33#include "cmdhandler.h"
39#include "clientpipe.h"
40#include "longgetopt.h"
50static const char *module_str =
"keystate_export_cmd";
59get_dnskey(
const char *
id,
const char *zone,
const char *keytype,
int alg, uint32_t ttl)
62 hsm_sign_params_t *sign_params;
65 hsm_ctx_t *hsm_ctx = hsm_create_context();
67 ods_log_error(
"[%s] Could not connect to HSM", module_str);
70 if (!(key = hsm_find_key_by_id(hsm_ctx,
id))) {
71 hsm_destroy_context(hsm_ctx);
77 sign_params = hsm_sign_params_new();
78 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone);
79 sign_params->algorithm = (ldns_algorithm) alg;
80 sign_params->flags = LDNS_KEY_ZONE_KEY;
82 if (keytype && (!strcasecmp(keytype,
"KSK") || !strcasecmp(keytype,
"CSK")))
83 sign_params->flags = sign_params->flags | LDNS_KEY_SEP_KEY;
86 dnskey_rr = hsm_get_dnskey(hsm_ctx, key, sign_params);
89 hsm_sign_params_free(sign_params);
90 hsm_destroy_context(hsm_ctx);
94 ldns_rr_set_ttl(dnskey_rr, ttl);
110print_ds_from_id(
int sockfd,
key_data_t *key,
const char *zone,
111 const char* state,
int bind_style,
int print_sha1)
139 ds_sha_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA1);
140 rrstr = ldns_rr2str(ds_sha_rr);
141 ldns_rr_free(ds_sha_rr);
143 (void)client_printf(sockfd,
";%s %s DS record (SHA1):\n%s", state,
key_data_role_text(key), rrstr);
146 ds_sha_rr = ldns_key_rr2ds(dnskey_rr, LDNS_SHA256);
147 rrstr = ldns_rr2str(ds_sha_rr);
148 ldns_rr_free(ds_sha_rr);
150 (void)client_printf(sockfd,
";%s %s DS record (SHA256):\n%s", state,
key_data_role_text(key), rrstr);
154 rrstr = ldns_rr2str_fmt(ldns_output_format_nocomments, dnskey_rr);
156 (void)client_printf(sockfd,
"%s", rrstr);
160 ldns_rr_free(dnskey_rr);
166 const char *zonename,
const char *keytype,
const char *keystate,
167 const hsm_key_t *hsmkey,
int all,
int bind_style,
int print_sha1)
173 const char *azonename = NULL;
187 ods_log_error(
"[%s] Error fetching from database", module_str);
200 ods_log_error(
"[%s] Error fetching from database", module_str);
212 if (keystate && strcasecmp(
map_keystate(key), keystate)) {
216 if (!keytype && !keystate && !hsmkey &&
227 ods_log_error(
"[%s] Error fetching from database", module_str);
228 client_printf_err(sockfd,
"Error fetching from database \n");
233 if (print_ds_from_id(sockfd, key, (
const char*)azonename?azonename:zonename, (const char*)
map_keystate(key), bind_style, print_sha1)) {
234 ods_log_error(
"[%s] Error in print_ds_from_id", module_str);
235 client_printf_err(sockfd,
"Error in print_ds_from_id \n");
238 ods_log_error(
"[%s] Error fetching from database", module_str);
239 client_printf_err(sockfd,
"Error fetching from database \n");
253 client_printf(sockfd,
255 " --zone <zone> | --all aka -z | -a \n"
256 " --keystate <state> aka -e\n"
257 " --keytype <type> aka -t \n"
258 " --cka_id <CKA_ID> aka -k \n"
259 " [--ds [--sha1]] aka -d [-s]\n"
266 client_printf(sockfd,
267 "Export DNSKEY(s) for a given zone or all of them from the database.\n"
268 "If keytype and keystate are not specified, KSKs which are waiting for command ds-submit, ds-seen, ds-retract and ds-gone are shown. Otherwise both keystate and keytype must be given.\n"
269 "If cka_id is specified then that key is output for the specified zones.\n"
272 "zone|all specify a zone or all of them\n"
273 "keystate limit the output to a given state\n"
274 "keytype limit the output to a given type, can be ZSK, KSK, or CSK\n"
275 "cka_id limit the output to the given key locator\n"
276 "ds export DS in BIND format which can be used for upload to a registry\n"
277 "sha1 When outputting DS print sha1 instead of sha256\n");
281run(cmdhandler_ctx_type* context,
int argc,
char* argv[])
283 int sockfd = context->sockfd;
284 struct longgetopt optctx;
285 const char *zonename = NULL;
286 const char* keytype = NULL;
287 const char* keystate = NULL;
288 const char* cka_id = NULL;
294 int long_index = 0, opt = 0;
297 static struct option long_options[] = {
298 {
"zone", required_argument, 0,
'z'},
299 {
"keytype", required_argument, 0,
't'},
300 {
"keystate", required_argument, 0,
'e'},
301 {
"cka_id", required_argument, 0,
'k'},
302 {
"all", no_argument, 0,
'a'},
303 {
"ds", no_argument, 0,
'd'},
304 {
"sha1", no_argument, 0,
's'},
308 for(opt = longgetopt(argc, argv,
"z:t:e:k:ads", long_options, &long_index, &optctx); opt != -1;
309 opt = longgetopt(argc, argv, NULL, long_options, &long_index, &optctx)) {
312 zonename = optctx.optarg;
315 keytype = optctx.optarg;
318 keystate = optctx.optarg;
321 cka_id = optctx.optarg;
333 client_printf_err(sockfd,
"unknown arguments\n");
334 ods_log_error(
"[%s] unknown arguments for key export command", module_str);
340 if (strcasecmp(keytype,
"KSK") && strcasecmp(keytype,
"ZSK") && strcasecmp(keytype,
"CSK")) {
341 ods_log_error(
"[%s] unknown keytype, should be one of KSK, ZSK, or CSK", module_str);
342 client_printf_err(sockfd,
"unknown keytype, should be one of KSK, ZSK, or CSK\n");
348 if (strcasecmp(keystate,
"generate") && strcasecmp(keystate,
"publish") && strcasecmp(keystate,
"ready") && strcasecmp(keystate,
"active") && strcasecmp(keystate,
"retire") && strcasecmp(keystate,
"unknown") && strcasecmp(keystate,
"mixed")) {
349 ods_log_error(
"[%s] unknown keystate", module_str);
350 client_printf_err(sockfd,
"unknown keystate\n");
356 if ((!zonename && !all) || (zonename && all)) {
357 ods_log_error(
"[%s] expected either --zone or --all for key export command", module_str);
358 client_printf_err(sockfd,
"expected either --zone or --all \n");
362 ods_log_error(
"[%s] Unknown zone: %s", module_str, zonename);
363 client_printf_err(sockfd,
"Unknown zone: %s\n", zonename);
373 if ((keytype && !keystate) || (!keytype && keystate)) {
374 ods_log_error(
"[%s] expected both --keystate and --keytype together or none of them", module_str);
375 client_printf_err(sockfd,
"expected both --keystate and --keytype together or none of them\n");
380 client_printf_err(sockfd,
"CKA_ID %s can not be found!\n", cka_id);
385 return perform_keystate_export(sockfd, dbconn, zonename, (
const char*) keytype, (
const char*) keystate, hsmkey, all, ds, bsha1);
389 "key export", &usage, &help, NULL, NULL, &run, NULL
db_clause_list_t * db_clause_list_new(void)
void db_clause_list_free(db_clause_list_t *clause_list)
db_connection_t * getconnectioncontext(cmdhandler_ctx_type *context)
const char * hsm_key_locator(const hsm_key_t *hsm_key)
hsm_key_t * hsm_key_new_get_by_locator(const db_connection_t *connection, const char *locator)
const db_value_t * hsm_key_id(const hsm_key_t *hsm_key)
void key_data_free(key_data_t *key_data)
const hsm_key_t * key_data_hsm_key(const key_data_t *key_data)
db_clause_t * key_data_hsm_key_id_clause(db_clause_list_t *clause_list, const db_value_t *hsm_key_id)
key_data_list_t * key_data_list_new_get(const db_connection_t *connection)
int key_data_list_get_by_clauses(key_data_list_t *key_data_list, const db_clause_list_t *clause_list)
const char * key_data_role_text(const key_data_t *key_data)
void key_data_list_free(key_data_list_t *key_data_list)
key_data_t * key_data_list_get_next(key_data_list_t *key_data_list)
int key_data_cache_hsm_key(key_data_t *key_data)
key_data_list_t * key_data_list_new(const db_connection_t *connection)
unsigned int key_data_algorithm(const key_data_t *key_data)
db_clause_t * key_data_zone_id_clause(db_clause_list_t *clause_list, const db_value_t *zone_id)
const db_value_t * key_data_zone_id(const key_data_t *key_data)
@ KEY_DATA_DS_AT_PARENT_SUBMITTED
@ KEY_DATA_DS_AT_PARENT_RETRACT
@ KEY_DATA_DS_AT_PARENT_SUBMIT
@ KEY_DATA_DS_AT_PARENT_RETRACTED
int key_data_cache_key_states(key_data_t *key_data)
const key_state_t * key_data_cached_dnskey(key_data_t *key_data)
const key_state_t * key_data_cached_ds(key_data_t *key_data)
unsigned int key_state_ttl(const key_state_t *key_state)
struct cmd_func_block key_export_funcblock
const char * map_keystate(key_data_t *key)
void zone_db_free(zone_db_t *zone)
const char * zone_db_name(const zone_db_t *zone)
int zone_db_get_by_id(zone_db_t *zone, const db_value_t *id)
zone_db_t * zone_db_new(const db_connection_t *connection)
const db_value_t * zone_db_id(const zone_db_t *zone)
zone_db_t * zone_db_new_get_by_name(const db_connection_t *connection, const char *name)