/contrib/bind9/bin/dnssec/dnssec-revoke.c

https://bitbucket.org/freebsd/freebsd-head/ · C · 277 lines · 212 code · 39 blank · 26 comment · 56 complexity · 673b7a0174dd321671385ec1508c8a1d MD5 · raw file

  1. /*
  2. * Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
  3. *
  4. * Permission to use, copy, modify, and/or distribute this software for any
  5. * purpose with or without fee is hereby granted, provided that the above
  6. * copyright notice and this permission notice appear in all copies.
  7. *
  8. * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  9. * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  10. * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  11. * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  12. * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  13. * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  14. * PERFORMANCE OF THIS SOFTWARE.
  15. */
  16. /* $Id: dnssec-revoke.c,v 1.22.124.2 2011/10/20 23:46:27 tbox Exp $ */
  17. /*! \file */
  18. #include <config.h>
  19. #include <libgen.h>
  20. #include <stdlib.h>
  21. #include <unistd.h>
  22. #include <isc/buffer.h>
  23. #include <isc/commandline.h>
  24. #include <isc/entropy.h>
  25. #include <isc/file.h>
  26. #include <isc/hash.h>
  27. #include <isc/mem.h>
  28. #include <isc/print.h>
  29. #include <isc/string.h>
  30. #include <isc/util.h>
  31. #include <dns/keyvalues.h>
  32. #include <dns/result.h>
  33. #include <dst/dst.h>
  34. #include "dnssectool.h"
  35. const char *program = "dnssec-revoke";
  36. int verbose;
  37. static isc_mem_t *mctx = NULL;
  38. ISC_PLATFORM_NORETURN_PRE static void
  39. usage(void) ISC_PLATFORM_NORETURN_POST;
  40. static void
  41. usage(void) {
  42. fprintf(stderr, "Usage:\n");
  43. fprintf(stderr, " %s [options] keyfile\n\n", program);
  44. fprintf(stderr, "Version: %s\n", VERSION);
  45. #ifdef USE_PKCS11
  46. fprintf(stderr, " -E engine: specify OpenSSL engine "
  47. "(default \"pkcs11\")\n");
  48. #else
  49. fprintf(stderr, " -E engine: specify OpenSSL engine\n");
  50. #endif
  51. fprintf(stderr, " -f: force overwrite\n");
  52. fprintf(stderr, " -K directory: use directory for key files\n");
  53. fprintf(stderr, " -h: help\n");
  54. fprintf(stderr, " -r: remove old keyfiles after "
  55. "creating revoked version\n");
  56. fprintf(stderr, " -v level: set level of verbosity\n");
  57. fprintf(stderr, "Output:\n");
  58. fprintf(stderr, " K<name>+<alg>+<new id>.key, "
  59. "K<name>+<alg>+<new id>.private\n");
  60. exit (-1);
  61. }
  62. int
  63. main(int argc, char **argv) {
  64. isc_result_t result;
  65. #ifdef USE_PKCS11
  66. const char *engine = "pkcs11";
  67. #else
  68. const char *engine = NULL;
  69. #endif
  70. char *filename = NULL, *dir = NULL;
  71. char newname[1024], oldname[1024];
  72. char keystr[DST_KEY_FORMATSIZE];
  73. char *endp;
  74. int ch;
  75. isc_entropy_t *ectx = NULL;
  76. dst_key_t *key = NULL;
  77. isc_uint32_t flags;
  78. isc_buffer_t buf;
  79. isc_boolean_t force = ISC_FALSE;
  80. isc_boolean_t remove = ISC_FALSE;
  81. isc_boolean_t id = ISC_FALSE;
  82. if (argc == 1)
  83. usage();
  84. result = isc_mem_create(0, 0, &mctx);
  85. if (result != ISC_R_SUCCESS)
  86. fatal("Out of memory");
  87. dns_result_register();
  88. isc_commandline_errprint = ISC_FALSE;
  89. while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:")) != -1) {
  90. switch (ch) {
  91. case 'E':
  92. engine = isc_commandline_argument;
  93. break;
  94. case 'f':
  95. force = ISC_TRUE;
  96. break;
  97. case 'K':
  98. /*
  99. * We don't have to copy it here, but do it to
  100. * simplify cleanup later
  101. */
  102. dir = isc_mem_strdup(mctx, isc_commandline_argument);
  103. if (dir == NULL) {
  104. fatal("Failed to allocate memory for "
  105. "directory");
  106. }
  107. break;
  108. case 'r':
  109. remove = ISC_TRUE;
  110. break;
  111. case 'R':
  112. id = ISC_TRUE;
  113. break;
  114. case 'v':
  115. verbose = strtol(isc_commandline_argument, &endp, 0);
  116. if (*endp != '\0')
  117. fatal("-v must be followed by a number");
  118. break;
  119. case '?':
  120. if (isc_commandline_option != '?')
  121. fprintf(stderr, "%s: invalid argument -%c\n",
  122. program, isc_commandline_option);
  123. /* Falls into */
  124. case 'h':
  125. usage();
  126. default:
  127. fprintf(stderr, "%s: unhandled option -%c\n",
  128. program, isc_commandline_option);
  129. exit(1);
  130. }
  131. }
  132. if (argc < isc_commandline_index + 1 ||
  133. argv[isc_commandline_index] == NULL)
  134. fatal("The key file name was not specified");
  135. if (argc > isc_commandline_index + 1)
  136. fatal("Extraneous arguments");
  137. if (dir != NULL) {
  138. filename = argv[isc_commandline_index];
  139. } else {
  140. result = isc_file_splitpath(mctx, argv[isc_commandline_index],
  141. &dir, &filename);
  142. if (result != ISC_R_SUCCESS)
  143. fatal("cannot process filename %s: %s",
  144. argv[isc_commandline_index],
  145. isc_result_totext(result));
  146. if (strcmp(dir, ".") == 0) {
  147. isc_mem_free(mctx, dir);
  148. dir = NULL;
  149. }
  150. }
  151. if (ectx == NULL)
  152. setup_entropy(mctx, NULL, &ectx);
  153. result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
  154. if (result != ISC_R_SUCCESS)
  155. fatal("Could not initialize hash");
  156. result = dst_lib_init2(mctx, ectx, engine,
  157. ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
  158. if (result != ISC_R_SUCCESS)
  159. fatal("Could not initialize dst: %s",
  160. isc_result_totext(result));
  161. isc_entropy_stopcallbacksources(ectx);
  162. result = dst_key_fromnamedfile(filename, dir,
  163. DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
  164. mctx, &key);
  165. if (result != ISC_R_SUCCESS)
  166. fatal("Invalid keyfile name %s: %s",
  167. filename, isc_result_totext(result));
  168. if (id) {
  169. fprintf(stdout, "%u\n", dst_key_rid(key));
  170. goto cleanup;
  171. }
  172. dst_key_format(key, keystr, sizeof(keystr));
  173. if (verbose > 2)
  174. fprintf(stderr, "%s: %s\n", program, keystr);
  175. if (force)
  176. set_keyversion(key);
  177. else
  178. check_keyversion(key, keystr);
  179. flags = dst_key_flags(key);
  180. if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
  181. isc_stdtime_t now;
  182. if ((flags & DNS_KEYFLAG_KSK) == 0)
  183. fprintf(stderr, "%s: warning: Key is not flagged "
  184. "as a KSK. Revoking a ZSK is "
  185. "legal, but undefined.\n",
  186. program);
  187. isc_stdtime_get(&now);
  188. dst_key_settime(key, DST_TIME_REVOKE, now);
  189. dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
  190. isc_buffer_init(&buf, newname, sizeof(newname));
  191. dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
  192. if (access(newname, F_OK) == 0 && !force) {
  193. fatal("Key file %s already exists; "
  194. "use -f to force overwrite", newname);
  195. }
  196. result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
  197. dir);
  198. if (result != ISC_R_SUCCESS) {
  199. dst_key_format(key, keystr, sizeof(keystr));
  200. fatal("Failed to write key %s: %s", keystr,
  201. isc_result_totext(result));
  202. }
  203. isc_buffer_clear(&buf);
  204. dst_key_buildfilename(key, 0, dir, &buf);
  205. printf("%s\n", newname);
  206. /*
  207. * Remove old key file, if told to (and if
  208. * it isn't the same as the new file)
  209. */
  210. if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
  211. isc_buffer_init(&buf, oldname, sizeof(oldname));
  212. dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
  213. dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
  214. if (strcmp(oldname, newname) == 0)
  215. goto cleanup;
  216. if (access(oldname, F_OK) == 0)
  217. unlink(oldname);
  218. isc_buffer_clear(&buf);
  219. dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
  220. if (access(oldname, F_OK) == 0)
  221. unlink(oldname);
  222. }
  223. } else {
  224. dst_key_format(key, keystr, sizeof(keystr));
  225. fatal("Key %s is already revoked", keystr);
  226. }
  227. cleanup:
  228. dst_key_free(&key);
  229. dst_lib_destroy();
  230. isc_hash_destroy();
  231. cleanup_entropy(&ectx);
  232. if (verbose > 10)
  233. isc_mem_stats(mctx, stdout);
  234. if (dir != NULL)
  235. isc_mem_free(mctx, dir);
  236. isc_mem_destroy(&mctx);
  237. return (0);
  238. }