/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c

https://bitbucket.org/freebsd/freebsd-head/ · C · 519 lines · 407 code · 87 blank · 25 comment · 117 complexity · 09871fe0dc01ead2c6c8b2a4b8d44895 MD5 · raw file

  1. /*
  2. * Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
  3. *
  4. * Permission to use, copy, modify, and/or distribute this software for any
  5. * purpose with or without fee is hereby granted, provided that the above
  6. * copyright notice and this permission notice appear in all copies.
  7. *
  8. * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  9. * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  10. * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  11. * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  12. * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  13. * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  14. * PERFORMANCE OF THIS SOFTWARE.
  15. */
  16. /* $Id: dnssec-dsfromkey.c,v 1.19.14.2 2011/09/05 23:45:53 tbox Exp $ */
  17. /*! \file */
  18. #include <config.h>
  19. #include <stdlib.h>
  20. #include <isc/buffer.h>
  21. #include <isc/commandline.h>
  22. #include <isc/entropy.h>
  23. #include <isc/hash.h>
  24. #include <isc/mem.h>
  25. #include <isc/print.h>
  26. #include <isc/string.h>
  27. #include <isc/util.h>
  28. #include <dns/db.h>
  29. #include <dns/dbiterator.h>
  30. #include <dns/ds.h>
  31. #include <dns/fixedname.h>
  32. #include <dns/log.h>
  33. #include <dns/keyvalues.h>
  34. #include <dns/master.h>
  35. #include <dns/name.h>
  36. #include <dns/rdata.h>
  37. #include <dns/rdataclass.h>
  38. #include <dns/rdataset.h>
  39. #include <dns/rdatasetiter.h>
  40. #include <dns/rdatatype.h>
  41. #include <dns/result.h>
  42. #include <dst/dst.h>
  43. #include "dnssectool.h"
  44. #ifndef PATH_MAX
  45. #define PATH_MAX 1024 /* AIX, WIN32, and others don't define this. */
  46. #endif
  47. const char *program = "dnssec-dsfromkey";
  48. int verbose;
  49. static dns_rdataclass_t rdclass;
  50. static dns_fixedname_t fixed;
  51. static dns_name_t *name = NULL;
  52. static isc_mem_t *mctx = NULL;
  53. static isc_result_t
  54. initname(char *setname) {
  55. isc_result_t result;
  56. isc_buffer_t buf;
  57. dns_fixedname_init(&fixed);
  58. name = dns_fixedname_name(&fixed);
  59. isc_buffer_init(&buf, setname, strlen(setname));
  60. isc_buffer_add(&buf, strlen(setname));
  61. result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
  62. return (result);
  63. }
  64. static isc_result_t
  65. loadsetfromfile(char *filename, dns_rdataset_t *rdataset) {
  66. isc_result_t result;
  67. dns_db_t *db = NULL;
  68. dns_dbnode_t *node = NULL;
  69. char setname[DNS_NAME_FORMATSIZE];
  70. dns_name_format(name, setname, sizeof(setname));
  71. result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
  72. rdclass, 0, NULL, &db);
  73. if (result != ISC_R_SUCCESS)
  74. fatal("can't create database");
  75. result = dns_db_load(db, filename);
  76. if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
  77. fatal("can't load %s: %s", filename, isc_result_totext(result));
  78. result = dns_db_findnode(db, name, ISC_FALSE, &node);
  79. if (result != ISC_R_SUCCESS)
  80. fatal("can't find %s node in %s", setname, filename);
  81. result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
  82. 0, 0, rdataset, NULL);
  83. if (result == ISC_R_NOTFOUND)
  84. fatal("no DNSKEY RR for %s in %s", setname, filename);
  85. else if (result != ISC_R_SUCCESS)
  86. fatal("dns_db_findrdataset");
  87. if (node != NULL)
  88. dns_db_detachnode(db, &node);
  89. if (db != NULL)
  90. dns_db_detach(&db);
  91. return (result);
  92. }
  93. static isc_result_t
  94. loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
  95. isc_result_t result;
  96. char filename[PATH_MAX + 1];
  97. isc_buffer_t buf;
  98. dns_rdataset_init(rdataset);
  99. isc_buffer_init(&buf, filename, sizeof(filename));
  100. if (dirname != NULL) {
  101. /* allow room for a trailing slash */
  102. if (strlen(dirname) >= isc_buffer_availablelength(&buf))
  103. return (ISC_R_NOSPACE);
  104. isc_buffer_putstr(&buf, dirname);
  105. if (dirname[strlen(dirname) - 1] != '/')
  106. isc_buffer_putstr(&buf, "/");
  107. }
  108. if (isc_buffer_availablelength(&buf) < 7)
  109. return (ISC_R_NOSPACE);
  110. isc_buffer_putstr(&buf, "keyset-");
  111. result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
  112. check_result(result, "dns_name_tofilenametext()");
  113. if (isc_buffer_availablelength(&buf) == 0)
  114. return (ISC_R_NOSPACE);
  115. isc_buffer_putuint8(&buf, 0);
  116. return (loadsetfromfile(filename, rdataset));
  117. }
  118. static void
  119. loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
  120. dns_rdata_t *rdata)
  121. {
  122. isc_result_t result;
  123. dst_key_t *key = NULL;
  124. isc_buffer_t keyb;
  125. isc_region_t r;
  126. dns_rdata_init(rdata);
  127. isc_buffer_init(&keyb, key_buf, key_buf_size);
  128. result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
  129. mctx, &key);
  130. if (result != ISC_R_SUCCESS)
  131. fatal("invalid keyfile name %s: %s",
  132. filename, isc_result_totext(result));
  133. if (verbose > 2) {
  134. char keystr[DST_KEY_FORMATSIZE];
  135. dst_key_format(key, keystr, sizeof(keystr));
  136. fprintf(stderr, "%s: %s\n", program, keystr);
  137. }
  138. result = dst_key_todns(key, &keyb);
  139. if (result != ISC_R_SUCCESS)
  140. fatal("can't decode key");
  141. isc_buffer_usedregion(&keyb, &r);
  142. dns_rdata_fromregion(rdata, dst_key_class(key),
  143. dns_rdatatype_dnskey, &r);
  144. rdclass = dst_key_class(key);
  145. dns_fixedname_init(&fixed);
  146. name = dns_fixedname_name(&fixed);
  147. result = dns_name_copy(dst_key_name(key), name, NULL);
  148. if (result != ISC_R_SUCCESS)
  149. fatal("can't copy name");
  150. dst_key_free(&key);
  151. }
  152. static void
  153. logkey(dns_rdata_t *rdata)
  154. {
  155. isc_result_t result;
  156. dst_key_t *key = NULL;
  157. isc_buffer_t buf;
  158. char keystr[DST_KEY_FORMATSIZE];
  159. isc_buffer_init(&buf, rdata->data, rdata->length);
  160. isc_buffer_add(&buf, rdata->length);
  161. result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
  162. if (result != ISC_R_SUCCESS)
  163. return;
  164. dst_key_format(key, keystr, sizeof(keystr));
  165. fprintf(stderr, "%s: %s\n", program, keystr);
  166. dst_key_free(&key);
  167. }
  168. static void
  169. emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
  170. dns_rdata_t *rdata)
  171. {
  172. isc_result_t result;
  173. unsigned char buf[DNS_DS_BUFFERSIZE];
  174. char text_buf[DST_KEY_MAXTEXTSIZE];
  175. char name_buf[DNS_NAME_MAXWIRE];
  176. char class_buf[10];
  177. isc_buffer_t textb, nameb, classb;
  178. isc_region_t r;
  179. dns_rdata_t ds;
  180. dns_rdata_dnskey_t dnskey;
  181. isc_buffer_init(&textb, text_buf, sizeof(text_buf));
  182. isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
  183. isc_buffer_init(&classb, class_buf, sizeof(class_buf));
  184. dns_rdata_init(&ds);
  185. result = dns_rdata_tostruct(rdata, &dnskey, NULL);
  186. if (result != ISC_R_SUCCESS)
  187. fatal("can't convert DNSKEY");
  188. if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
  189. return;
  190. result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
  191. if (result != ISC_R_SUCCESS)
  192. fatal("can't build record");
  193. result = dns_name_totext(name, ISC_FALSE, &nameb);
  194. if (result != ISC_R_SUCCESS)
  195. fatal("can't print name");
  196. /* Add lookaside origin, if set */
  197. if (lookaside != NULL) {
  198. if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
  199. fatal("DLV origin '%s' is too long", lookaside);
  200. isc_buffer_putstr(&nameb, lookaside);
  201. if (lookaside[strlen(lookaside) - 1] != '.') {
  202. if (isc_buffer_availablelength(&nameb) < 1)
  203. fatal("DLV origin '%s' is too long", lookaside);
  204. isc_buffer_putstr(&nameb, ".");
  205. }
  206. }
  207. result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
  208. if (result != ISC_R_SUCCESS)
  209. fatal("can't print rdata");
  210. result = dns_rdataclass_totext(rdclass, &classb);
  211. if (result != ISC_R_SUCCESS)
  212. fatal("can't print class");
  213. isc_buffer_usedregion(&nameb, &r);
  214. printf("%.*s ", (int)r.length, r.base);
  215. isc_buffer_usedregion(&classb, &r);
  216. printf("%.*s", (int)r.length, r.base);
  217. if (lookaside == NULL)
  218. printf(" DS ");
  219. else
  220. printf(" DLV ");
  221. isc_buffer_usedregion(&textb, &r);
  222. printf("%.*s\n", (int)r.length, r.base);
  223. }
  224. ISC_PLATFORM_NORETURN_PRE static void
  225. usage(void) ISC_PLATFORM_NORETURN_POST;
  226. static void
  227. usage(void) {
  228. fprintf(stderr, "Usage:\n");
  229. fprintf(stderr, " %s options [-K dir] keyfile\n\n", program);
  230. fprintf(stderr, " %s options [-K dir] [-c class] -s dnsname\n\n",
  231. program);
  232. fprintf(stderr, " %s options -f zonefile (as zone name)\n\n", program);
  233. fprintf(stderr, " %s options -f zonefile zonename\n\n", program);
  234. fprintf(stderr, "Version: %s\n", VERSION);
  235. fprintf(stderr, "Options:\n");
  236. fprintf(stderr, " -v <verbose level>\n");
  237. fprintf(stderr, " -K <directory>: directory in which to find "
  238. "key file or keyset file\n");
  239. fprintf(stderr, " -a algorithm: digest algorithm "
  240. "(SHA-1, SHA-256 or GOST)\n");
  241. fprintf(stderr, " -1: use SHA-1\n");
  242. fprintf(stderr, " -2: use SHA-256\n");
  243. fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
  244. fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
  245. fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
  246. fprintf(stderr, " -f file: read keyset from zone file\n");
  247. fprintf(stderr, " -A: when used with -f, "
  248. "include all keys in DS set, not just KSKs\n");
  249. fprintf(stderr, "Output: DS or DLV RRs\n");
  250. exit (-1);
  251. }
  252. int
  253. main(int argc, char **argv) {
  254. char *algname = NULL, *classname = NULL;
  255. char *filename = NULL, *dir = NULL, *namestr;
  256. char *lookaside = NULL;
  257. char *endp;
  258. int ch;
  259. unsigned int dtype = DNS_DSDIGEST_SHA1;
  260. isc_boolean_t both = ISC_TRUE;
  261. isc_boolean_t usekeyset = ISC_FALSE;
  262. isc_boolean_t showall = ISC_FALSE;
  263. isc_result_t result;
  264. isc_log_t *log = NULL;
  265. isc_entropy_t *ectx = NULL;
  266. dns_rdataset_t rdataset;
  267. dns_rdata_t rdata;
  268. dns_rdata_init(&rdata);
  269. if (argc == 1)
  270. usage();
  271. result = isc_mem_create(0, 0, &mctx);
  272. if (result != ISC_R_SUCCESS)
  273. fatal("out of memory");
  274. dns_result_register();
  275. isc_commandline_errprint = ISC_FALSE;
  276. while ((ch = isc_commandline_parse(argc, argv,
  277. "12Aa:c:d:Ff:K:l:sv:h")) != -1) {
  278. switch (ch) {
  279. case '1':
  280. dtype = DNS_DSDIGEST_SHA1;
  281. both = ISC_FALSE;
  282. break;
  283. case '2':
  284. dtype = DNS_DSDIGEST_SHA256;
  285. both = ISC_FALSE;
  286. break;
  287. case 'A':
  288. showall = ISC_TRUE;
  289. break;
  290. case 'a':
  291. algname = isc_commandline_argument;
  292. both = ISC_FALSE;
  293. break;
  294. case 'c':
  295. classname = isc_commandline_argument;
  296. break;
  297. case 'd':
  298. fprintf(stderr, "%s: the -d option is deprecated; "
  299. "use -K\n", program);
  300. /* fall through */
  301. case 'K':
  302. dir = isc_commandline_argument;
  303. if (strlen(dir) == 0U)
  304. fatal("directory must be non-empty string");
  305. break;
  306. case 'f':
  307. filename = isc_commandline_argument;
  308. break;
  309. case 'l':
  310. lookaside = isc_commandline_argument;
  311. if (strlen(lookaside) == 0U)
  312. fatal("lookaside must be a non-empty string");
  313. break;
  314. case 's':
  315. usekeyset = ISC_TRUE;
  316. break;
  317. case 'v':
  318. verbose = strtol(isc_commandline_argument, &endp, 0);
  319. if (*endp != '\0')
  320. fatal("-v must be followed by a number");
  321. break;
  322. case 'F':
  323. /* Reserved for FIPS mode */
  324. /* FALLTHROUGH */
  325. case '?':
  326. if (isc_commandline_option != '?')
  327. fprintf(stderr, "%s: invalid argument -%c\n",
  328. program, isc_commandline_option);
  329. /* FALLTHROUGH */
  330. case 'h':
  331. usage();
  332. default:
  333. fprintf(stderr, "%s: unhandled option -%c\n",
  334. program, isc_commandline_option);
  335. exit(1);
  336. }
  337. }
  338. if (algname != NULL) {
  339. if (strcasecmp(algname, "SHA1") == 0 ||
  340. strcasecmp(algname, "SHA-1") == 0)
  341. dtype = DNS_DSDIGEST_SHA1;
  342. else if (strcasecmp(algname, "SHA256") == 0 ||
  343. strcasecmp(algname, "SHA-256") == 0)
  344. dtype = DNS_DSDIGEST_SHA256;
  345. #ifdef HAVE_OPENSSL_GOST
  346. else if (strcasecmp(algname, "GOST") == 0)
  347. dtype = DNS_DSDIGEST_GOST;
  348. #endif
  349. else
  350. fatal("unknown algorithm %s", algname);
  351. }
  352. rdclass = strtoclass(classname);
  353. if (usekeyset && filename != NULL)
  354. fatal("cannot use both -s and -f");
  355. /* When not using -f, -A is implicit */
  356. if (filename == NULL)
  357. showall = ISC_TRUE;
  358. if (argc < isc_commandline_index + 1 && filename == NULL)
  359. fatal("the key file name was not specified");
  360. if (argc > isc_commandline_index + 1)
  361. fatal("extraneous arguments");
  362. if (ectx == NULL)
  363. setup_entropy(mctx, NULL, &ectx);
  364. result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
  365. if (result != ISC_R_SUCCESS)
  366. fatal("could not initialize hash");
  367. result = dst_lib_init(mctx, ectx,
  368. ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
  369. if (result != ISC_R_SUCCESS)
  370. fatal("could not initialize dst: %s",
  371. isc_result_totext(result));
  372. isc_entropy_stopcallbacksources(ectx);
  373. setup_logging(verbose, mctx, &log);
  374. dns_rdataset_init(&rdataset);
  375. if (usekeyset || filename != NULL) {
  376. if (argc < isc_commandline_index + 1 && filename != NULL) {
  377. /* using zone name as the zone file name */
  378. namestr = filename;
  379. } else
  380. namestr = argv[isc_commandline_index];
  381. result = initname(namestr);
  382. if (result != ISC_R_SUCCESS)
  383. fatal("could not initialize name %s", namestr);
  384. if (usekeyset)
  385. result = loadkeyset(dir, &rdataset);
  386. else
  387. result = loadsetfromfile(filename, &rdataset);
  388. if (result != ISC_R_SUCCESS)
  389. fatal("could not load DNSKEY set: %s\n",
  390. isc_result_totext(result));
  391. for (result = dns_rdataset_first(&rdataset);
  392. result == ISC_R_SUCCESS;
  393. result = dns_rdataset_next(&rdataset)) {
  394. dns_rdata_init(&rdata);
  395. dns_rdataset_current(&rdataset, &rdata);
  396. if (verbose > 2)
  397. logkey(&rdata);
  398. if (both) {
  399. emit(DNS_DSDIGEST_SHA1, showall, lookaside,
  400. &rdata);
  401. emit(DNS_DSDIGEST_SHA256, showall, lookaside,
  402. &rdata);
  403. } else
  404. emit(dtype, showall, lookaside, &rdata);
  405. }
  406. } else {
  407. unsigned char key_buf[DST_KEY_MAXSIZE];
  408. loadkey(argv[isc_commandline_index], key_buf,
  409. DST_KEY_MAXSIZE, &rdata);
  410. if (both) {
  411. emit(DNS_DSDIGEST_SHA1, showall, lookaside, &rdata);
  412. emit(DNS_DSDIGEST_SHA256, showall, lookaside, &rdata);
  413. } else
  414. emit(dtype, showall, lookaside, &rdata);
  415. }
  416. if (dns_rdataset_isassociated(&rdataset))
  417. dns_rdataset_disassociate(&rdataset);
  418. cleanup_logging(&log);
  419. dst_lib_destroy();
  420. isc_hash_destroy();
  421. cleanup_entropy(&ectx);
  422. dns_name_destroy();
  423. if (verbose > 10)
  424. isc_mem_stats(mctx, stdout);
  425. isc_mem_destroy(&mctx);
  426. fflush(stdout);
  427. if (ferror(stdout)) {
  428. fprintf(stderr, "write error\n");
  429. return (1);
  430. } else
  431. return (0);
  432. }