43 #include <libxml/xmlreader.h> 44 #include <libxml/xpath.h> 59 #include "libhsmdns.h" 65 log_msg(NULL, LOG_ERR,
"Error in server_init, no config provided");
89 hsm_ctx_t *ctx = NULL;
90 char *hsm_error_message = NULL;
93 char *lock_filename = NULL;
96 log_msg(NULL, LOG_ERR,
"Error in server_main, no config provided");
101 if (policy == NULL) {
102 log_msg(config, LOG_ERR,
"Malloc for policy struct failed");
110 log_msg(config, LOG_ERR,
"Error reading config");
118 result = hsm_open(config->
configfile, hsm_check_pin);
120 result = hsm_open(OPENDNSSEC_CONFIG_FILE, hsm_check_pin);
123 hsm_error_message = hsm_get_error(ctx);
124 if (hsm_error_message) {
125 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
126 free(hsm_error_message);
132 log_msg(config, LOG_ERR,
"hsm_open() result: HSM error");
134 case HSM_PIN_INCORRECT:
135 log_msg(config, LOG_ERR,
"hsm_open() result: incorrect PIN");
137 case HSM_CONFIG_FILE_ERROR:
138 log_msg(config, LOG_ERR,
"hsm_open() result: config file error");
140 case HSM_REPOSITORY_NOT_FOUND:
141 log_msg(config, LOG_ERR,
"hsm_open() result: repository not found");
143 case HSM_NO_REPOSITORIES:
144 log_msg(config, LOG_ERR,
"hsm_open() result: no repositories");
147 log_msg(config, LOG_ERR,
"hsm_open() result: %d", result);
150 if (result == HSM_NO_REPOSITORIES) {
156 log_msg(config, LOG_INFO,
"HSM opened successfully.");
157 ctx = hsm_create_context();
160 log_msg(config, LOG_INFO,
"Checking database connection...");
162 log_msg(config, LOG_ERR,
"Database connection failed");
165 log_msg(config, LOG_INFO,
"Database connection ok.");
169 log_msg(config, LOG_ERR,
"cannot write the pidfile %s: %s",
170 config->
pidfile, strerror(errno));
179 log_msg(config, LOG_ERR,
"Error reading config");
189 lock_filename = NULL;
193 lock_fd = fopen(lock_filename,
"w");
197 log_msg(config, LOG_ERR,
"Error getting db lock");
203 log_msg(config, LOG_INFO,
"Connecting to Database...");
207 if (config->
policy != NULL) {
208 log_msg(config, LOG_INFO,
"Will only process policy \"%s\" as specified on the command line with the --policy option.", config->
policy);
211 log_msg(config, LOG_ERR,
"Policy \"%s\" not found. Exiting.", config->
policy);
222 while (status == 0) {
223 log_msg(config, LOG_INFO,
"Policy %s found.", policy->name);
231 if (policy->denial->version == 3)
236 log_msg(config, LOG_ERR,
"Error (%d) updating salt for %s", status, policy->name);
249 if (policy->keys->purge != -1) {
250 status =
do_purge(policy->keys->purge, policy->id);
257 log_msg(config, LOG_ERR,
"Error querying KASP DB for policies.");
273 log_msg(config, LOG_INFO,
"Disconnecting from Database...");
280 log_msg(config, LOG_ERR,
"Error releasing db lock");
287 if (config->
once ==
true ){
288 log_msg(config, LOG_INFO,
"Running once only, exiting...");
293 if (config->
term == 1 ){
294 log_msg(config, LOG_INFO,
"Received SIGTERM, exiting...");
298 if (config->
term == 2 ){
299 log_msg(config, LOG_INFO,
"Received SIGINT, exiting...");
306 log_msg(config, LOG_INFO,
"Sleeping for %i seconds.",config->
interval);
307 select(0, NULL, NULL, NULL, &tv);
310 if (config->
term == 1 ){
311 log_msg(config, LOG_INFO,
"Received SIGTERM, exiting...");
315 if (config->
term == 2 ){
316 log_msg(config, LOG_INFO,
"Received SIGINT, exiting...");
329 hsm_destroy_context(ctx);
332 result = hsm_close();
333 log_msg(config, LOG_INFO,
"all done! hsm_close result: %d", result);
337 if (unlink(config->
pidfile) == -1) {
338 log_msg(config, LOG_ERR,
"unlink pidfile %s failed: %s",
354 hsm_key_t *key = NULL;
355 char *hsm_error_message = NULL;
359 int keys_in_queue = 0;
361 unsigned int current_count = 0;
364 int ksks_created = 0;
370 log_msg(config, LOG_INFO,
"Key sharing is On");
372 log_msg(config, LOG_INFO,
"Key sharing is Off.");
378 if (rightnow == NULL) {
379 log_msg(config, LOG_ERR,
"Couldn't turn \"now\" into a date, quitting...");
399 if (zone_count == 0) {
400 log_msg(config, LOG_INFO,
"No zones on policy %s, skipping...", policy->
name);
405 log_msg(NULL, LOG_ERR,
"Could not count zones on policy %s", policy->
name);
409 log_msg(config, LOG_INFO,
"%d zone(s) found on policy \"%s\"\n", zone_count, policy->
name);
414 log_msg(NULL, LOG_ERR,
"Could not predict ksk requirement for next interval for %s", policy->
name);
420 log_msg(NULL, LOG_ERR,
"Could not count current ksk numbers for policy %s", policy->
name);
425 new_keys = ksks_needed - keys_in_queue;
429 current_count = hsm_count_keys_repository(ctx, policy->
ksk->
sm_name);
431 log_msg(config, LOG_ERR,
"Repository %s is full, cannot create more KSKs for policy %s\n", policy->
ksk->
sm_name, policy->
name);
435 log_msg(config, LOG_WARNING,
"Repository %s is nearly full, will create %lu KSKs for policy %s (reduced from %d)\n", policy->
ksk->
sm_name, policy->
ksk->
sm_capacity - current_count, policy->
name, new_keys);
439 if (new_keys <= 0 ) {
440 log_msg(config, LOG_INFO,
"No new KSKs need to be created.\n");
443 log_msg(config, LOG_INFO,
"%d new KSK(s) (%d bits) need to be created for policy %s: keys_to_generate(%d) = keys_needed(%d) - keys_available(%d).\n", new_keys, policy->
ksk->
bits, policy->
name, new_keys, ksks_needed, keys_in_queue);
447 for (i=new_keys ; i > 0 ; i--){
448 if (hsm_supported_algorithm(policy->
ksk->
algorithm) == 0) {
452 log_msg(config, LOG_DEBUG,
"Created key in repository %s", policy->
ksk->
sm_name);
454 log_msg(config, LOG_ERR,
"Error creating key in repository %s", policy->
ksk->
sm_name);
455 hsm_error_message = hsm_get_error(ctx);
456 if (hsm_error_message) {
457 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
458 free(hsm_error_message);
463 id = hsm_get_key_id(ctx, key);
467 log_msg(config, LOG_ERR,
"Error creating key in Database");
468 hsm_error_message = hsm_get_error(ctx);
469 if (hsm_error_message) {
470 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
471 free(hsm_error_message);
476 log_msg(config, LOG_INFO,
"Created KSK size: %i, alg: %i with id: %s in repository: %s and database.", policy->
ksk->
bits,
480 log_msg(config, LOG_ERR,
"Key algorithm %d unsupported by libhsm, exiting...", policy->
ksk->
algorithm);
485 ksks_created = new_keys;
495 log_msg(NULL, LOG_ERR,
"Could not predict zsk requirement for next intervalfor %s", policy->
name);
501 log_msg(NULL, LOG_ERR,
"Could not count current zsk numbers for policy %s", policy->
name);
507 keys_in_queue -= ksks_needed;
510 new_keys = zsks_needed - keys_in_queue;
514 current_count = hsm_count_keys_repository(ctx, policy->
zsk->
sm_name);
516 log_msg(config, LOG_ERR,
"Repository %s is full, cannot create more ZSKs for policy %s\n", policy->
zsk->
sm_name, policy->
name);
520 log_msg(config, LOG_WARNING,
"Repository %s is nearly full, will create %lu ZSKs for policy %s (reduced from %d)\n", policy->
zsk->
sm_name, policy->
zsk->
sm_capacity - current_count, policy->
name, new_keys);
525 if (new_keys <= 0 ) {
527 log_msg(config, LOG_INFO,
"No new ZSKs need to be created.\n");
530 log_msg(config, LOG_INFO,
"%d new ZSK(s) (%d bits) need to be created for policy %s: keys_to_generate(%d) = keys_needed(%d) - keys_available(%d).\n", new_keys, policy->
zsk->
bits, policy->
name, new_keys, zsks_needed, keys_in_queue);
534 for (i = new_keys ; i > 0 ; i--) {
535 if (hsm_supported_algorithm(policy->
zsk->
algorithm) == 0) {
539 log_msg(config, LOG_DEBUG,
"Created key in repository %s", policy->
zsk->
sm_name);
541 log_msg(config, LOG_ERR,
"Error creating key in repository %s", policy->
zsk->
sm_name);
542 hsm_error_message = hsm_get_error(ctx);
543 if (hsm_error_message) {
544 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
545 free(hsm_error_message);
551 id = hsm_get_key_id(ctx, key);
555 log_msg(config, LOG_ERR,
"Error creating key in Database");
556 hsm_error_message = hsm_get_error(ctx);
557 if (hsm_error_message) {
558 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
559 free(hsm_error_message);
564 log_msg(config, LOG_INFO,
"Created ZSK size: %i, alg: %i with id: %s in repository: %s and database.", policy->
zsk->
bits,
568 log_msg(config, LOG_ERR,
"Key algorithm %d unsupported by libhsm, exiting...", policy->
zsk->
algorithm);
577 log_msg(config, LOG_INFO,
"NOTE: keys generated in repository %s will not become active until they have been backed up", policy->
ksk->
sm_name);
580 log_msg(config, LOG_INFO,
"NOTE: keys generated in repository %s will not become active until they have been backed up", policy->
zsk->
sm_name);
591 xmlTextReaderPtr reader = NULL;
592 xmlDocPtr doc = NULL;
593 xmlXPathContextPtr xpathCtx = NULL;
594 xmlXPathObjectPtr xpathObj = NULL;
597 char* zonelist_filename = NULL;
599 char* current_policy;
600 char* current_filename;
601 char *tag_name = NULL;
604 char* ksk_expected = NULL;
606 xmlChar *name_expr = (
unsigned char*)
"name";
607 xmlChar *policy_expr = (
unsigned char*)
"//Zone/Policy";
608 xmlChar *filename_expr = (
unsigned char*)
"//Zone/SignerConfiguration";
610 char* temp_char = NULL;
613 char* datetime = NULL;
624 log_msg(NULL, LOG_ERR,
"couldn't read zonelist filename");
630 reader = xmlNewTextReaderFilename(zonelist_filename);
631 if (reader != NULL) {
632 ret = xmlTextReaderRead(reader);
634 tag_name = (
char*) xmlTextReaderLocalName(reader);
636 if (strncmp(tag_name,
"Zone", 4) == 0
637 && strncmp(tag_name,
"ZoneList", 8) != 0
638 && xmlTextReaderNodeType(reader) == 1) {
641 temp_char = (
char*) xmlTextReaderGetAttribute(reader, name_expr);
645 if (zone_name == NULL) {
647 log_msg(NULL, LOG_ERR,
"Error extracting zone name from %s", zonelist_filename);
649 ret = xmlTextReaderRead(reader);
655 log_msg(config, LOG_INFO,
"Zone %s found.", zone_name);
659 if (status != 0 || zone_id == -1)
662 log_msg(NULL, LOG_ERR,
"Error looking up zone \"%s\" in database (please make sure that the zonelist file is up to date)", zone_name);
664 ret = xmlTextReaderRead(reader);
671 xmlTextReaderExpand(reader);
672 doc = xmlTextReaderCurrentDoc(reader);
674 log_msg(config, LOG_ERR,
"Error: can not read zone \"%s\"; skipping", zone_name);
676 ret = xmlTextReaderRead(reader);
684 xpathCtx = xmlXPathNewContext(doc);
685 if(xpathCtx == NULL) {
686 log_msg(config, LOG_ERR,
"Error: can not create XPath context for \"%s\"; skipping zone", zone_name);
688 ret = xmlTextReaderRead(reader);
696 xpathObj = xmlXPathEvalExpression(policy_expr, xpathCtx);
697 if(xpathObj == NULL) {
698 log_msg(config, LOG_ERR,
"Error: unable to evaluate xpath expression: %s; skipping zone", policy_expr);
700 ret = xmlTextReaderRead(reader);
705 current_policy = NULL;
706 temp_char = (
char*) xmlXPathCastToString(xpathObj);
709 log_msg(config, LOG_INFO,
"Policy for %s set to %s.", zone_name, current_policy);
710 xmlXPathFreeObject(xpathObj);
712 if (strcmp(current_policy, policy->
name) != 0) {
713 if ( !all_policies ) {
715 log_msg(config, LOG_INFO,
"Skipping zone %s as not on specified policy \"%s\".", zone_name, policy->
name);
717 ret = xmlTextReaderRead(reader);
729 log_msg(config, LOG_ERR,
"Error reading policy");
730 ret = xmlTextReaderRead(reader);
735 log_msg(config, LOG_INFO,
"Policy %s found in DB.", policy->
name);
743 xpathObj = xmlXPathEvalExpression(filename_expr, xpathCtx);
744 xmlXPathFreeContext(xpathCtx);
746 if(xpathObj == NULL) {
747 log_msg(config, LOG_ERR,
"Error: unable to evaluate xpath expression: %s; skipping zone", filename_expr);
749 ret = xmlTextReaderRead(reader);
754 current_filename = NULL;
755 temp_char = (
char*)xmlXPathCastToString(xpathObj);
758 log_msg(config, LOG_INFO,
"Config will be output to %s.", current_filename);
759 xmlXPathFreeObject(xpathObj);
765 log_msg(config, LOG_ERR,
"Error allocating zsks to zone %s", zone_name);
767 ret = xmlTextReaderRead(reader);
775 log_msg(config, LOG_ERR,
"Error allocating ksks to zone %s", zone_name);
777 ret = xmlTextReaderRead(reader);
787 log_msg(config, LOG_ERR,
"Signconf not written for %s", zone_name);
789 ret = xmlTextReaderRead(reader);
795 else if (status2 != 0) {
796 log_msg(config, LOG_ERR,
"Error writing signconf for %s", zone_name);
798 ret = xmlTextReaderRead(reader);
810 if (datetime == NULL) {
811 log_msg(config, LOG_ERR,
"Couldn't turn \"now\" into a date, quiting...");
819 log_msg(config, LOG_INFO,
"No active KSKs yet for zone %s, can't check for impending rollover", zone_name);
821 else if (status2 != 0) {
822 log_msg(config, LOG_ERR,
"Error checking for impending rollover for %s", zone_name);
825 status2 =
DtDateDiff(ksk_expected, datetime, &roll_time);
827 log_msg(config, LOG_ERR,
"Error checking for impending rollover for %s", zone_name);
830 if (roll_time <= config->rolloverNotify) {
831 log_msg(config, LOG_INFO,
"Rollover of KSK expected at %s for %s", ksk_expected, zone_name);
843 ret = xmlTextReaderRead(reader);
846 xmlFreeTextReader(reader);
848 log_msg(config, LOG_ERR,
"%s : failed to parse", zonelist_filename);
851 log_msg(config, LOG_ERR,
"Unable to open %s", zonelist_filename);
866 int commGenSignConf(
char* zone_name,
int zone_id,
char* current_filename,
KSM_POLICY *policy,
int* signer_flag,
int run_interval,
int man_key_gen,
const char* DSSubmitCmd,
int DSSubCKA_ID)
879 char *signer_command;
884 if (datetime == NULL) {
885 log_msg(NULL, LOG_DEBUG,
"Couldn't turn \"now\" into a date, quitting...");
889 if (zone_name == NULL || current_filename == NULL || policy == NULL)
892 log_msg(NULL, LOG_ERR,
"commGenSignConf, NULL policy or zone provided");
898 StrAppend(&old_filename, current_filename);
901 temp_filename = NULL;
902 StrAppend(&temp_filename, current_filename);
905 file = fopen(temp_filename,
"w");
910 log_msg(NULL, LOG_ERR,
"Could not open: %s (%s)", temp_filename,
918 fprintf(file,
"<SignerConfiguration>\n");
919 fprintf(file,
"\t<Zone name=\"%s\">\n", zone_name);
921 fprintf(file,
"\t\t<Signatures>\n");
922 fprintf(file,
"\t\t\t<Resign>PT%dS</Resign>\n", policy->
signature->
resign);
923 fprintf(file,
"\t\t\t<Refresh>PT%dS</Refresh>\n", policy->
signer->
refresh);
924 fprintf(file,
"\t\t\t<Validity>\n");
927 fprintf(file,
"\t\t\t</Validity>\n");
928 fprintf(file,
"\t\t\t<Jitter>PT%dS</Jitter>\n", policy->
signer->
jitter);
929 fprintf(file,
"\t\t\t<InceptionOffset>PT%dS</InceptionOffset>\n", policy->
signature->
clockskew);
930 fprintf(file,
"\t\t</Signatures>\n");
934 fprintf(file,
"\t\t<Denial>\n");
937 fprintf(file,
"\t\t\t<NSEC3>\n");
939 fprintf(file,
"\t\t\t\t<TTL>PT%dS</TTL>\n", policy->
denial->
ttl);
943 fprintf(file,
"\t\t\t\t<OptOut />\n");
945 fprintf(file,
"\t\t\t\t<Hash>\n");
946 fprintf(file,
"\t\t\t\t\t<Algorithm>%d</Algorithm>\n", policy->
denial->
algorithm);
947 fprintf(file,
"\t\t\t\t\t<Iterations>%d</Iterations>\n", policy->
denial->
iteration);
949 fprintf(file,
"\t\t\t\t\t<Salt>-</Salt>\n");
951 fprintf(file,
"\t\t\t\t\t<Salt>%s</Salt>\n", policy->
denial->
salt);
953 fprintf(file,
"\t\t\t\t</Hash>\n");
954 fprintf(file,
"\t\t\t</NSEC3>\n");
956 fprintf(file,
"\t\t\t<NSEC />\n");
959 fprintf(file,
"\t\t</Denial>\n");
964 fprintf(file,
"\t\t<Keys>\n");
965 fprintf(file,
"\t\t\t<TTL>PT%dS</TTL>\n", policy->
ksk->
ttl);
974 log_msg(NULL, LOG_ERR,
"KsmRequestKeys returned: %d", status);
980 if (status2 == 0 && gencnt == 0) {
981 if(man_key_gen == 1) {
982 log_msg(NULL, LOG_ERR,
"There are no KSKs in the generate state; please use \"ods-ksmutil key generate\" to create some.");
984 log_msg(NULL, LOG_WARNING,
"There are no KSKs in the generate state; ods-enforcerd will create some on its next run.");
987 else if (status2 == 0) {
989 if (status2 == 0 && gencnt == 0) {
990 if(man_key_gen == 1) {
991 log_msg(NULL, LOG_ERR,
"There are no ZSKs in the generate state; please use \"ods-ksmutil key generate\" to create some.");
993 log_msg(NULL, LOG_WARNING,
"There are no ZSKs in the generate state; ods-enforcerd will create some on its next run.");
998 log_msg(NULL, LOG_ERR,
"KsmRequestGenerateCount returned: %d", status2);
1002 status = fclose(file);
1003 unlink(temp_filename);
1011 fprintf(file,
"\t\t</Keys>\n");
1013 fprintf(file,
"\n");
1015 fprintf(file,
"\t\t<SOA>\n");
1016 fprintf(file,
"\t\t\t<TTL>PT%dS</TTL>\n", policy->
signer->
soattl);
1017 fprintf(file,
"\t\t\t<Minimum>PT%dS</Minimum>\n", policy->
signer->
soamin);
1019 fprintf(file,
"\t\t</SOA>\n");
1021 fprintf(file,
"\t</Zone>\n");
1022 fprintf(file,
"</SignerConfiguration>\n");
1041 status = fclose(file);
1046 log_msg(NULL, LOG_ERR,
"Could not close: %s", temp_filename);
1053 file = fopen(temp_filename,
"rb");
1057 log_msg(NULL, LOG_ERR,
"Could not reopen: %s", temp_filename);
1063 file2 = fopen(current_filename,
"rb");
1066 if (file2 != NULL) {
1068 while(!feof(file)) {
1069 char1 = fgetc(file);
1071 log_msg(NULL, LOG_ERR,
"Could not read: %s", temp_filename);
1078 char2 = fgetc(file2);
1080 log_msg(NULL, LOG_ERR,
"Could not read: %s", current_filename);
1087 if(char1 != char2) {
1093 status = fclose(file2);
1096 log_msg(NULL, LOG_ERR,
"Could not close: %s", current_filename);
1104 status = fclose(file);
1107 log_msg(NULL, LOG_ERR,
"Could not close: %s", temp_filename);
1118 status = rename(current_filename, old_filename);
1119 if (status != 0 && status != -1)
1122 log_msg(NULL, LOG_ERR,
"Could not rename: %s -> %s", current_filename, old_filename);
1129 if (rename(temp_filename, current_filename) != 0)
1131 log_msg(NULL, LOG_ERR,
"Could not rename: %s -> %s", temp_filename, current_filename);
1137 if (*signer_flag == 1) {
1143 signer_command = NULL;
1144 StrAppend(&signer_command, SIGNER_CLI_UPDATE);
1148 status = system(signer_command);
1151 log_msg(NULL, LOG_ERR,
"Could not call signer engine");
1152 log_msg(NULL, LOG_INFO,
"Will continue: call '%s' to manually update the zone", signer_command);
1156 log_msg(NULL, LOG_INFO,
"Called signer engine: %s", signer_command);
1163 log_msg(NULL, LOG_INFO,
"No change to: %s", current_filename);
1164 if (
remove(temp_filename) != 0)
1166 log_msg(NULL, LOG_ERR,
"Could not remove: %s", temp_filename);
1175 log_msg(NULL, LOG_INFO,
"DSChanged");
1176 status =
NewDSSet(zone_id, zone_name, DSSubmitCmd, DSSubCKA_ID);
1191 FILE *file = (FILE *)context;
1192 int flags = key_data->
keytype;
1197 fprintf(file,
"\t\t\t<Key>\n");
1198 fprintf(file,
"\t\t\t\t<Flags>%d</Flags>\n", flags);
1199 fprintf(file,
"\t\t\t\t<Algorithm>%d</Algorithm>\n", key_data->
algorithm);
1200 fprintf(file,
"\t\t\t\t<Locator>%s</Locator>\n", key_data->
location);
1204 fprintf(file,
"\t\t\t\t<KSK />\n");
1208 fprintf(file,
"\t\t\t\t<ZSK />\n");
1212 fprintf(file,
"\t\t\t\t<Publish />\n");
1216 fprintf(file,
"\t\t\t\t<RFC5011 />\n");
1218 fprintf(file,
"\t\t\t</Key>\n");
1219 fprintf(file,
"\n");
1257 int keys_needed = 0;
1258 int keys_in_queue = 0;
1259 int keys_pending_retirement = 0;
1261 int key_pair_id = 0;
1268 if (datetime == NULL) {
1269 log_msg(NULL, LOG_DEBUG,
"Couldn't turn \"now\" into a date, quitting...");
1273 if (policy == NULL) {
1274 log_msg(NULL, LOG_ERR,
"NULL policy sent to allocateKeysToZone");
1280 log_msg(NULL, LOG_ERR,
"Unknown keytype: %i in allocateKeysToZone", key_type);
1294 status =
KsmKeyPredict(policy->
id, key_type, 1, interval, &keys_needed, rollover_scheme, 1);
1296 log_msg(NULL, LOG_ERR,
"Could not predict key requirement for next interval for %s", zone_name);
1304 log_msg(NULL, LOG_ERR,
"Could not count current key numbers for zone %s", zone_name);
1312 log_msg(NULL, LOG_ERR,
"Could not count keys which may retire before the next run (for zone %s)", zone_name);
1318 new_keys = keys_needed - (keys_in_queue - keys_pending_retirement);
1324 for (i=0 ; i < new_keys ; i++){
1328 if (status == -1 || key_pair_id == 0) {
1329 if (man_key_gen == 0) {
1330 log_msg(NULL, LOG_WARNING,
"Not enough keys to satisfy ksk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
1331 log_msg(NULL, LOG_WARNING,
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
1332 log_msg(NULL, LOG_WARNING,
"ods-enforcerd will create some more keys on its next run");
1335 log_msg(NULL, LOG_ERR,
"Not enough keys to satisfy ksk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
1336 log_msg(NULL, LOG_ERR,
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
1337 log_msg(NULL, LOG_ERR,
"please use \"ods-ksmutil key generate\" to create some more keys.");
1341 else if (status != 0) {
1342 log_msg(NULL, LOG_ERR,
"Could not get an unallocated ksk for zone: %s", zone_name);
1347 if (status == -1 || key_pair_id == 0) {
1348 if (man_key_gen == 0) {
1349 log_msg(NULL, LOG_WARNING,
"Not enough keys to satisfy zsk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
1350 log_msg(NULL, LOG_WARNING,
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
1351 log_msg(NULL, LOG_WARNING,
"ods-enforcerd will create some more keys on its next run");
1354 log_msg(NULL, LOG_WARNING,
"Not enough keys to satisfy zsk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
1355 log_msg(NULL, LOG_WARNING,
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
1356 log_msg(NULL, LOG_ERR,
"please use \"ods-ksmutil key generate\" to create some more keys.");
1360 else if (status != 0) {
1361 log_msg(NULL, LOG_ERR,
"Could not get an unallocated zsk for zone: %s", zone_name);
1365 if(key_pair_id > 0) {
1372 log_msg(NULL, LOG_ERR,
"KsmKeyGetUnallocated returned bad key_id %d for zone: %s; exiting...", key_pair_id, zone_name);
1377 log_msg(NULL, LOG_DEBUG,
"%s key allocation for zone %s: %d key(s) allocated\n", key_type ==
KSM_TYPE_KSK ?
"KSK" :
"ZSK", zone_name, new_keys);
1387 xmlTextReaderPtr reader = NULL;
1388 xmlDocPtr doc = NULL;
1389 xmlXPathContextPtr xpathCtx = NULL;
1390 xmlXPathObjectPtr xpathObj = NULL;
1392 char* temp_char = NULL;
1393 char* tag_name = NULL;
1395 xmlChar *zonelist_expr = (
unsigned char*)
"//Common/ZoneListFile";
1398 reader = xmlNewTextReaderFilename(filename);
1399 if (reader != NULL) {
1400 ret = xmlTextReaderRead(reader);
1402 tag_name = (
char*) xmlTextReaderLocalName(reader);
1404 if (strncmp(tag_name,
"Common", 6) == 0
1405 && xmlTextReaderNodeType(reader) == 1) {
1408 xmlTextReaderExpand(reader);
1409 doc = xmlTextReaderCurrentDoc(reader);
1411 log_msg(NULL, LOG_ERR,
"Error: can not read Common section of %s", filename);
1413 ret = xmlTextReaderRead(reader);
1417 xpathCtx = xmlXPathNewContext(doc);
1418 if(xpathCtx == NULL) {
1419 log_msg(NULL, LOG_ERR,
"Error: can not create XPath context for Common section");
1421 ret = xmlTextReaderRead(reader);
1426 xpathObj = xmlXPathEvalExpression(zonelist_expr, xpathCtx);
1427 if(xpathObj == NULL) {
1428 log_msg(NULL, LOG_ERR,
"Error: unable to evaluate xpath expression: %s", zonelist_expr);
1430 ret = xmlTextReaderRead(reader);
1433 *zone_list_filename = NULL;
1434 temp_char = (
char *)xmlXPathCastToString(xpathObj);
1435 StrAppend(zone_list_filename, temp_char);
1437 xmlXPathFreeObject(xpathObj);
1438 log_msg(NULL, LOG_INFO,
"zonelist filename set to %s.", *zone_list_filename);
1441 ret = xmlTextReaderRead(reader);
1444 xmlFreeTextReader(reader);
1446 log_msg(NULL, LOG_ERR,
"%s : failed to parse", filename);
1450 log_msg(NULL, LOG_ERR,
"Unable to open %s", filename);
1454 xmlXPathFreeContext(xpathCtx);
1495 char* temp_loc = NULL;
1501 hsm_key_t *key = NULL;
1503 log_msg(NULL, LOG_DEBUG,
"Purging keys...");
1508 if (rightnow == NULL) {
1509 log_msg(NULL, LOG_ERR,
"Couldn't turn \"now\" into a date, quitting...");
1514 StrAppend(&sql,
"select distinct id, location from KEYDATA_VIEW where state = 6 ");
1516 if (policy_id != -1) {
1528 while (status == 0) {
1530 DbInt(row, 0, &temp_id);
1539 log_msg(NULL, LOG_ERR,
"DbDateDiff failed\n");
1548 StrAppend(&sql1,
" or state = 6 and DEAD > ");
1603 key = hsm_find_key_by_id(NULL, temp_loc);
1606 log_msg(NULL, LOG_ERR,
"Key not found: %s\n", temp_loc);
1614 status = hsm_remove_key(NULL, key);
1619 log_msg(NULL, LOG_INFO,
"Key remove successful: %s\n", temp_loc);
1621 log_msg(NULL, LOG_ERR,
"Key remove failed: %s\n", temp_loc);
1652 int NewDSSet(
int zone_id,
const char* zone_name,
const char* DSSubmitCmd,
int DSSubCKA_ID) {
1666 char* count_clause = NULL;
1667 char* where_clause = NULL;
1669 int active_count = -1;
1674 char* ds_buffer = NULL;
1675 char* ds_seen_buffer = NULL;
1676 char* temp_char = NULL;
1684 hsm_key_t *key = NULL;
1685 ldns_rr *dnskey_rr = NULL;
1686 hsm_sign_params_t *sign_params = NULL;
1689 int bytes_written = -1;
1691 struct stat stat_ret;
1693 nchar = snprintf(buffer,
sizeof(buffer),
"(%d, %d, %d, %d, %d, %d, %d, %d)",
1697 if (nchar >=
sizeof(buffer)) {
1708 if (zone_id != -1) {
1716 log_msg(NULL, LOG_ERR,
"Error: failed to find ID of key to retire\n");
1720 if (active_count > 0) {
1723 StrAppend(&where_clause,
"select id from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
1725 StrAppend(&where_clause,
" and retire = (select min(retire) from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
1734 log_msg(NULL, LOG_ERR,
"Error: failed to find ID of key to retire\n");
1744 if (zone_id != -1) {
1766 keyids =
MemMalloc(count *
sizeof(
int));
1774 if (zone_id != -1) {
1786 while (status == 0) {
1787 status =
KsmKey(result, &data);
1818 for (j = 0; j < i; ++j) {
1822 snprintf(buffer,
sizeof(buffer),
"%d", keyids[j]);
1835 log_msg(NULL, LOG_INFO,
"DS Record set has changed, the current set looks like:");
1840 status =
KsmKey(result3, &data3);
1841 while (status == 0) {
1844 key = hsm_find_key_by_id(NULL, data3.
location);
1847 log_msg(NULL, LOG_ERR,
"Key %s in DB but not repository.", data3.
location);
1855 sign_params = hsm_sign_params_new();
1856 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone_name);
1857 sign_params->algorithm = data3.
algorithm;
1858 sign_params->flags = LDNS_KEY_ZONE_KEY;
1859 sign_params->flags += LDNS_KEY_SEP_KEY;
1860 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
1870 ldns_rr_set_ttl(dnskey_rr, rrttl);
1874 temp_char = ldns_rr2str(dnskey_rr);
1875 ldns_rr_free(dnskey_rr);
1878 for (i = 0; temp_char[i]; ++i) {
1879 if (temp_char[i] ==
'\t') {
1883 log_msg(NULL, LOG_INFO,
"%s", temp_char);
1887 for (i = 0; temp_char[i]; ++i) {
1888 if (temp_char[i] ==
';') {
1889 temp_char[i] =
'\n';
1890 temp_char[i+1] =
'\0';
1918 hsm_sign_params_free(sign_params);
1920 status =
KsmKey(result3, &data3);
1930 if (DSSubmitCmd[0] !=
'\0') {
1932 if (stat(DSSubmitCmd, &stat_ret) != 0) {
1933 log_msg(NULL, LOG_WARNING,
"Cannot stat file %s: %s", DSSubmitCmd, strerror(errno));
1936 else if (S_ISREG(stat_ret.st_mode) && !(stat_ret.st_mode & S_IXUSR || stat_ret.st_mode & S_IXGRP || stat_ret.st_mode & S_IXOTH)) {
1937 log_msg(NULL, LOG_WARNING,
"File %s is not executable", DSSubmitCmd);
1942 fp = popen(DSSubmitCmd,
"w");
1944 log_msg(NULL, LOG_ERR,
"Failed to run command: %s: %s", DSSubmitCmd, strerror(errno));
1948 bytes_written = fprintf(fp,
"%s", ds_buffer);
1949 if (bytes_written < 0) {
1950 log_msg(NULL, LOG_ERR,
"Failed to write to %s: %s", DSSubmitCmd, strerror(errno));
1955 if (pclose(fp) == -1) {
1956 log_msg(NULL, LOG_ERR,
"Failed to close %s: %s", DSSubmitCmd, strerror(errno));
1967 log_msg(NULL, LOG_INFO,
"Once the new DS records are seen in DNS please issue the ds-seen command for zone %s with the following cka_ids%s", zone_name, ds_seen_buffer);
1979 char *hsm_error_message = NULL;
1981 result = hsm_check_context(*ctx);
1984 if (result != HSM_OK) {
1987 hsm_destroy_context(*ctx);
1991 result = hsm_close();
1994 result = hsm_open(config->
configfile, hsm_check_pin);
1996 result = hsm_open(OPENDNSSEC_CONFIG_FILE, hsm_check_pin);
1999 hsm_error_message = hsm_get_error(*ctx);
2000 if (hsm_error_message) {
2001 log_msg(config, LOG_ERR, hsm_error_message);
2002 free(hsm_error_message);
2009 log_msg(config, LOG_ERR,
"hsm_open() result: HSM error");
2011 case HSM_PIN_INCORRECT:
2012 log_msg(config, LOG_ERR,
"hsm_open() result: incorrect PIN");
2014 case HSM_CONFIG_FILE_ERROR:
2015 log_msg(config, LOG_ERR,
"hsm_open() result: config file error");
2017 case HSM_REPOSITORY_NOT_FOUND:
2018 log_msg(config, LOG_ERR,
"hsm_open() result: repository not found");
2020 case HSM_NO_REPOSITORIES:
2021 log_msg(config, LOG_ERR,
"hsm_open() result: no repositories");
2024 log_msg(config, LOG_ERR,
"hsm_open() result: %d", result);
2030 log_msg(config, LOG_INFO,
"HSM reopened successfully.");
2031 *ctx = hsm_create_context();
2033 log_msg(config, LOG_INFO,
"HSM connection open.");
void DbFreeResult(DB_RESULT result)
int KsmPolicyInit(DB_RESULT *handle, const char *name)
char name[KSM_NAME_LENGTH]
unsigned long sm_capacity
void kaspConnect(DAEMONCONFIG *config, DB_HANDLE *handle)
void server_main(DAEMONCONFIG *config)
int DbFetchRow(DB_RESULT result, DB_ROW *row)
int KsmPolicy(DB_RESULT handle, KSM_POLICY *data)
char * DqsSpecifyInit(const char *table, const char *fields)
char location[KSM_NAME_LENGTH]
int KsmKeyCountQueue(int keytype, int *count, int zone_id)
KSM_POLICY * KsmPolicyAlloc()
KSM_COMMON_KEY_POLICY * keys
int KsmParameterCollection(KSM_PARCOLL *data, int policy_id)
int kaspTryConnect(DAEMONCONFIG *config, DB_HANDLE *handle)
void check_hsm_connection(hsm_ctx_t **ctx, DAEMONCONFIG *config)
void kaspDisconnect(DB_HANDLE *handle)
void DqsConditionKeyword(char **query, const char *field, DQS_COMPARISON compare, const char *value, int index)
int KsmKeyPairCreate(int policy_id, const char *HSMKeyID, int smID, int size, int alg, const char *generate, DB_ID *id)
int KsmZoneCount(DB_RESULT handle, int *count)
char sm_name[KSM_NAME_LENGTH]
int KsmPolicyUpdateSalt(KSM_POLICY *policy)
int KsmPolicyRead(KSM_POLICY *policy)
void DqsFree(char *query)
#define KSM_STATE_KEYPUBLISH
void DdsFree(char *query)
int read_zonelist_filename(const char *filename, char **zone_list_filename)
int commGenSignConf(char *zone_name, int zone_id, char *current_filename, KSM_POLICY *policy, int *signer_flag, int run_interval, int man_key_gen, const char *DSSubmitCmd, int DSSubCKA_ID)
char * DqsCountInit(const char *table)
int KsmCheckNextRollover(int keytype, int zone_id, char **datetime)
int DbString(DB_ROW row, int field_index, char **result)
char * StrStrdup(const char *string)
void DqsConditionInt(char **query, const char *field, DQS_COMPARISON compare, int value, int index)
char salt[KSM_SALT_LENGTH]
void DdsConditionInt(char **query, const char *field, DQS_COMPARISON compare, int value, int index)
int KsmPolicyIdFromZoneId(int zone_id, int *policy_id)
char * DdsInit(const char *table)
char * DtParseDateTimeString(const char *string)
#define KSM_STATE_DSPUBLISH
KSM_DENIAL_POLICY * denial
int KsmZoneIdFromName(const char *zone_name, int *zone_id)
int do_communication(DAEMONCONFIG *config, KSM_POLICY *policy, bool all_policies)
int KsmParameterValue(const char *name, const char *category, int *value, int policy_id, int *parameter_id)
int KsmKeyInitSql(DB_RESULT *result, const char *sql)
int do_keygen(DAEMONCONFIG *config, KSM_POLICY *policy, hsm_ctx_t *ctx)
#define DB_KEYDATA_FIELDS
const char * DbErrmsg(DB_HANDLE handle)
void KsmPolicyFree(KSM_POLICY *policy)
void DbFreeRow(DB_ROW row)
int KsmKey(DB_RESULT result, KSM_KEYDATA *data)
KSM_SIGNER_POLICY * signer
int ReadConfig(DAEMONCONFIG *config, int verbose)
int KsmKeyPredict(int policy_id, int keytype, int shared_keys, int interval, int *count, int rollover_scheme, int zone_count)
void kaspSetPolicyDefaults(KSM_POLICY *policy, char *name)
const char * KsmKeywordSerialValueToName(int value)
int DbExecuteSql(DB_HANDLE handle, const char *stmt_str, DB_RESULT *result)
int KsmRequestGenerateCount(int keytype, int *count, int zone_id)
int release_lite_lock(FILE *lock_fd)
void StrAppend(char **str1, const char *str2)
int server_init(DAEMONCONFIG *config)
int DbIntQuery(DB_HANDLE handle, int *value, const char *query)
#define KSM_PAR_KSKTTL_CAT
#define KSM_STATE_PUBLISH
int DbDateDiff(const char *start, int delta, int sign, char *buffer, size_t buflen)
void KsmParameterCollectionCache(int enable)
int KsmKeyGetUnallocated(int policy_id, int sm, int bits, int algorithm, int zone_id, int share_keys, int *keypair_id)
int KsmDnssecKeyCreate(int zone_id, int keypair_id, int keytype, int state, int rfc5011, const char *time, const char *retTime, DB_ID *id)
int get_lite_lock(char *lock_filename, FILE *lock_fd)
int KsmPolicyExists(const char *name)
int allocateKeysToZone(KSM_POLICY *policy, int key_type, int zone_id, uint16_t interval, const char *zone_name, int man_key_gen, int rollover_scheme)
int writepid(DAEMONCONFIG *config)
#define KSM_PAR_KSKTTL_STRING
void log_msg(DAEMONCONFIG *config, int priority, const char *format,...)
int KsmRequestPendingRetireCount(int keytype, const char *datetime, KSM_PARCOLL *parameters, int *count, int zone_id, int interval)
int KsmZoneCountInit(DB_RESULT *handle, int id)
void DdsEnd(char **query)
int DbInt(DB_ROW row, int field_index, int *value)
void * MemMalloc(size_t size)
#define KSM_STATE_DSREADY
int NewDSSet(int zone_id, const char *zone_name, const char *DSSubmitCmd, int DSSubCKA_ID)
void KsmKeyEnd(DB_RESULT result)
int KsmRequestKeys(int keytype, int rollover, const char *datetime, KSM_REQUEST_CALLBACK callback, void *context, int policy_id, int zone_id, int run_interval, int *NewDS)
#define KSM_STATE_GENERATE
void DqsEnd(char **query)
int kaspReadPolicy(KSM_POLICY *policy)
int DtDateDiff(const char *date1, const char *date2, int *result)
int DbExecuteSqlNoResult(DB_HANDLE handle, const char *stmt_str)
int KsmKeyCountStillGood(int policy_id, int sm, int bits, int algorithm, int interval, const char *datetime, int *count, int keytype)
int do_purge(int interval, int policy_id)
KSM_SIGNATURE_POLICY * signature
int commKeyConfig(void *context, KSM_KEYDATA *key_data)
void DbStringFree(char *string)