2 * Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
4 * Permission to use, copy, modify, and/or distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 * PERFORMANCE OF THIS SOFTWARE.
17 /* $Id: dnssec-dsfromkey.c,v 1.24 2011/10/25 01:54:18 marka Exp $ */
25 #include <isc/buffer.h>
26 #include <isc/commandline.h>
27 #include <isc/entropy.h>
30 #include <isc/print.h>
31 #include <isc/string.h>
34 #include <dns/callbacks.h>
36 #include <dns/dbiterator.h>
38 #include <dns/fixedname.h>
39 #include <dns/keyvalues.h>
41 #include <dns/master.h>
43 #include <dns/rdata.h>
44 #include <dns/rdataclass.h>
45 #include <dns/rdataset.h>
46 #include <dns/rdatasetiter.h>
47 #include <dns/rdatatype.h>
48 #include <dns/result.h>
52 #include "dnssectool.h"
55 #define PATH_MAX 1024 /* AIX, WIN32, and others don't define this. */
58 const char *program = "dnssec-dsfromkey";
61 static dns_rdataclass_t rdclass;
62 static dns_fixedname_t fixed;
63 static dns_name_t *name = NULL;
64 static isc_mem_t *mctx = NULL;
65 static isc_uint32_t ttl;
68 initname(char *setname) {
72 dns_fixedname_init(&fixed);
73 name = dns_fixedname_name(&fixed);
75 isc_buffer_init(&buf, setname, strlen(setname));
76 isc_buffer_add(&buf, strlen(setname));
77 result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
82 db_load_from_stream(dns_db_t *db, FILE *fp) {
84 dns_rdatacallbacks_t callbacks;
86 dns_rdatacallbacks_init(&callbacks);
87 result = dns_db_beginload(db, &callbacks.add, &callbacks.add_private);
88 if (result != ISC_R_SUCCESS)
89 fatal("dns_db_beginload failed: %s", isc_result_totext(result));
91 result = dns_master_loadstream(fp, name, name, rdclass, 0,
93 if (result != ISC_R_SUCCESS)
94 fatal("can't load from input: %s", isc_result_totext(result));
96 result = dns_db_endload(db, &callbacks.add_private);
97 if (result != ISC_R_SUCCESS)
98 fatal("dns_db_endload failed: %s", isc_result_totext(result));
102 loadset(const char *filename, dns_rdataset_t *rdataset) {
105 dns_dbnode_t *node = NULL;
106 char setname[DNS_NAME_FORMATSIZE];
108 dns_name_format(name, setname, sizeof(setname));
110 result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
111 rdclass, 0, NULL, &db);
112 if (result != ISC_R_SUCCESS)
113 fatal("can't create database");
115 if (strcmp(filename, "-") == 0) {
116 db_load_from_stream(db, stdin);
119 result = dns_db_load(db, filename);
120 if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
121 fatal("can't load %s: %s", filename,
122 isc_result_totext(result));
125 result = dns_db_findnode(db, name, ISC_FALSE, &node);
126 if (result != ISC_R_SUCCESS)
127 fatal("can't find %s node in %s", setname, filename);
129 result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
130 0, 0, rdataset, NULL);
132 if (result == ISC_R_NOTFOUND)
133 fatal("no DNSKEY RR for %s in %s", setname, filename);
134 else if (result != ISC_R_SUCCESS)
135 fatal("dns_db_findrdataset");
138 dns_db_detachnode(db, &node);
145 loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
147 char filename[PATH_MAX + 1];
150 dns_rdataset_init(rdataset);
152 isc_buffer_init(&buf, filename, sizeof(filename));
153 if (dirname != NULL) {
154 /* allow room for a trailing slash */
155 if (strlen(dirname) >= isc_buffer_availablelength(&buf))
156 return (ISC_R_NOSPACE);
157 isc_buffer_putstr(&buf, dirname);
158 if (dirname[strlen(dirname) - 1] != '/')
159 isc_buffer_putstr(&buf, "/");
162 if (isc_buffer_availablelength(&buf) < 7)
163 return (ISC_R_NOSPACE);
164 isc_buffer_putstr(&buf, "keyset-");
166 result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
167 check_result(result, "dns_name_tofilenametext()");
168 if (isc_buffer_availablelength(&buf) == 0)
169 return (ISC_R_NOSPACE);
170 isc_buffer_putuint8(&buf, 0);
172 return (loadset(filename, rdataset));
176 loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
180 dst_key_t *key = NULL;
184 dns_rdata_init(rdata);
186 isc_buffer_init(&keyb, key_buf, key_buf_size);
188 result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
190 if (result != ISC_R_SUCCESS)
191 fatal("invalid keyfile name %s: %s",
192 filename, isc_result_totext(result));
195 char keystr[DST_KEY_FORMATSIZE];
197 dst_key_format(key, keystr, sizeof(keystr));
198 fprintf(stderr, "%s: %s\n", program, keystr);
201 result = dst_key_todns(key, &keyb);
202 if (result != ISC_R_SUCCESS)
203 fatal("can't decode key");
205 isc_buffer_usedregion(&keyb, &r);
206 dns_rdata_fromregion(rdata, dst_key_class(key),
207 dns_rdatatype_dnskey, &r);
209 rdclass = dst_key_class(key);
211 dns_fixedname_init(&fixed);
212 name = dns_fixedname_name(&fixed);
213 result = dns_name_copy(dst_key_name(key), name, NULL);
214 if (result != ISC_R_SUCCESS)
215 fatal("can't copy name");
221 logkey(dns_rdata_t *rdata)
224 dst_key_t *key = NULL;
226 char keystr[DST_KEY_FORMATSIZE];
228 isc_buffer_init(&buf, rdata->data, rdata->length);
229 isc_buffer_add(&buf, rdata->length);
230 result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
231 if (result != ISC_R_SUCCESS)
234 dst_key_format(key, keystr, sizeof(keystr));
235 fprintf(stderr, "%s: %s\n", program, keystr);
241 emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
245 unsigned char buf[DNS_DS_BUFFERSIZE];
246 char text_buf[DST_KEY_MAXTEXTSIZE];
247 char name_buf[DNS_NAME_MAXWIRE];
249 isc_buffer_t textb, nameb, classb;
252 dns_rdata_dnskey_t dnskey;
254 isc_buffer_init(&textb, text_buf, sizeof(text_buf));
255 isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
256 isc_buffer_init(&classb, class_buf, sizeof(class_buf));
260 result = dns_rdata_tostruct(rdata, &dnskey, NULL);
261 if (result != ISC_R_SUCCESS)
262 fatal("can't convert DNSKEY");
264 if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
267 result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
268 if (result != ISC_R_SUCCESS)
269 fatal("can't build record");
271 result = dns_name_totext(name, ISC_FALSE, &nameb);
272 if (result != ISC_R_SUCCESS)
273 fatal("can't print name");
275 /* Add lookaside origin, if set */
276 if (lookaside != NULL) {
277 if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
278 fatal("DLV origin '%s' is too long", lookaside);
279 isc_buffer_putstr(&nameb, lookaside);
280 if (lookaside[strlen(lookaside) - 1] != '.') {
281 if (isc_buffer_availablelength(&nameb) < 1)
282 fatal("DLV origin '%s' is too long", lookaside);
283 isc_buffer_putstr(&nameb, ".");
287 result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
290 if (result != ISC_R_SUCCESS)
291 fatal("can't print rdata");
293 result = dns_rdataclass_totext(rdclass, &classb);
294 if (result != ISC_R_SUCCESS)
295 fatal("can't print class");
297 isc_buffer_usedregion(&nameb, &r);
298 printf("%.*s ", (int)r.length, r.base);
303 isc_buffer_usedregion(&classb, &r);
304 printf("%.*s", (int)r.length, r.base);
306 if (lookaside == NULL)
311 isc_buffer_usedregion(&textb, &r);
312 printf("%.*s\n", (int)r.length, r.base);
315 ISC_PLATFORM_NORETURN_PRE static void
316 usage(void) ISC_PLATFORM_NORETURN_POST;
320 fprintf(stderr, "Usage:\n");
321 fprintf(stderr, " %s options [-K dir] keyfile\n\n", program);
322 fprintf(stderr, " %s options [-K dir] [-c class] -s dnsname\n\n",
324 fprintf(stderr, " %s options -f zonefile (as zone name)\n\n", program);
325 fprintf(stderr, " %s options -f zonefile zonename\n\n", program);
326 fprintf(stderr, "Version: %s\n", VERSION);
327 fprintf(stderr, "Options:\n");
328 fprintf(stderr, " -v <verbose level>\n");
329 fprintf(stderr, " -K <directory>: directory in which to find "
330 "key file or keyset file\n");
331 fprintf(stderr, " -a algorithm: digest algorithm "
332 "(SHA-1, SHA-256, GOST or SHA-384)\n");
333 fprintf(stderr, " -1: use SHA-1\n");
334 fprintf(stderr, " -2: use SHA-256\n");
335 fprintf(stderr, " -l: add lookaside zone and print DLV records\n");
336 fprintf(stderr, " -s: read keyset from keyset-<dnsname> file\n");
337 fprintf(stderr, " -c class: rdata class for DS set (default: IN)\n");
338 fprintf(stderr, " -T TTL\n");
339 fprintf(stderr, " -f file: read keyset from zone file\n");
340 fprintf(stderr, " -A: when used with -f, "
341 "include all keys in DS set, not just KSKs\n");
342 fprintf(stderr, "Output: DS or DLV RRs\n");
348 main(int argc, char **argv) {
349 char *algname = NULL, *classname = NULL;
350 char *filename = NULL, *dir = NULL, *namestr;
351 char *lookaside = NULL;
354 unsigned int dtype = DNS_DSDIGEST_SHA1;
355 isc_boolean_t both = ISC_TRUE;
356 isc_boolean_t usekeyset = ISC_FALSE;
357 isc_boolean_t showall = ISC_FALSE;
359 isc_log_t *log = NULL;
360 isc_entropy_t *ectx = NULL;
361 dns_rdataset_t rdataset;
364 dns_rdata_init(&rdata);
369 result = isc_mem_create(0, 0, &mctx);
370 if (result != ISC_R_SUCCESS)
371 fatal("out of memory");
373 dns_result_register();
375 isc_commandline_errprint = ISC_FALSE;
377 while ((ch = isc_commandline_parse(argc, argv,
378 "12Aa:c:d:Ff:K:l:sT:v:h")) != -1) {
381 dtype = DNS_DSDIGEST_SHA1;
385 dtype = DNS_DSDIGEST_SHA256;
392 algname = isc_commandline_argument;
396 classname = isc_commandline_argument;
399 fprintf(stderr, "%s: the -d option is deprecated; "
400 "use -K\n", program);
403 dir = isc_commandline_argument;
404 if (strlen(dir) == 0U)
405 fatal("directory must be non-empty string");
408 filename = isc_commandline_argument;
411 lookaside = isc_commandline_argument;
412 if (strlen(lookaside) == 0U)
413 fatal("lookaside must be a non-empty string");
416 usekeyset = ISC_TRUE;
419 ttl = atol(isc_commandline_argument);
422 verbose = strtol(isc_commandline_argument, &endp, 0);
424 fatal("-v must be followed by a number");
427 /* Reserved for FIPS mode */
430 if (isc_commandline_option != '?')
431 fprintf(stderr, "%s: invalid argument -%c\n",
432 program, isc_commandline_option);
438 fprintf(stderr, "%s: unhandled option -%c\n",
439 program, isc_commandline_option);
444 if (algname != NULL) {
445 if (strcasecmp(algname, "SHA1") == 0 ||
446 strcasecmp(algname, "SHA-1") == 0)
447 dtype = DNS_DSDIGEST_SHA1;
448 else if (strcasecmp(algname, "SHA256") == 0 ||
449 strcasecmp(algname, "SHA-256") == 0)
450 dtype = DNS_DSDIGEST_SHA256;
451 #ifdef HAVE_OPENSSL_GOST
452 else if (strcasecmp(algname, "GOST") == 0)
453 dtype = DNS_DSDIGEST_GOST;
455 else if (strcasecmp(algname, "SHA384") == 0 ||
456 strcasecmp(algname, "SHA-384") == 0)
457 dtype = DNS_DSDIGEST_SHA384;
459 fatal("unknown algorithm %s", algname);
462 rdclass = strtoclass(classname);
464 if (usekeyset && filename != NULL)
465 fatal("cannot use both -s and -f");
467 /* When not using -f, -A is implicit */
468 if (filename == NULL)
471 if (argc < isc_commandline_index + 1 && filename == NULL)
472 fatal("the key file name was not specified");
473 if (argc > isc_commandline_index + 1)
474 fatal("extraneous arguments");
477 setup_entropy(mctx, NULL, &ectx);
478 result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
479 if (result != ISC_R_SUCCESS)
480 fatal("could not initialize hash");
481 result = dst_lib_init(mctx, ectx,
482 ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
483 if (result != ISC_R_SUCCESS)
484 fatal("could not initialize dst: %s",
485 isc_result_totext(result));
486 isc_entropy_stopcallbacksources(ectx);
488 setup_logging(verbose, mctx, &log);
490 dns_rdataset_init(&rdataset);
492 if (usekeyset || filename != NULL) {
493 if (argc < isc_commandline_index + 1 && filename != NULL) {
494 /* using zone name as the zone file name */
497 namestr = argv[isc_commandline_index];
499 result = initname(namestr);
500 if (result != ISC_R_SUCCESS)
501 fatal("could not initialize name %s", namestr);
504 result = loadkeyset(dir, &rdataset);
506 result = loadset(filename, &rdataset);
508 if (result != ISC_R_SUCCESS)
509 fatal("could not load DNSKEY set: %s\n",
510 isc_result_totext(result));
512 for (result = dns_rdataset_first(&rdataset);
513 result == ISC_R_SUCCESS;
514 result = dns_rdataset_next(&rdataset)) {
515 dns_rdata_init(&rdata);
516 dns_rdataset_current(&rdataset, &rdata);
522 emit(DNS_DSDIGEST_SHA1, showall, lookaside,
524 emit(DNS_DSDIGEST_SHA256, showall, lookaside,
527 emit(dtype, showall, lookaside, &rdata);
530 unsigned char key_buf[DST_KEY_MAXSIZE];
532 loadkey(argv[isc_commandline_index], key_buf,
533 DST_KEY_MAXSIZE, &rdata);
536 emit(DNS_DSDIGEST_SHA1, showall, lookaside, &rdata);
537 emit(DNS_DSDIGEST_SHA256, showall, lookaside, &rdata);
539 emit(dtype, showall, lookaside, &rdata);
542 if (dns_rdataset_isassociated(&rdataset))
543 dns_rdataset_disassociate(&rdataset);
544 cleanup_logging(&log);
547 cleanup_entropy(&ectx);
550 isc_mem_stats(mctx, stdout);
551 isc_mem_destroy(&mctx);
554 if (ferror(stdout)) {
555 fprintf(stderr, "write error\n");