int
cmd_remove (int argc, char *argv[])
{
char *id;
int result;
hsm_key_t *key = NULL;
if (argc != 1) {
usage();
return -1;
}
id = strdup(argv[0]);
key = hsm_find_key_by_id(NULL, id);
if (!key) {
printf("Key not found: %s\n", id);
return -1;
}
result = hsm_remove_key(NULL, key);
if (!result) {
printf("Key remove successful.\n");
} else {
printf("Key remove failed.\n");
}
hsm_key_free(key);
return result;
}
static uint16_t
dnskey_from_id(std::string &dnskey,
const char *id,
::ods::keystate::keyrole role,
const char *zone,
int algorithm,
int bDS,
uint32_t ttl)
{
hsm_key_t *key;
hsm_sign_params_t *sign_params;
ldns_rr *dnskey_rr;
ldns_algorithm algo = (ldns_algorithm)algorithm;
/* Code to output the DNSKEY record (stolen from hsmutil) */
hsm_ctx_t *hsm_ctx = hsm_create_context();
if (!hsm_ctx) {
ods_log_error("[%s] Could not connect to HSM", module_str);
return false;
}
key = hsm_find_key_by_id(hsm_ctx, id);
if (!key) {
// printf("Key %s in DB but not repository\n", id);
hsm_destroy_context(hsm_ctx);
return 0;
}
/*
* Sign params only need to be kept around
* for the hsm_get_dnskey() call.
*/
sign_params = hsm_sign_params_new();
sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone);
sign_params->algorithm = algo;
sign_params->flags = LDNS_KEY_ZONE_KEY;
if (role == ::ods::keystate::KSK)
sign_params->flags += LDNS_KEY_SEP_KEY; /*KSK=>SEP*/
/* Get the DNSKEY record */
dnskey_rr = hsm_get_dnskey(hsm_ctx, key, sign_params);
hsm_sign_params_free(sign_params);
/* Calculate the keytag for this key, we return it. */
uint16_t keytag = ldns_calc_keytag(dnskey_rr);
/* Override the TTL in the dnskey rr */
if (ttl)
ldns_rr_set_ttl(dnskey_rr, ttl);
char *rrstr;
if (!bDS) {
#if 0
ldns_rr_print(stdout, dnskey_rr);
#endif
rrstr = ldns_rr2str(dnskey_rr);
dnskey = rrstr;
LDNS_FREE(rrstr);
} else {
switch (algo) {
case LDNS_RSASHA1: // 5
{
/* DS record (SHA1) */
ldns_rr *ds_sha1_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA1);
#if 0
ldns_rr_print(stdout, ds_sha1_rr);
#endif
rrstr = ldns_rr2str(ds_sha1_rr);
dnskey = rrstr;
LDNS_FREE(rrstr);
ldns_rr_free(ds_sha1_rr);
break;
}
case LDNS_RSASHA256: // 8 - RFC 5702
{
/* DS record (SHA256) */
ldns_rr *ds_sha256_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA256);
#if 0
ldns_rr_print(stdout, ds_sha256_rr);
#endif
rrstr = ldns_rr2str(ds_sha256_rr);
dnskey = rrstr;
LDNS_FREE(rrstr);
ldns_rr_free(ds_sha256_rr);
break;
}
default:
keytag = 0;
}
}
ldns_rr_free(dnskey_rr);
hsm_key_free(key);
hsm_destroy_context(hsm_ctx);
return keytag;
}
int
main (int argc, char *argv[])
{
int result;
hsm_ctx_t *ctx;
hsm_key_t **keys;
hsm_key_t *key = NULL;
char *id;
size_t key_count = 0;
size_t i;
ldns_rr_list *rrset;
ldns_rr *rr, *sig, *dnskey_rr;
ldns_status status;
hsm_sign_params_t *sign_params;
int do_generate = 0;
int do_sign = 0;
int do_delete = 0;
int do_random = 0;
int res;
uint32_t r32;
uint64_t r64;
char *config = NULL;
const char *repository = "default";
int ch;
progname = argv[0];
while ((ch = getopt(argc, argv, "hgsdrc:")) != -1) {
switch (ch) {
case 'c':
config = strdup(optarg);
break;
case 'g':
do_generate = 1;
break;
case 'h':
usage();
exit(0);
break;
case 's':
do_sign = 1;
break;
case 'd':
do_delete = 1;
break;
case 'r':
do_random = 1;
break;
default:
usage();
exit(1);
}
}
if (!config) {
usage();
exit(1);
}
/*
* Open HSM library
*/
fprintf(stdout, "Starting HSM lib test\n");
result = hsm_open(config, hsm_prompt_pin);
fprintf(stdout, "hsm_open result: %d\n", result);
/*
* Create HSM context
*/
ctx = hsm_create_context();
printf("global: ");
hsm_print_ctx(NULL);
printf("my: ");
hsm_print_ctx(ctx);
/*
* Generate a new key OR find any key with an ID
*/
if (do_generate) {
key = hsm_generate_rsa_key(ctx, repository, 1024);
if (key) {
printf("\nCreated key!\n");
hsm_print_key(key);
printf("\n");
} else {
printf("Error creating key, bad token name?\n");
hsm_print_error(ctx);
exit(1);
}
} else if (do_sign || do_delete) {
keys = hsm_list_keys(ctx, &key_count);
printf("I have found %u keys\n", (unsigned int) key_count);
/* let's just use the very first key we find and throw away the rest */
for (i = 0; i < key_count && !key; i++) {
printf("\nFound key!\n");
hsm_print_key(keys[i]);
id = hsm_get_key_id(ctx, keys[i]);
if (id) {
printf("Using key ID: %s\n", id);
if (key) hsm_key_free(key);
key = hsm_find_key_by_id(ctx, id);
printf("ptr: 0x%p\n", (void *) key);
free(id);
} else {
printf("Got no key ID (broken key?), skipped...\n");
}
hsm_key_free(keys[i]);
}
free(keys);
if (!key) {
printf("Failed to find useful key\n");
exit(1);
}
}
/*
* Do some signing
*/
if (do_sign) {
printf("\nSigning with:\n");
hsm_print_key(key);
printf("\n");
rrset = ldns_rr_list_new();
status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 123.123.123.123", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
status = ldns_rr_new_frm_str(&rr, "regress.opendnssec.se. IN A 124.124.124.124", 0, NULL, NULL);
if (status == LDNS_STATUS_OK) ldns_rr_list_push_rr(rrset, rr);
sign_params = hsm_sign_params_new();
sign_params->algorithm = LDNS_RSASHA1;
sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, "opendnssec.se.");
dnskey_rr = hsm_get_dnskey(ctx, key, sign_params);
sign_params->keytag = ldns_calc_keytag(dnskey_rr);
sig = hsm_sign_rrset(ctx, rrset, key, sign_params);
if (sig) {
ldns_rr_list_print(stdout, rrset);
ldns_rr_print(stdout, sig);
ldns_rr_print(stdout, dnskey_rr);
ldns_rr_free(sig);
} else {
hsm_print_error(ctx);
exit(-1);
}
/* cleanup */
ldns_rr_list_deep_free(rrset);
hsm_sign_params_free(sign_params);
ldns_rr_free(dnskey_rr);
}
/*
* Delete key
*/
if (do_delete) {
printf("\nDelete key:\n");
hsm_print_key(key);
/* res = hsm_remove_key(ctx, key); */
res = hsm_remove_key(ctx, key);
printf("Deleted key. Result: %d\n", res);
printf("\n");
}
if (key) hsm_key_free(key);
/*
* Test random{32,64} functions
*/
if (do_random) {
r32 = hsm_random32(ctx);
printf("random 32: %u\n", r32);
r64 = hsm_random64(ctx);
printf("random 64: %llu\n", (long long unsigned int)r64);
}
/*
* Destroy HSM context
*/
if (ctx) {
hsm_destroy_context(ctx);
}
/*
* Close HSM library
*/
result = hsm_close();
fprintf(stdout, "all done! hsm_close result: %d\n", result);
if (config) free(config);
return 0;
}
static bool
retract_dnskey_by_id(int sockfd,
const char *ds_retract_command,
const char *id,
::ods::keystate::keyrole role,
const char *zone,
int algorithm)
{
/* Code to output the DNSKEY record (stolen from hsmutil) */
hsm_ctx_t *hsm_ctx = hsm_create_context();
if (!hsm_ctx) {
ods_log_error_and_printf(sockfd,
module_str,
"could not connect to HSM");
return false;
}
hsm_key_t *key = hsm_find_key_by_id(hsm_ctx, id);
if (!key) {
ods_log_error_and_printf(sockfd,
module_str,
"key %s not found in any HSM",
id);
hsm_destroy_context(hsm_ctx);
return false;
}
bool bOK = false;
char *dnskey_rr_str;
hsm_sign_params_t *sign_params = hsm_sign_params_new();
sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone);
sign_params->algorithm = (ldns_algorithm)algorithm;
sign_params->flags = LDNS_KEY_ZONE_KEY;
sign_params->flags += LDNS_KEY_SEP_KEY; /*KSK=>SEP*/
ldns_rr *dnskey_rr = hsm_get_dnskey(hsm_ctx, key, sign_params);
#if 0
ldns_rr_print(stdout, dnskey_rr);
#endif
dnskey_rr_str = ldns_rr2str(dnskey_rr);
hsm_sign_params_free(sign_params);
ldns_rr_free(dnskey_rr);
hsm_key_free(key);
/* Replace tab with white-space */
for (int i = 0; dnskey_rr_str[i]; ++i) {
if (dnskey_rr_str[i] == '\t') {
dnskey_rr_str[i] = ' ';
}
}
/* We need to strip off trailing comments before we send
to any clients that might be listening */
for (int i = 0; dnskey_rr_str[i]; ++i) {
if (dnskey_rr_str[i] == ';') {
dnskey_rr_str[i] = '\n';
dnskey_rr_str[i+1] = '\0';
break;
}
}
// pass the dnskey rr string to a configured
// delegation signer retract program.
if (ds_retract_command && ds_retract_command[0] != '\0') {
/* send records to the configured command */
FILE *fp = popen(ds_retract_command, "w");
if (fp == NULL) {
ods_log_error_and_printf(sockfd,
module_str,
"failed to run command: %s: %s",
ds_retract_command,
strerror(errno));
} else {
int bytes_written = fprintf(fp, "%s", dnskey_rr_str);
if (bytes_written < 0) {
ods_log_error_and_printf(sockfd,
module_str,
"[%s] Failed to write to %s: %s",
ds_retract_command,
strerror(errno));
} else {
if (pclose(fp) == -1) {
ods_log_error_and_printf(sockfd,
module_str,
"failed to close %s: %s",
ds_retract_command,
strerror(errno));
} else {
bOK = true;
ods_printf(sockfd,
"key %s retracted by %s\n",
id,
ds_retract_command);
}
}
}
} else {
ods_log_error_and_printf(sockfd,
module_str,
"no \"DelegationSignerRetractCommand\" binary "
"configured in conf.xml.");
}
LDNS_FREE(dnskey_rr_str);
hsm_destroy_context(hsm_ctx);
return bOK;
}
static bool
retract_dnskey_by_id(int sockfd,
const char *ds_retract_command,
const char *id,
::ods::keystate::keyrole role,
const char *zone,
int algorithm,
bool force)
{
struct stat stat_ret;
/* Code to output the DNSKEY record (stolen from hsmutil) */
hsm_ctx_t *hsm_ctx = hsm_create_context();
if (!hsm_ctx) {
ods_log_error_and_printf(sockfd,
module_str,
"could not connect to HSM");
return false;
}
hsm_key_t *key = hsm_find_key_by_id(hsm_ctx, id);
if (!key) {
ods_log_error_and_printf(sockfd,
module_str,
"key %s not found in any HSM",
id);
hsm_destroy_context(hsm_ctx);
return false;
}
bool bOK = false;
char *dnskey_rr_str;
hsm_sign_params_t *sign_params = hsm_sign_params_new();
sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone);
sign_params->algorithm = (ldns_algorithm)algorithm;
sign_params->flags = LDNS_KEY_ZONE_KEY;
sign_params->flags += LDNS_KEY_SEP_KEY; /*KSK=>SEP*/
ldns_rr *dnskey_rr = hsm_get_dnskey(hsm_ctx, key, sign_params);
#if 0
ldns_rr_print(stdout, dnskey_rr);
#endif
dnskey_rr_str = ldns_rr2str(dnskey_rr);
hsm_sign_params_free(sign_params);
ldns_rr_free(dnskey_rr);
hsm_key_free(key);
/* Replace tab with white-space */
for (int i = 0; dnskey_rr_str[i]; ++i) {
if (dnskey_rr_str[i] == '\t') {
dnskey_rr_str[i] = ' ';
}
}
/* We need to strip off trailing comments before we send
to any clients that might be listening */
for (int i = 0; dnskey_rr_str[i]; ++i) {
if (dnskey_rr_str[i] == ';') {
dnskey_rr_str[i] = '\n';
dnskey_rr_str[i+1] = '\0';
break;
}
}
// pass the dnskey rr string to a configured
// delegation signer retract program.
if (!ds_retract_command || ds_retract_command[0] == '\0') {
if (!force) {
ods_log_error_and_printf(sockfd, module_str,
"No \"DelegationSignerRetractCommand\" "
"configured. No state changes made. "
"Use --force to override.");
bOK = false;
}
/* else: Do nothing, return keytag. */
} else if (stat(ds_retract_command, &stat_ret) != 0) {
/* First check that the command exists */
ods_log_error_and_printf(sockfd, module_str,
"Cannot stat file %s: %s", ds_retract_command,
strerror(errno));
} else if (S_ISREG(stat_ret.st_mode) &&
!(stat_ret.st_mode & S_IXUSR ||
stat_ret.st_mode & S_IXGRP ||
stat_ret.st_mode & S_IXOTH)) {
/* Then see if it is a regular file, then if usr, grp or
* all have execute set */
ods_log_error_and_printf(sockfd, module_str,
"File %s is not executable", ds_retract_command);
} else {
/* send records to the configured command */
FILE *fp = popen(ds_retract_command, "w");
if (fp == NULL) {
ods_log_error_and_printf(sockfd, module_str,
"failed to run command: %s: %s", ds_retract_command,
strerror(errno));
} else {
int bytes_written = fprintf(fp, "%s", dnskey_rr_str);
if (bytes_written < 0) {
ods_log_error_and_printf(sockfd, module_str,
"[%s] Failed to write to %s: %s", ds_retract_command,
strerror(errno));
} else if (pclose(fp) == -1) {
ods_log_error_and_printf(sockfd, module_str,
"failed to close %s: %s", ds_retract_command,
strerror(errno));
} else {
bOK = true;
ods_printf(sockfd, "key %s retracted by %s\n", id,
ds_retract_command);
}
}
}
LDNS_FREE(dnskey_rr_str);
hsm_destroy_context(hsm_ctx);
return bOK;
}
int
cmd_dnskey (int argc, char *argv[])
{
char *id;
char *name;
int type;
int algo;
hsm_key_t *key = NULL;
ldns_rr *dnskey_rr;
hsm_sign_params_t *sign_params;
if (argc != 4) {
usage();
return -1;
}
id = strdup(argv[0]);
name = strdup(argv[1]);
type = atoi(argv[2]);
algo = atoi(argv[3]);
key = hsm_find_key_by_id(NULL, id);
if (!key) {
printf("Key not found: %s\n", id);
free(name);
free(id);
return -1;
}
if (type != LDNS_KEY_ZONE_KEY && type != LDNS_KEY_ZONE_KEY + LDNS_KEY_SEP_KEY) {
printf("Invalid key type: %i\n", type);
printf("Please use: %i or %i\n", LDNS_KEY_ZONE_KEY, LDNS_KEY_ZONE_KEY + LDNS_KEY_SEP_KEY);
free(name);
free(id);
return -1;
}
hsm_key_info_t *key_info = hsm_get_key_info(NULL, key);
switch (algo) {
case LDNS_SIGN_RSAMD5:
case LDNS_SIGN_RSASHA1:
case LDNS_SIGN_RSASHA1_NSEC3:
case LDNS_SIGN_RSASHA256:
case LDNS_SIGN_RSASHA512:
if (strcmp(key_info->algorithm_name, "RSA") != 0) {
printf("Not an RSA key, the key is of algorithm %s.\n", key_info->algorithm_name);
hsm_key_info_free(key_info);
free(name);
free(id);
return -1;
}
break;
case LDNS_SIGN_DSA:
case LDNS_SIGN_DSA_NSEC3:
if (strcmp(key_info->algorithm_name, "DSA") != 0) {
printf("Not a DSA key, the key is of algorithm %s.\n", key_info->algorithm_name);
hsm_key_info_free(key_info);
free(name);
free(id);
return -1;
}
break;
case LDNS_SIGN_ECC_GOST:
if (strcmp(key_info->algorithm_name, "GOST") != 0) {
printf("Not a GOST key, the key is of algorithm %s.\n", key_info->algorithm_name);
hsm_key_info_free(key_info);
free(name);
free(id);
return -1;
}
break;
/* TODO: We can remove the directive if we require LDNS >= 1.6.13 */
#if !defined LDNS_BUILD_CONFIG_USE_ECDSA || LDNS_BUILD_CONFIG_USE_ECDSA
case LDNS_SIGN_ECDSAP256SHA256:
if (strcmp(key_info->algorithm_name, "ECDSA") != 0) {
printf("Not an ECDSA key, the key is of algorithm %s.\n", key_info->algorithm_name);
hsm_key_info_free(key_info);
free(name);
free(id);
return -1;
}
if (key_info->keysize != 256) {
printf("The key is a ECDSA/%lu, expecting ECDSA/256 for this algorithm.\n", key_info->keysize);
hsm_key_info_free(key_info);
free(name);
free(id);
return -1;
}
break;
case LDNS_SIGN_ECDSAP384SHA384:
if (strcmp(key_info->algorithm_name, "ECDSA") != 0) {
printf("Not an ECDSA key, the key is of algorithm %s.\n", key_info->algorithm_name);
hsm_key_info_free(key_info);
free(name);
free(id);
return -1;
}
if (key_info->keysize != 384) {
printf("The key is a ECDSA/%lu, expecting ECDSA/384 for this algorithm.\n", key_info->keysize);
hsm_key_info_free(key_info);
free(name);
free(id);
return -1;
}
break;
#endif
default:
printf("Invalid algorithm: %i\n", algo);
hsm_key_info_free(key_info);
free(name);
free(id);
return -1;
}
hsm_key_info_free(key_info);
sign_params = hsm_sign_params_new();
sign_params->algorithm = algo;
sign_params->flags = type;
sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, name);
dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
sign_params->keytag = ldns_calc_keytag(dnskey_rr);
ldns_rr_print(stdout, dnskey_rr);
hsm_sign_params_free(sign_params);
ldns_rr_free(dnskey_rr);
hsm_key_free(key);
free(name);
free(id);
return 0;
}
/**
* Get key from one of the HSMs.
*
*/
ods_status
lhsm_get_key(hsm_ctx_t* ctx, ldns_rdf* owner, key_type* key_id)
{
char *error = NULL;
int retries = 0;
if (!owner || !key_id) {
ods_log_error("[%s] unable to get key: missing required elements",
hsm_str);
return ODS_STATUS_ASSERT_ERR;
}
lhsm_key_start:
/* set parameters */
if (!key_id->params) {
key_id->params = hsm_sign_params_new();
if (key_id->params) {
key_id->params->owner = ldns_rdf_clone(owner);
key_id->params->algorithm = key_id->algorithm;
key_id->params->flags = key_id->flags;
} else {
/* could not create params */
error = hsm_get_error(ctx);
if (error) {
ods_log_error("[%s] %s", hsm_str, error);
free((void*)error);
} else if (!retries) {
lhsm_clear_key_cache(key_id);
retries++;
goto lhsm_key_start;
}
ods_log_error("[%s] unable to get key: create params for key %s "
"failed", hsm_str, key_id->locator?key_id->locator:"(null)");
return ODS_STATUS_ERR;
}
}
/* lookup key */
if (!key_id->hsmkey) {
key_id->hsmkey = hsm_find_key_by_id(ctx, key_id->locator);
}
if (!key_id->hsmkey) {
error = hsm_get_error(ctx);
if (error) {
ods_log_error("[%s] %s", hsm_str, error);
free((void*)error);
} else if (!retries) {
lhsm_clear_key_cache(key_id);
retries++;
goto lhsm_key_start;
}
/* could not find key */
ods_log_error("[%s] unable to get key: key %s not found", hsm_str,
key_id->locator?key_id->locator:"(null)");
return ODS_STATUS_ERR;
}
/* get dnskey */
if (!key_id->dnskey) {
key_id->dnskey = hsm_get_dnskey(ctx, key_id->hsmkey, key_id->params);
}
if (!key_id->dnskey) {
error = hsm_get_error(ctx);
if (error) {
ods_log_error("[%s] %s", hsm_str, error);
free((void*)error);
} else if (!retries) {
lhsm_clear_key_cache(key_id);
retries++;
goto lhsm_key_start;
}
ods_log_error("[%s] unable to get key: hsm failed to create dnskey",
hsm_str);
return ODS_STATUS_ERR;
}
key_id->params->keytag = ldns_calc_keytag(key_id->dnskey);
return ODS_STATUS_OK;
}
