43 #include <libxml/xmlreader.h>
44 #include <libxml/xpath.h>
59 #include "libhsmdns.h"
65 log_msg(NULL, LOG_ERR,
"Error in server_init, no config provided");
71 config->
pidfile = OPENDNSSEC_ENFORCER_PIDFILE;
89 hsm_ctx_t *ctx = NULL;
90 char *hsm_error_message = NULL;
93 char *lock_filename = NULL;
96 log_msg(NULL, LOG_ERR,
"Error in server_main, no config provided");
101 if (policy == NULL) {
102 log_msg(config, LOG_ERR,
"Malloc for policy struct failed");
110 log_msg(config, LOG_ERR,
"Error reading config");
118 result = hsm_open(config->
configfile, hsm_check_pin);
120 result = hsm_open(OPENDNSSEC_CONFIG_FILE, hsm_check_pin);
123 hsm_error_message = hsm_get_error(ctx);
124 if (hsm_error_message) {
125 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
126 free(hsm_error_message);
132 log_msg(config, LOG_ERR,
"hsm_open() result: HSM error");
134 case HSM_PIN_INCORRECT:
135 log_msg(config, LOG_ERR,
"hsm_open() result: incorrect PIN");
137 case HSM_CONFIG_FILE_ERROR:
138 log_msg(config, LOG_ERR,
"hsm_open() result: config file error");
140 case HSM_REPOSITORY_NOT_FOUND:
141 log_msg(config, LOG_ERR,
"hsm_open() result: repository not found");
143 case HSM_NO_REPOSITORIES:
144 log_msg(config, LOG_ERR,
"hsm_open() result: no repositories");
147 log_msg(config, LOG_ERR,
"hsm_open() result: %d", result);
152 log_msg(config, LOG_INFO,
"HSM opened successfully.");
153 ctx = hsm_create_context();
156 log_msg(config, LOG_INFO,
"Checking database connection...");
158 log_msg(config, LOG_ERR,
"Database connection failed");
161 log_msg(config, LOG_INFO,
"Database connection ok.");
165 log_msg(config, LOG_ERR,
"cannot write the pidfile %s: %s",
166 config->
pidfile, strerror(errno));
175 log_msg(config, LOG_ERR,
"Error reading config");
185 lock_filename = NULL;
189 lock_fd = fopen(lock_filename,
"w");
193 log_msg(config, LOG_ERR,
"Error getting db lock");
199 log_msg(config, LOG_INFO,
"Connecting to Database...");
203 if (config->
policy != NULL) {
204 log_msg(config, LOG_INFO,
"Will only process policy \"%s\" as specified on the command line with the --policy option.", config->
policy);
207 log_msg(config, LOG_ERR,
"Policy \"%s\" not found. Exiting.", config->
policy);
218 while (status == 0) {
219 log_msg(config, LOG_INFO,
"Policy %s found.", policy->name);
227 if (policy->denial->version == 3)
232 log_msg(config, LOG_ERR,
"Error (%d) updating salt for %s", status, policy->name);
245 if (policy->keys->purge != -1) {
246 status =
do_purge(policy->keys->purge, policy->id);
253 log_msg(config, LOG_ERR,
"Error querying KASP DB for policies.");
269 log_msg(config, LOG_INFO,
"Disconnecting from Database...");
276 log_msg(config, LOG_ERR,
"Error releasing db lock");
283 if (config->
once ==
true ){
284 log_msg(config, LOG_INFO,
"Running once only, exiting...");
289 if (config->
term == 1 ){
290 log_msg(config, LOG_INFO,
"Received SIGTERM, exiting...");
294 if (config->
term == 2 ){
295 log_msg(config, LOG_INFO,
"Received SIGINT, exiting...");
302 log_msg(config, LOG_INFO,
"Sleeping for %i seconds.",config->
interval);
303 select(0, NULL, NULL, NULL, &tv);
306 if (config->
term == 1 ){
307 log_msg(config, LOG_INFO,
"Received SIGTERM, exiting...");
311 if (config->
term == 2 ){
312 log_msg(config, LOG_INFO,
"Received SIGINT, exiting...");
325 hsm_destroy_context(ctx);
328 result = hsm_close();
329 log_msg(config, LOG_INFO,
"all done! hsm_close result: %d", result);
333 if (unlink(config->
pidfile) == -1) {
334 log_msg(config, LOG_ERR,
"unlink pidfile %s failed: %s",
350 hsm_key_t *key = NULL;
351 char *hsm_error_message = NULL;
355 int keys_in_queue = 0;
357 unsigned int current_count = 0;
360 int ksks_created = 0;
366 log_msg(config, LOG_INFO,
"Key sharing is On");
368 log_msg(config, LOG_INFO,
"Key sharing is Off.");
374 if (rightnow == NULL) {
375 log_msg(config, LOG_ERR,
"Couldn't turn \"now\" into a date, quitting...");
395 if (zone_count == 0) {
396 log_msg(config, LOG_INFO,
"No zones on policy %s, skipping...", policy->
name);
401 log_msg(NULL, LOG_ERR,
"Could not count zones on policy %s", policy->
name);
405 log_msg(config, LOG_INFO,
"%d zone(s) found on policy \"%s\"\n", zone_count, policy->
name);
410 log_msg(NULL, LOG_ERR,
"Could not predict ksk requirement for next interval for %s", policy->
name);
416 log_msg(NULL, LOG_ERR,
"Could not count current ksk numbers for policy %s", policy->
name);
421 new_keys = ksks_needed - keys_in_queue;
425 current_count = hsm_count_keys_repository(ctx, policy->
ksk->
sm_name);
427 log_msg(config, LOG_ERR,
"Repository %s is full, cannot create more KSKs for policy %s\n", policy->
ksk->
sm_name, policy->
name);
431 log_msg(config, LOG_WARNING,
"Repository %s is nearly full, will create %lu KSKs for policy %s (reduced from %d)\n", policy->
ksk->
sm_name, policy->
ksk->
sm_capacity - current_count, policy->
name, new_keys);
435 if (new_keys <= 0 ) {
436 log_msg(config, LOG_INFO,
"No new KSKs need to be created.\n");
439 log_msg(config, LOG_INFO,
"%d new KSK(s) (%d bits) need to be created for policy %s: keys_to_generate(%d) = keys_needed(%d) - keys_available(%d).\n", new_keys, policy->
ksk->
bits, policy->
name, new_keys, ksks_needed, keys_in_queue);
443 for (i=new_keys ; i > 0 ; i--){
444 if (hsm_supported_algorithm(policy->
ksk->
algorithm) == 0) {
448 log_msg(config, LOG_DEBUG,
"Created key in repository %s", policy->
ksk->
sm_name);
450 log_msg(config, LOG_ERR,
"Error creating key in repository %s", policy->
ksk->
sm_name);
451 hsm_error_message = hsm_get_error(ctx);
452 if (hsm_error_message) {
453 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
454 free(hsm_error_message);
459 id = hsm_get_key_id(ctx, key);
463 log_msg(config, LOG_ERR,
"Error creating key in Database");
464 hsm_error_message = hsm_get_error(ctx);
465 if (hsm_error_message) {
466 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
467 free(hsm_error_message);
472 log_msg(config, LOG_INFO,
"Created KSK size: %i, alg: %i with id: %s in repository: %s and database.", policy->
ksk->
bits,
476 log_msg(config, LOG_ERR,
"Key algorithm %d unsupported by libhsm, exiting...", policy->
ksk->
algorithm);
481 ksks_created = new_keys;
491 log_msg(NULL, LOG_ERR,
"Could not predict zsk requirement for next intervalfor %s", policy->
name);
497 log_msg(NULL, LOG_ERR,
"Could not count current zsk numbers for policy %s", policy->
name);
503 keys_in_queue -= ksks_needed;
506 new_keys = zsks_needed - keys_in_queue;
510 current_count = hsm_count_keys_repository(ctx, policy->
zsk->
sm_name);
512 log_msg(config, LOG_ERR,
"Repository %s is full, cannot create more ZSKs for policy %s\n", policy->
zsk->
sm_name, policy->
name);
516 log_msg(config, LOG_WARNING,
"Repository %s is nearly full, will create %lu ZSKs for policy %s (reduced from %d)\n", policy->
zsk->
sm_name, policy->
zsk->
sm_capacity - current_count, policy->
name, new_keys);
521 if (new_keys <= 0 ) {
523 log_msg(config, LOG_INFO,
"No new ZSKs need to be created.\n");
526 log_msg(config, LOG_INFO,
"%d new ZSK(s) (%d bits) need to be created for policy %s: keys_to_generate(%d) = keys_needed(%d) - keys_available(%d).\n", new_keys, policy->
zsk->
bits, policy->
name, new_keys, zsks_needed, keys_in_queue);
530 for (i = new_keys ; i > 0 ; i--) {
531 if (hsm_supported_algorithm(policy->
zsk->
algorithm) == 0) {
535 log_msg(config, LOG_DEBUG,
"Created key in repository %s", policy->
zsk->
sm_name);
537 log_msg(config, LOG_ERR,
"Error creating key in repository %s", policy->
zsk->
sm_name);
538 hsm_error_message = hsm_get_error(ctx);
539 if (hsm_error_message) {
540 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
541 free(hsm_error_message);
547 id = hsm_get_key_id(ctx, key);
551 log_msg(config, LOG_ERR,
"Error creating key in Database");
552 hsm_error_message = hsm_get_error(ctx);
553 if (hsm_error_message) {
554 log_msg(config, LOG_ERR,
"%s", hsm_error_message);
555 free(hsm_error_message);
560 log_msg(config, LOG_INFO,
"Created ZSK size: %i, alg: %i with id: %s in repository: %s and database.", policy->
zsk->
bits,
564 log_msg(config, LOG_ERR,
"Key algorithm %d unsupported by libhsm, exiting...", policy->
zsk->
algorithm);
573 log_msg(config, LOG_INFO,
"NOTE: keys generated in repository %s will not become active until they have been backed up", policy->
ksk->
sm_name);
576 log_msg(config, LOG_INFO,
"NOTE: keys generated in repository %s will not become active until they have been backed up", policy->
zsk->
sm_name);
587 xmlTextReaderPtr reader = NULL;
588 xmlDocPtr doc = NULL;
589 xmlXPathContextPtr xpathCtx = NULL;
590 xmlXPathObjectPtr xpathObj = NULL;
593 char* zonelist_filename = NULL;
595 char* current_policy;
596 char* current_filename;
597 char *tag_name = NULL;
600 char* ksk_expected = NULL;
602 xmlChar *name_expr = (
unsigned char*)
"name";
603 xmlChar *policy_expr = (
unsigned char*)
"//Zone/Policy";
604 xmlChar *filename_expr = (
unsigned char*)
"//Zone/SignerConfiguration";
606 char* temp_char = NULL;
609 char* datetime = NULL;
620 log_msg(NULL, LOG_ERR,
"couldn't read zonelist filename");
626 reader = xmlNewTextReaderFilename(zonelist_filename);
627 if (reader != NULL) {
628 ret = xmlTextReaderRead(reader);
630 tag_name = (
char*) xmlTextReaderLocalName(reader);
632 if (strncmp(tag_name,
"Zone", 4) == 0
633 && strncmp(tag_name,
"ZoneList", 8) != 0
634 && xmlTextReaderNodeType(reader) == 1) {
637 temp_char = (
char*) xmlTextReaderGetAttribute(reader, name_expr);
641 if (zone_name == NULL) {
643 log_msg(NULL, LOG_ERR,
"Error extracting zone name from %s", zonelist_filename);
645 ret = xmlTextReaderRead(reader);
651 log_msg(config, LOG_INFO,
"Zone %s found.", zone_name);
655 if (status != 0 || zone_id == -1)
658 log_msg(NULL, LOG_ERR,
"Error looking up zone \"%s\" in database (please make sure that the zonelist file is up to date)", zone_name);
660 ret = xmlTextReaderRead(reader);
667 xmlTextReaderExpand(reader);
668 doc = xmlTextReaderCurrentDoc(reader);
670 log_msg(config, LOG_ERR,
"Error: can not read zone \"%s\"; skipping", zone_name);
672 ret = xmlTextReaderRead(reader);
680 xpathCtx = xmlXPathNewContext(doc);
681 if(xpathCtx == NULL) {
682 log_msg(config, LOG_ERR,
"Error: can not create XPath context for \"%s\"; skipping zone", zone_name);
684 ret = xmlTextReaderRead(reader);
692 xpathObj = xmlXPathEvalExpression(policy_expr, xpathCtx);
693 if(xpathObj == NULL) {
694 log_msg(config, LOG_ERR,
"Error: unable to evaluate xpath expression: %s; skipping zone", policy_expr);
696 ret = xmlTextReaderRead(reader);
701 current_policy = NULL;
702 temp_char = (
char*) xmlXPathCastToString(xpathObj);
705 log_msg(config, LOG_INFO,
"Policy for %s set to %s.", zone_name, current_policy);
706 xmlXPathFreeObject(xpathObj);
708 if (strcmp(current_policy, policy->
name) != 0) {
709 if ( !all_policies ) {
711 log_msg(config, LOG_INFO,
"Skipping zone %s as not on specified policy \"%s\".", zone_name, policy->
name);
713 ret = xmlTextReaderRead(reader);
725 log_msg(config, LOG_ERR,
"Error reading policy");
726 ret = xmlTextReaderRead(reader);
731 log_msg(config, LOG_INFO,
"Policy %s found in DB.", policy->
name);
739 xpathObj = xmlXPathEvalExpression(filename_expr, xpathCtx);
740 xmlXPathFreeContext(xpathCtx);
742 if(xpathObj == NULL) {
743 log_msg(config, LOG_ERR,
"Error: unable to evaluate xpath expression: %s; skipping zone", filename_expr);
745 ret = xmlTextReaderRead(reader);
750 current_filename = NULL;
751 temp_char = (
char*)xmlXPathCastToString(xpathObj);
754 log_msg(config, LOG_INFO,
"Config will be output to %s.", current_filename);
755 xmlXPathFreeObject(xpathObj);
761 log_msg(config, LOG_ERR,
"Error allocating zsks to zone %s", zone_name);
763 ret = xmlTextReaderRead(reader);
771 log_msg(config, LOG_ERR,
"Error allocating ksks to zone %s", zone_name);
773 ret = xmlTextReaderRead(reader);
783 log_msg(config, LOG_ERR,
"Signconf not written for %s", zone_name);
785 ret = xmlTextReaderRead(reader);
791 else if (status2 != 0) {
792 log_msg(config, LOG_ERR,
"Error writing signconf for %s", zone_name);
794 ret = xmlTextReaderRead(reader);
806 if (datetime == NULL) {
807 log_msg(config, LOG_ERR,
"Couldn't turn \"now\" into a date, quiting...");
815 log_msg(config, LOG_INFO,
"No active KSKs yet for zone %s, can't check for impending rollover", zone_name);
817 else if (status2 != 0) {
818 log_msg(config, LOG_ERR,
"Error checking for impending rollover for %s", zone_name);
821 status2 =
DtDateDiff(ksk_expected, datetime, &roll_time);
823 log_msg(config, LOG_ERR,
"Error checking for impending rollover for %s", zone_name);
826 if (roll_time <= config->rolloverNotify) {
827 log_msg(config, LOG_INFO,
"Rollover of KSK expected at %s for %s", ksk_expected, zone_name);
839 ret = xmlTextReaderRead(reader);
842 xmlFreeTextReader(reader);
844 log_msg(config, LOG_ERR,
"%s : failed to parse", zonelist_filename);
847 log_msg(config, LOG_ERR,
"Unable to open %s", zonelist_filename);
862 int commGenSignConf(
char* zone_name,
int zone_id,
char* current_filename,
KSM_POLICY *policy,
int* signer_flag,
int run_interval,
int man_key_gen,
const char* DSSubmitCmd,
int DSSubCKA_ID)
875 char *signer_command;
880 if (datetime == NULL) {
881 log_msg(NULL, LOG_DEBUG,
"Couldn't turn \"now\" into a date, quitting...");
885 if (zone_name == NULL || current_filename == NULL || policy == NULL)
888 log_msg(NULL, LOG_ERR,
"commGenSignConf, NULL policy or zone provided");
894 StrAppend(&old_filename, current_filename);
897 temp_filename = NULL;
898 StrAppend(&temp_filename, current_filename);
901 file = fopen(temp_filename,
"w");
906 log_msg(NULL, LOG_ERR,
"Could not open: %s (%s)", temp_filename,
914 fprintf(file,
"<SignerConfiguration>\n");
915 fprintf(file,
"\t<Zone name=\"%s\">\n", zone_name);
917 fprintf(file,
"\t\t<Signatures>\n");
918 fprintf(file,
"\t\t\t<Resign>PT%dS</Resign>\n", policy->
signature->
resign);
919 fprintf(file,
"\t\t\t<Refresh>PT%dS</Refresh>\n", policy->
signer->
refresh);
920 fprintf(file,
"\t\t\t<Validity>\n");
923 fprintf(file,
"\t\t\t</Validity>\n");
924 fprintf(file,
"\t\t\t<Jitter>PT%dS</Jitter>\n", policy->
signer->
jitter);
925 fprintf(file,
"\t\t\t<InceptionOffset>PT%dS</InceptionOffset>\n", policy->
signature->
clockskew);
926 fprintf(file,
"\t\t</Signatures>\n");
930 fprintf(file,
"\t\t<Denial>\n");
933 fprintf(file,
"\t\t\t<NSEC3>\n");
935 fprintf(file,
"\t\t\t\t<TTL>PT%dS</TTL>\n", policy->
denial->
ttl);
939 fprintf(file,
"\t\t\t\t<OptOut />\n");
941 fprintf(file,
"\t\t\t\t<Hash>\n");
942 fprintf(file,
"\t\t\t\t\t<Algorithm>%d</Algorithm>\n", policy->
denial->
algorithm);
943 fprintf(file,
"\t\t\t\t\t<Iterations>%d</Iterations>\n", policy->
denial->
iteration);
945 fprintf(file,
"\t\t\t\t\t<Salt>-</Salt>\n");
947 fprintf(file,
"\t\t\t\t\t<Salt>%s</Salt>\n", policy->
denial->
salt);
949 fprintf(file,
"\t\t\t\t</Hash>\n");
950 fprintf(file,
"\t\t\t</NSEC3>\n");
952 fprintf(file,
"\t\t\t<NSEC />\n");
955 fprintf(file,
"\t\t</Denial>\n");
960 fprintf(file,
"\t\t<Keys>\n");
961 fprintf(file,
"\t\t\t<TTL>PT%dS</TTL>\n", policy->
ksk->
ttl);
970 log_msg(NULL, LOG_ERR,
"KsmRequestKeys returned: %d", status);
976 if (status2 == 0 && gencnt == 0) {
977 if(man_key_gen == 1) {
978 log_msg(NULL, LOG_ERR,
"There are no KSKs in the generate state; please use \"ods-ksmutil key generate\" to create some.");
980 log_msg(NULL, LOG_WARNING,
"There are no KSKs in the generate state; ods-enforcerd will create some on its next run.");
983 else if (status2 == 0) {
985 if (status2 == 0 && gencnt == 0) {
986 if(man_key_gen == 1) {
987 log_msg(NULL, LOG_ERR,
"There are no ZSKs in the generate state; please use \"ods-ksmutil key generate\" to create some.");
989 log_msg(NULL, LOG_WARNING,
"There are no ZSKs in the generate state; ods-enforcerd will create some on its next run.");
994 log_msg(NULL, LOG_ERR,
"KsmRequestGenerateCount returned: %d", status2);
998 status = fclose(file);
999 unlink(temp_filename);
1007 fprintf(file,
"\t\t</Keys>\n");
1009 fprintf(file,
"\n");
1011 fprintf(file,
"\t\t<SOA>\n");
1012 fprintf(file,
"\t\t\t<TTL>PT%dS</TTL>\n", policy->
signer->
soattl);
1013 fprintf(file,
"\t\t\t<Minimum>PT%dS</Minimum>\n", policy->
signer->
soamin);
1015 fprintf(file,
"\t\t</SOA>\n");
1017 fprintf(file,
"\t</Zone>\n");
1018 fprintf(file,
"</SignerConfiguration>\n");
1037 status = fclose(file);
1042 log_msg(NULL, LOG_ERR,
"Could not close: %s", temp_filename);
1049 file = fopen(temp_filename,
"rb");
1053 log_msg(NULL, LOG_ERR,
"Could not reopen: %s", temp_filename);
1059 file2 = fopen(current_filename,
"rb");
1062 if (file2 != NULL) {
1064 while(!feof(file)) {
1065 char1 = fgetc(file);
1067 log_msg(NULL, LOG_ERR,
"Could not read: %s", temp_filename);
1074 char2 = fgetc(file2);
1076 log_msg(NULL, LOG_ERR,
"Could not read: %s", current_filename);
1083 if(char1 != char2) {
1089 status = fclose(file2);
1092 log_msg(NULL, LOG_ERR,
"Could not close: %s", current_filename);
1100 status = fclose(file);
1103 log_msg(NULL, LOG_ERR,
"Could not close: %s", temp_filename);
1114 status = rename(current_filename, old_filename);
1115 if (status != 0 && status != -1)
1118 log_msg(NULL, LOG_ERR,
"Could not rename: %s -> %s", current_filename, old_filename);
1125 if (rename(temp_filename, current_filename) != 0)
1127 log_msg(NULL, LOG_ERR,
"Could not rename: %s -> %s", temp_filename, current_filename);
1133 if (*signer_flag == 1) {
1139 signer_command = NULL;
1140 StrAppend(&signer_command, SIGNER_CLI_UPDATE);
1144 status = system(signer_command);
1147 log_msg(NULL, LOG_ERR,
"Could not call signer engine");
1148 log_msg(NULL, LOG_INFO,
"Will continue: call '%s' to manually update the zone", signer_command);
1152 log_msg(NULL, LOG_INFO,
"Called signer engine: %s", signer_command);
1159 log_msg(NULL, LOG_INFO,
"No change to: %s", current_filename);
1160 if (
remove(temp_filename) != 0)
1162 log_msg(NULL, LOG_ERR,
"Could not remove: %s", temp_filename);
1171 log_msg(NULL, LOG_INFO,
"DSChanged");
1172 status =
NewDSSet(zone_id, zone_name, DSSubmitCmd, DSSubCKA_ID);
1187 FILE *file = (FILE *)context;
1189 fprintf(file,
"\t\t\t<Key>\n");
1190 fprintf(file,
"\t\t\t\t<Flags>%d</Flags>\n", key_data->
keytype);
1191 fprintf(file,
"\t\t\t\t<Algorithm>%d</Algorithm>\n", key_data->
algorithm);
1192 fprintf(file,
"\t\t\t\t<Locator>%s</Locator>\n", key_data->
location);
1196 fprintf(file,
"\t\t\t\t<KSK />\n");
1200 fprintf(file,
"\t\t\t\t<ZSK />\n");
1204 fprintf(file,
"\t\t\t\t<Publish />\n");
1206 fprintf(file,
"\t\t\t</Key>\n");
1207 fprintf(file,
"\n");
1245 int keys_needed = 0;
1246 int keys_in_queue = 0;
1247 int keys_pending_retirement = 0;
1249 int key_pair_id = 0;
1256 if (datetime == NULL) {
1257 log_msg(NULL, LOG_DEBUG,
"Couldn't turn \"now\" into a date, quitting...");
1261 if (policy == NULL) {
1262 log_msg(NULL, LOG_ERR,
"NULL policy sent to allocateKeysToZone");
1268 log_msg(NULL, LOG_ERR,
"Unknown keytype: %i in allocateKeysToZone", key_type);
1282 status =
KsmKeyPredict(policy->
id, key_type, 1, interval, &keys_needed, rollover_scheme, 1);
1284 log_msg(NULL, LOG_ERR,
"Could not predict key requirement for next interval for %s", zone_name);
1292 log_msg(NULL, LOG_ERR,
"Could not count current key numbers for zone %s", zone_name);
1300 log_msg(NULL, LOG_ERR,
"Could not count keys which may retire before the next run (for zone %s)", zone_name);
1306 new_keys = keys_needed - (keys_in_queue - keys_pending_retirement);
1312 for (i=0 ; i < new_keys ; i++){
1316 if (status == -1 || key_pair_id == 0) {
1317 if (man_key_gen == 0) {
1318 log_msg(NULL, LOG_WARNING,
"Not enough keys to satisfy ksk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
1319 log_msg(NULL, LOG_WARNING,
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
1320 log_msg(NULL, LOG_WARNING,
"ods-enforcerd will create some more keys on its next run");
1323 log_msg(NULL, LOG_ERR,
"Not enough keys to satisfy ksk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
1324 log_msg(NULL, LOG_ERR,
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
1325 log_msg(NULL, LOG_ERR,
"please use \"ods-ksmutil key generate\" to create some more keys.");
1329 else if (status != 0) {
1330 log_msg(NULL, LOG_ERR,
"Could not get an unallocated ksk for zone: %s", zone_name);
1335 if (status == -1 || key_pair_id == 0) {
1336 if (man_key_gen == 0) {
1337 log_msg(NULL, LOG_WARNING,
"Not enough keys to satisfy zsk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
1338 log_msg(NULL, LOG_WARNING,
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
1339 log_msg(NULL, LOG_WARNING,
"ods-enforcerd will create some more keys on its next run");
1342 log_msg(NULL, LOG_WARNING,
"Not enough keys to satisfy zsk policy for zone: %s. keys_to_allocate(%d) = keys_needed(%d) - (keys_available(%d) - keys_pending_retirement(%d))\n", zone_name, new_keys, keys_needed, keys_in_queue, keys_pending_retirement);
1343 log_msg(NULL, LOG_WARNING,
"Tried to allocate %d keys, failed on allocating key number %d", new_keys, i+1);
1344 log_msg(NULL, LOG_ERR,
"please use \"ods-ksmutil key generate\" to create some more keys.");
1348 else if (status != 0) {
1349 log_msg(NULL, LOG_ERR,
"Could not get an unallocated zsk for zone: %s", zone_name);
1353 if(key_pair_id > 0) {
1358 log_msg(NULL, LOG_ERR,
"KsmKeyGetUnallocated returned bad key_id %d for zone: %s; exiting...", key_pair_id, zone_name);
1363 log_msg(NULL, LOG_DEBUG,
"%s key allocation for zone %s: %d key(s) allocated\n", key_type ==
KSM_TYPE_KSK ?
"KSK" :
"ZSK", zone_name, new_keys);
1373 xmlTextReaderPtr reader = NULL;
1374 xmlDocPtr doc = NULL;
1375 xmlXPathContextPtr xpathCtx = NULL;
1376 xmlXPathObjectPtr xpathObj = NULL;
1378 char* temp_char = NULL;
1379 char* tag_name = NULL;
1381 xmlChar *zonelist_expr = (
unsigned char*)
"//Common/ZoneListFile";
1384 reader = xmlNewTextReaderFilename(filename);
1385 if (reader != NULL) {
1386 ret = xmlTextReaderRead(reader);
1388 tag_name = (
char*) xmlTextReaderLocalName(reader);
1390 if (strncmp(tag_name,
"Common", 6) == 0
1391 && xmlTextReaderNodeType(reader) == 1) {
1394 xmlTextReaderExpand(reader);
1395 doc = xmlTextReaderCurrentDoc(reader);
1397 log_msg(NULL, LOG_ERR,
"Error: can not read Common section of %s", filename);
1399 ret = xmlTextReaderRead(reader);
1403 xpathCtx = xmlXPathNewContext(doc);
1404 if(xpathCtx == NULL) {
1405 log_msg(NULL, LOG_ERR,
"Error: can not create XPath context for Common section");
1407 ret = xmlTextReaderRead(reader);
1412 xpathObj = xmlXPathEvalExpression(zonelist_expr, xpathCtx);
1413 if(xpathObj == NULL) {
1414 log_msg(NULL, LOG_ERR,
"Error: unable to evaluate xpath expression: %s", zonelist_expr);
1416 ret = xmlTextReaderRead(reader);
1419 *zone_list_filename = NULL;
1420 temp_char = (
char *)xmlXPathCastToString(xpathObj);
1421 StrAppend(zone_list_filename, temp_char);
1423 xmlXPathFreeObject(xpathObj);
1424 log_msg(NULL, LOG_INFO,
"zonelist filename set to %s.", *zone_list_filename);
1427 ret = xmlTextReaderRead(reader);
1430 xmlFreeTextReader(reader);
1432 log_msg(NULL, LOG_ERR,
"%s : failed to parse", filename);
1436 log_msg(NULL, LOG_ERR,
"Unable to open %s", filename);
1440 xmlXPathFreeContext(xpathCtx);
1481 char* temp_loc = NULL;
1487 hsm_key_t *key = NULL;
1489 log_msg(NULL, LOG_DEBUG,
"Purging keys...");
1494 if (rightnow == NULL) {
1495 log_msg(NULL, LOG_ERR,
"Couldn't turn \"now\" into a date, quitting...");
1500 StrAppend(&sql,
"select distinct id, location from KEYDATA_VIEW where state = 6 ");
1502 if (policy_id != -1) {
1514 while (status == 0) {
1516 DbInt(row, 0, &temp_id);
1525 log_msg(NULL, LOG_ERR,
"DbDateDiff failed\n");
1534 StrAppend(&sql1,
" or state = 6 and DEAD > ");
1589 key = hsm_find_key_by_id(NULL, temp_loc);
1592 log_msg(NULL, LOG_ERR,
"Key not found: %s\n", temp_loc);
1600 status = hsm_remove_key(NULL, key);
1605 log_msg(NULL, LOG_INFO,
"Key remove successful: %s\n", temp_loc);
1607 log_msg(NULL, LOG_ERR,
"Key remove failed: %s\n", temp_loc);
1638 int NewDSSet(
int zone_id,
const char* zone_name,
const char* DSSubmitCmd,
int DSSubCKA_ID) {
1652 char* count_clause = NULL;
1653 char* where_clause = NULL;
1655 int active_count = -1;
1660 char* ds_buffer = NULL;
1661 char* ds_seen_buffer = NULL;
1662 char* temp_char = NULL;
1670 hsm_key_t *key = NULL;
1671 ldns_rr *dnskey_rr = NULL;
1672 hsm_sign_params_t *sign_params = NULL;
1675 int bytes_written = -1;
1677 struct stat stat_ret;
1679 nchar = snprintf(buffer,
sizeof(buffer),
"(%d, %d, %d, %d, %d, %d, %d, %d)",
1683 if (nchar >=
sizeof(buffer)) {
1694 if (zone_id != -1) {
1702 log_msg(NULL, LOG_ERR,
"Error: failed to find ID of key to retire\n");
1706 if (active_count > 0) {
1709 StrAppend(&where_clause,
"select id from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
1711 StrAppend(&where_clause,
" and retire = (select min(retire) from KEYDATA_VIEW where state = 4 and keytype = 257 and zone_id = ");
1720 log_msg(NULL, LOG_ERR,
"Error: failed to find ID of key to retire\n");
1730 if (zone_id != -1) {
1752 keyids =
MemMalloc(count *
sizeof(
int));
1760 if (zone_id != -1) {
1772 while (status == 0) {
1773 status =
KsmKey(result, &data);
1804 for (j = 0; j < i; ++j) {
1808 snprintf(buffer,
sizeof(buffer),
"%d", keyids[j]);
1821 log_msg(NULL, LOG_INFO,
"DS Record set has changed, the current set looks like:");
1826 status =
KsmKey(result3, &data3);
1827 while (status == 0) {
1830 key = hsm_find_key_by_id(NULL, data3.
location);
1833 log_msg(NULL, LOG_ERR,
"Key %s in DB but not repository.", data3.
location);
1841 sign_params = hsm_sign_params_new();
1842 sign_params->owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, zone_name);
1843 sign_params->algorithm = data3.
algorithm;
1844 sign_params->flags = LDNS_KEY_ZONE_KEY;
1845 sign_params->flags += LDNS_KEY_SEP_KEY;
1846 dnskey_rr = hsm_get_dnskey(NULL, key, sign_params);
1856 ldns_rr_set_ttl(dnskey_rr, rrttl);
1860 temp_char = ldns_rr2str(dnskey_rr);
1861 ldns_rr_free(dnskey_rr);
1864 for (i = 0; temp_char[i]; ++i) {
1865 if (temp_char[i] ==
'\t') {
1869 log_msg(NULL, LOG_INFO,
"%s", temp_char);
1873 for (i = 0; temp_char[i]; ++i) {
1874 if (temp_char[i] ==
';') {
1875 temp_char[i] =
'\n';
1876 temp_char[i+1] =
'\0';
1904 hsm_sign_params_free(sign_params);
1906 status =
KsmKey(result3, &data3);
1916 if (DSSubmitCmd[0] !=
'\0') {
1918 if (stat(DSSubmitCmd, &stat_ret) != 0) {
1919 log_msg(NULL, LOG_WARNING,
"Cannot stat file %s: %s", DSSubmitCmd, strerror(errno));
1922 else if (S_ISREG(stat_ret.st_mode) && !(stat_ret.st_mode & S_IXUSR || stat_ret.st_mode & S_IXGRP || stat_ret.st_mode & S_IXOTH)) {
1923 log_msg(NULL, LOG_WARNING,
"File %s is not executable", DSSubmitCmd);
1928 fp = popen(DSSubmitCmd,
"w");
1930 log_msg(NULL, LOG_ERR,
"Failed to run command: %s: %s", DSSubmitCmd, strerror(errno));
1934 bytes_written = fprintf(fp,
"%s", ds_buffer);
1935 if (bytes_written < 0) {
1936 log_msg(NULL, LOG_ERR,
"Failed to write to %s: %s", DSSubmitCmd, strerror(errno));
1940 if (pclose(fp) == -1) {
1941 log_msg(NULL, LOG_ERR,
"Failed to close %s: %s", DSSubmitCmd, strerror(errno));
1952 log_msg(NULL, LOG_INFO,
"Once the new DS records are seen in DNS please issue the ds-seen command for zone %s with the following cka_ids%s", zone_name, ds_seen_buffer);
1964 char *hsm_error_message = NULL;
1966 result = hsm_check_context(*ctx);
1969 if (result != HSM_OK) {
1972 hsm_destroy_context(*ctx);
1975 result = hsm_close();
1978 result = hsm_open(config->
configfile, hsm_check_pin);
1980 result = hsm_open(OPENDNSSEC_CONFIG_FILE, hsm_check_pin);
1983 hsm_error_message = hsm_get_error(*ctx);
1984 if (hsm_error_message) {
1985 log_msg(config, LOG_ERR, hsm_error_message);
1986 free(hsm_error_message);
1993 log_msg(config, LOG_ERR,
"hsm_open() result: HSM error");
1995 case HSM_PIN_INCORRECT:
1996 log_msg(config, LOG_ERR,
"hsm_open() result: incorrect PIN");
1998 case HSM_CONFIG_FILE_ERROR:
1999 log_msg(config, LOG_ERR,
"hsm_open() result: config file error");
2001 case HSM_REPOSITORY_NOT_FOUND:
2002 log_msg(config, LOG_ERR,
"hsm_open() result: repository not found");
2004 case HSM_NO_REPOSITORIES:
2005 log_msg(config, LOG_ERR,
"hsm_open() result: no repositories");
2008 log_msg(config, LOG_ERR,
"hsm_open() result: %d", result);
2014 log_msg(config, LOG_INFO,
"HSM reopened successfully.");
2015 *ctx = hsm_create_context();
2017 log_msg(config, LOG_INFO,
"HSM connection open.");