
null_key = ISC_TRUE;
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
do {
conflict = ISC_FALSE;
oldkey = NULL;
/* generate the key */
ret = dst_key_generate(name, alg, size, param, flags, protocol,
rdclass, mctx, &key);
isc_entropy_stopcallbacksources(ectx);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
char algstr[ALG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
alg_format(alg, algstr, sizeof(algstr));
fatal("failed to generate key %s/%s: %s\n",
namestr, algstr, isc_result_totext(ret));
exit(-1);
}
dst_key_setbits(key, dbits);
/*
* Try to read a key with the same name, alg and id from disk.
* If there is one we must continue generating a new one
* unless we were asked to generate a null key, in which
* case we return failure.
*/
ret = dst_key_fromfile(name, dst_key_id(key), alg,
DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
/* do not overwrite an existing key */
if (ret == ISC_R_SUCCESS) {
dst_key_free(&oldkey);
conflict = ISC_TRUE;
if (null_key)
break;
}
if (conflict == ISC_TRUE) {
if (verbose > 0) {
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, NULL, &buf);
fprintf(stderr,
"%s: %s already exists, "
"generating a new key\n",
program, filename);
}
dst_key_free(&key);
}
} while (conflict == ISC_TRUE);
if (conflict)
fatal("cannot generate a null key when a key with id 0 "
"already exists");
ret = dst_key_tofile(key, options, NULL);
if (ret != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(key, keystr, sizeof(keystr));
fatal("failed to write key %s: %s\n", keystr,
isc_result_totext(ret));
}
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, NULL, &buf);
printf("%s\n", filename);
dst_key_free(&key);
cleanup_logging(&log);
cleanup_entropy(&ectx);
dst_lib_destroy();
dns_name_destroy();
if (verbose > 10)
isc_mem_stats(mctx, stdout);
isc_mem_destroy(&mctx);
return (0);
}
static inline isc_result_t
generic_fromtext_ds(ARGS_FROMTEXT) {
isc_token_t token;
unsigned char c;
int length;
UNUSED(type);
UNUSED(rdclass);
UNUSED(origin);
UNUSED(options);
UNUSED(callbacks);
/*
* Key tag.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
ISC_FALSE));
if (token.value.as_ulong > 0xffffU)
RETTOK(ISC_R_RANGE);
RETERR(uint16_tobuffer(token.value.as_ulong, target));
/*
* Algorithm.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
RETERR(mem_tobuffer(target, &c, 1));
/*
* Digest type.
*/
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_dsdigest_fromtext(&c, &token.value.as_textregion));
RETERR(mem_tobuffer(target, &c, 1));
/*
* Digest.
*/
switch (c) {
case DNS_DSDIGEST_SHA1:
length = ISC_SHA1_DIGESTLENGTH;
break;
case DNS_DSDIGEST_SHA256:
length = ISC_SHA256_DIGESTLENGTH;
break;
#ifdef ISC_GOST_DIGESTLENGTH
case DNS_DSDIGEST_GOST:
length = ISC_GOST_DIGESTLENGTH;
break;
#endif
case DNS_DSDIGEST_SHA384:
length = ISC_SHA384_DIGESTLENGTH;
break;
default:
length = -1;
break;
}
return (isc_hex_tobuffer(lexer, target, length));
}
static inline isc_result_t
fromtext_keydata(ARGS_FROMTEXT) {
isc_result_t result;
isc_token_t token;
dns_secalg_t alg;
dns_secproto_t proto;
dns_keyflags_t flags;
isc_uint32_t refresh, addhd, removehd;
REQUIRE(type == 65533);
UNUSED(type);
UNUSED(rdclass);
UNUSED(origin);
UNUSED(options);
UNUSED(callbacks);
/* refresh timer */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &refresh));
RETERR(uint32_tobuffer(refresh, target));
/* add hold-down */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &addhd));
RETERR(uint32_tobuffer(addhd, target));
/* remove hold-down */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &removehd));
RETERR(uint32_tobuffer(removehd, target));
/* flags */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
RETERR(uint16_tobuffer(flags, target));
/* protocol */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
RETERR(mem_tobuffer(target, &proto, 1));
/* algorithm */
RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
ISC_FALSE));
RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
RETERR(mem_tobuffer(target, &alg, 1));
/* No Key? */
if ((flags & 0xc000) == 0xc000)
return (ISC_R_SUCCESS);
result = isc_base64_tobuffer(lexer, target, -1);
if (result != ISC_R_SUCCESS)
return (result);
/* Ensure there's at least enough data to compute a key ID for MD5 */
if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 19)
return (ISC_R_UNEXPECTEDEND);
return (ISC_R_SUCCESS);
}
int
main(int argc, char **argv) {
char *algname = NULL, *nametype = NULL, *type = NULL;
char *classname = NULL;
char *endp;
dst_key_t *key = NULL, *oldkey;
dns_fixedname_t fname;
dns_name_t *name;
isc_uint16_t flags = 0, ksk = 0;
dns_secalg_t alg;
isc_boolean_t null_key = ISC_FALSE;
isc_mem_t *mctx = NULL;
int ch;
int protocol = -1, signatory = 0;
isc_result_t ret;
isc_textregion_t r;
char filename[255];
isc_buffer_t buf;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
char *label = NULL;
if (argc == 1)
usage();
RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
dns_result_register();
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"a:c:f:kl:n:p:t:v:h")) != -1)
{
switch (ch) {
case 'a':
algname = isc_commandline_argument;
break;
case 'c':
classname = isc_commandline_argument;
break;
case 'f':
if (strcasecmp(isc_commandline_argument, "KSK") == 0)
ksk = DNS_KEYFLAG_KSK;
else
fatal("unknown flag '%s'",
isc_commandline_argument);
break;
case 'k':
options |= DST_TYPE_KEY;
break;
case 'l':
label = isc_commandline_argument;
break;
case 'n':
nametype = isc_commandline_argument;
break;
case 'p':
protocol = strtol(isc_commandline_argument, &endp, 10);
if (*endp != '\0' || protocol < 0 || protocol > 255)
fatal("-p must be followed by a number "
"[0..255]");
break;
case 't':
type = isc_commandline_argument;
break;
case 'v':
verbose = strtol(isc_commandline_argument, &endp, 0);
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
program, isc_commandline_option);
case 'h':
usage();
default:
fprintf(stderr, "%s: unhandled option -%c\n",
program, isc_commandline_option);
exit(1);
}
}
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
ret = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
fatal("could not initialize dst");
setup_logging(verbose, mctx, &log);
if (label == NULL)
fatal("the key label was not specified");
if (argc < isc_commandline_index + 1)
fatal("the key name was not specified");
if (argc > isc_commandline_index + 1)
fatal("extraneous arguments");
if (algname == NULL)
fatal("no algorithm was specified");
if (strcasecmp(algname, "RSA") == 0) {
fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
"If you still wish to use RSA (RSAMD5) please "
"specify \"-a RSAMD5\"\n");
return (1);
} else {
r.base = algname;
r.length = strlen(algname);
ret = dns_secalg_fromtext(&alg, &r);
if (ret != ISC_R_SUCCESS)
fatal("unknown algorithm %s", algname);
if (alg == DST_ALG_DH)
options |= DST_TYPE_KEY;
}
if (type != NULL && (options & DST_TYPE_KEY) != 0) {
if (strcasecmp(type, "NOAUTH") == 0)
flags |= DNS_KEYTYPE_NOAUTH;
else if (strcasecmp(type, "NOCONF") == 0)
flags |= DNS_KEYTYPE_NOCONF;
else if (strcasecmp(type, "NOAUTHCONF") == 0) {
flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
}
else if (strcasecmp(type, "AUTHCONF") == 0)
/* nothing */;
else
fatal("invalid type %s", type);
}
if (nametype == NULL) {
if ((options & DST_TYPE_KEY) != 0) /* KEY */
fatal("no nametype specified");
flags |= DNS_KEYOWNER_ZONE; /* DNSKEY */
} else if (strcasecmp(nametype, "zone") == 0)
flags |= DNS_KEYOWNER_ZONE;
else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
if (strcasecmp(nametype, "host") == 0 ||
strcasecmp(nametype, "entity") == 0)
flags |= DNS_KEYOWNER_ENTITY;
else if (strcasecmp(nametype, "user") == 0)
flags |= DNS_KEYOWNER_USER;
else
fatal("invalid KEY nametype %s", nametype);
} else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
fatal("invalid DNSKEY nametype %s", nametype);
rdclass = strtoclass(classname);
if ((options & DST_TYPE_KEY) != 0) /* KEY */
flags |= signatory;
else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
flags |= ksk;
if (protocol == -1)
protocol = DNS_KEYPROTO_DNSSEC;
else if ((options & DST_TYPE_KEY) == 0 &&
protocol != DNS_KEYPROTO_DNSSEC)
fatal("invalid DNSKEY protocol: %d", protocol);
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
fatal("specified null key with signing authority");
}
if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
alg == DNS_KEYALG_DH)
fatal("a key with algorithm '%s' cannot be a zone key",
algname);
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
isc_buffer_init(&buf, argv[isc_commandline_index],
strlen(argv[isc_commandline_index]));
isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
if (ret != ISC_R_SUCCESS)
fatal("invalid key name %s: %s", argv[isc_commandline_index],
isc_result_totext(ret));
if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
null_key = ISC_TRUE;
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol,
rdclass, "", label, NULL, mctx, &key);
isc_entropy_stopcallbacksources(ectx);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
char algstr[ALG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr));
alg_format(alg, algstr, sizeof(algstr));
fatal("failed to generate key %s/%s: %s\n",
namestr, algstr, isc_result_totext(ret));
exit(-1);
}
/*
* Try to read a key with the same name, alg and id from disk.
* If there is one we must continue generating a new one
* unless we were asked to generate a null key, in which
* case we return failure.
*/
ret = dst_key_fromfile(name, dst_key_id(key), alg,
DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
/* do not overwrite an existing key */
if (ret == ISC_R_SUCCESS) {
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, NULL, &buf);
fprintf(stderr, "%s: %s already exists\n",
program, filename);
dst_key_free(&key);
exit (1);
}
ret = dst_key_tofile(key, options, NULL);
if (ret != ISC_R_SUCCESS) {
char keystr[KEY_FORMATSIZE];
key_format(key, keystr, sizeof(keystr));
fatal("failed to write key %s: %s\n", keystr,
isc_result_totext(ret));
}
isc_buffer_clear(&buf);
ret = dst_key_buildfilename(key, 0, NULL, &buf);
printf("%s\n", filename);
dst_key_free(&key);
cleanup_logging(&log);
cleanup_entropy(&ectx);
dst_lib_destroy();
dns_name_destroy();
if (verbose > 10)
isc_mem_stats(mctx, stdout);
isc_mem_destroy(&mctx);
return (0);
}
static void
set_key(dns_client_t *client, char *keynamestr, char *keystr,
isc_boolean_t is_sep, isc_mem_t **mctxp)
{
isc_result_t result;
dns_fixedname_t fkeyname;
size_t namelen;
dns_name_t *keyname;
dns_rdata_dnskey_t keystruct;
unsigned char keydata[4096];
isc_buffer_t keydatabuf;
unsigned char rrdata[4096];
isc_buffer_t rrdatabuf;
isc_buffer_t b;
isc_textregion_t tr;
isc_region_t r;
dns_secalg_t alg;
result = isc_mem_create(0, 0, mctxp);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "failed to crate mctx\n");
exit(1);
}
if (algname != NULL) {
tr.base = algname;
tr.length = strlen(algname);
result = dns_secalg_fromtext(&alg, &tr);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "failed to identify the algorithm\n");
exit(1);
}
} else
alg = DNS_KEYALG_RSASHA1;
keystruct.common.rdclass = dns_rdataclass_in;
keystruct.common.rdtype = dns_rdatatype_dnskey;
keystruct.flags = DNS_KEYOWNER_ZONE; /* fixed */
if (is_sep)
keystruct.flags |= DNS_KEYFLAG_KSK;
keystruct.protocol = DNS_KEYPROTO_DNSSEC; /* fixed */
keystruct.algorithm = alg;
isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
result = isc_base64_decodestring(keystr, &keydatabuf);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "base64 decode failed\n");
exit(1);
}
isc_buffer_usedregion(&keydatabuf, &r);
keystruct.datalen = r.length;
keystruct.data = r.base;
result = dns_rdata_fromstruct(NULL, keystruct.common.rdclass,
keystruct.common.rdtype,
&keystruct, &rrdatabuf);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "failed to construct key rdata\n");
exit(1);
}
namelen = strlen(keynamestr);
isc_buffer_init(&b, keynamestr, namelen);
isc_buffer_add(&b, namelen);
dns_fixedname_init(&fkeyname);
keyname = dns_fixedname_name(&fkeyname);
result = dns_name_fromtext(keyname, &b, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "failed to construct key name\n");
exit(1);
}
result = dns_client_addtrustedkey(client, dns_rdataclass_in,
keyname, &rrdatabuf);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "failed to add key for %s\n",
keynamestr);
exit(1);
}
}
