Update repub branch u/fanf2/patch to rebasing branch u/fanf2/rebasing revision v9_13_...
[ipreg/bind9.git] / bin / dnssec / dnssec-dsfromkey.c
CommitLineData
582f8b9a 1/*
843d3896 2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
582f8b9a 3 *
0c27b3fe
MA
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
843d3896
OS
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
582f8b9a
MA
10 */
11
582f8b9a
MA
12/*! \file */
13
cb6a185c 14#include <inttypes.h>
994e6569 15#include <stdbool.h>
582f8b9a
MA
16#include <stdlib.h>
17
18#include <isc/buffer.h>
19#include <isc/commandline.h>
582f8b9a
MA
20#include <isc/hash.h>
21#include <isc/mem.h>
22#include <isc/print.h>
23#include <isc/string.h>
24#include <isc/util.h>
25
0a824926 26#include <dns/callbacks.h>
582f8b9a
MA
27#include <dns/db.h>
28#include <dns/dbiterator.h>
29#include <dns/ds.h>
30#include <dns/fixedname.h>
553ead32 31#include <dns/keyvalues.h>
0a824926 32#include <dns/log.h>
553ead32 33#include <dns/master.h>
582f8b9a
MA
34#include <dns/name.h>
35#include <dns/rdata.h>
36#include <dns/rdataclass.h>
37#include <dns/rdataset.h>
38#include <dns/rdatasetiter.h>
39#include <dns/rdatatype.h>
40#include <dns/result.h>
41
42#include <dst/dst.h>
43
c3b8130f 44#if USE_PKCS11
acbb301e
EH
45#include <pk11/result.h>
46#endif
47
582f8b9a
MA
48#include "dnssectool.h"
49
553ead32 50#ifndef PATH_MAX
f0f71420 51#define PATH_MAX 1024 /* WIN32, and others don't define this. */
553ead32
EH
52#endif
53
582f8b9a
MA
54const char *program = "dnssec-dsfromkey";
55int verbose;
56
57static dns_rdataclass_t rdclass;
b272d38c
EH
58static dns_fixedname_t fixed;
59static dns_name_t *name = NULL;
b272d38c 60static isc_mem_t *mctx = NULL;
cb6a185c 61static uint32_t ttl;
994e6569 62static bool emitttl = false;
582f8b9a 63
553ead32
EH
64static isc_result_t
65initname(char *setname) {
66 isc_result_t result;
67 isc_buffer_t buf;
582f8b9a 68
4df4a8e7 69 name = dns_fixedname_initname(&fixed);
26d8ffe7
AU
70
71 isc_buffer_init(&buf, setname, strlen(setname));
72 isc_buffer_add(&buf, strlen(setname));
307d2084 73 result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
553ead32
EH
74 return (result);
75}
582f8b9a 76
0a824926
MA
77static void
78db_load_from_stream(dns_db_t *db, FILE *fp) {
79 isc_result_t result;
80 dns_rdatacallbacks_t callbacks;
81
82 dns_rdatacallbacks_init(&callbacks);
7829fad4 83 result = dns_db_beginload(db, &callbacks);
0a824926
MA
84 if (result != ISC_R_SUCCESS)
85 fatal("dns_db_beginload failed: %s", isc_result_totext(result));
86
87 result = dns_master_loadstream(fp, name, name, rdclass, 0,
88 &callbacks, mctx);
89 if (result != ISC_R_SUCCESS)
90 fatal("can't load from input: %s", isc_result_totext(result));
06140f73 91
7829fad4 92 result = dns_db_endload(db, &callbacks);
0a824926
MA
93 if (result != ISC_R_SUCCESS)
94 fatal("dns_db_endload failed: %s", isc_result_totext(result));
95}
96
553ead32 97static isc_result_t
0a824926 98loadset(const char *filename, dns_rdataset_t *rdataset) {
553ead32
EH
99 isc_result_t result;
100 dns_db_t *db = NULL;
101 dns_dbnode_t *node = NULL;
102 char setname[DNS_NAME_FORMATSIZE];
b272d38c 103
553ead32 104 dns_name_format(name, setname, sizeof(setname));
582f8b9a
MA
105
106 result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
107 rdclass, 0, NULL, &db);
108 if (result != ISC_R_SUCCESS)
109 fatal("can't create database");
110
0a824926
MA
111 if (strcmp(filename, "-") == 0) {
112 db_load_from_stream(db, stdin);
113 filename = "input";
114 } else {
275a6a3b 115 result = dns_db_load(db, filename, dns_masterformat_text, 0);
0a824926
MA
116 if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
117 fatal("can't load %s: %s", filename,
118 isc_result_totext(result));
119 }
582f8b9a 120
994e6569 121 result = dns_db_findnode(db, name, false, &node);
582f8b9a
MA
122 if (result != ISC_R_SUCCESS)
123 fatal("can't find %s node in %s", setname, filename);
124
125 result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
553ead32
EH
126 0, 0, rdataset, NULL);
127
582f8b9a
MA
128 if (result == ISC_R_NOTFOUND)
129 fatal("no DNSKEY RR for %s in %s", setname, filename);
130 else if (result != ISC_R_SUCCESS)
131 fatal("dns_db_findrdataset");
553ead32
EH
132
133 if (node != NULL)
134 dns_db_detachnode(db, &node);
135 if (db != NULL)
136 dns_db_detach(&db);
137 return (result);
138}
139
140static isc_result_t
141loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
142 isc_result_t result;
143 char filename[PATH_MAX + 1];
144 isc_buffer_t buf;
145
146 dns_rdataset_init(rdataset);
147
148 isc_buffer_init(&buf, filename, sizeof(filename));
149 if (dirname != NULL) {
150 /* allow room for a trailing slash */
151 if (strlen(dirname) >= isc_buffer_availablelength(&buf))
152 return (ISC_R_NOSPACE);
153 isc_buffer_putstr(&buf, dirname);
154 if (dirname[strlen(dirname) - 1] != '/')
155 isc_buffer_putstr(&buf, "/");
156 }
157
158 if (isc_buffer_availablelength(&buf) < 7)
159 return (ISC_R_NOSPACE);
160 isc_buffer_putstr(&buf, "keyset-");
161
994e6569 162 result = dns_name_tofilenametext(name, false, &buf);
553ead32
EH
163 check_result(result, "dns_name_tofilenametext()");
164 if (isc_buffer_availablelength(&buf) == 0)
165 return (ISC_R_NOSPACE);
166 isc_buffer_putuint8(&buf, 0);
167
0a824926 168 return (loadset(filename, rdataset));
582f8b9a
MA
169}
170
171static void
52dec699
MA
172loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
173 dns_rdata_t *rdata)
582f8b9a
MA
174{
175 isc_result_t result;
176 dst_key_t *key = NULL;
582f8b9a
MA
177 isc_buffer_t keyb;
178 isc_region_t r;
179
582f8b9a
MA
180 dns_rdata_init(rdata);
181
52dec699 182 isc_buffer_init(&keyb, key_buf, key_buf_size);
582f8b9a 183
553ead32
EH
184 result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
185 mctx, &key);
582f8b9a 186 if (result != ISC_R_SUCCESS)
c150f686 187 fatal("can't load %s.key: %s",
582f8b9a
MA
188 filename, isc_result_totext(result));
189
190 if (verbose > 2) {
77b8f88f 191 char keystr[DST_KEY_FORMATSIZE];
582f8b9a 192
77b8f88f 193 dst_key_format(key, keystr, sizeof(keystr));
582f8b9a
MA
194 fprintf(stderr, "%s: %s\n", program, keystr);
195 }
196
197 result = dst_key_todns(key, &keyb);
198 if (result != ISC_R_SUCCESS)
199 fatal("can't decode key");
200
201 isc_buffer_usedregion(&keyb, &r);
202 dns_rdata_fromregion(rdata, dst_key_class(key),
203 dns_rdatatype_dnskey, &r);
204
205 rdclass = dst_key_class(key);
206
4df4a8e7 207 name = dns_fixedname_initname(&fixed);
582f8b9a
MA
208 result = dns_name_copy(dst_key_name(key), name, NULL);
209 if (result != ISC_R_SUCCESS)
210 fatal("can't copy name");
211
212 dst_key_free(&key);
213}
214
215static void
216logkey(dns_rdata_t *rdata)
217{
218 isc_result_t result;
219 dst_key_t *key = NULL;
220 isc_buffer_t buf;
77b8f88f 221 char keystr[DST_KEY_FORMATSIZE];
582f8b9a
MA
222
223 isc_buffer_init(&buf, rdata->data, rdata->length);
224 isc_buffer_add(&buf, rdata->length);
225 result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
226 if (result != ISC_R_SUCCESS)
227 return;
228
77b8f88f 229 dst_key_format(key, keystr, sizeof(keystr));
582f8b9a
MA
230 fprintf(stderr, "%s: %s\n", program, keystr);
231
232 dst_key_free(&key);
233}
234
235static void
0f219714 236emit(dns_dsdigest_t dtype, bool showall, char *lookaside,
994e6569 237 bool cds, dns_rdata_t *rdata)
582f8b9a 238{
553ead32
EH
239 isc_result_t result;
240 unsigned char buf[DNS_DS_BUFFERSIZE];
241 char text_buf[DST_KEY_MAXTEXTSIZE];
242 char name_buf[DNS_NAME_MAXWIRE];
243 char class_buf[10];
244 isc_buffer_t textb, nameb, classb;
245 isc_region_t r;
246 dns_rdata_t ds;
247 dns_rdata_dnskey_t dnskey;
582f8b9a
MA
248
249 isc_buffer_init(&textb, text_buf, sizeof(text_buf));
b272d38c 250 isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
582f8b9a
MA
251 isc_buffer_init(&classb, class_buf, sizeof(class_buf));
252
253 dns_rdata_init(&ds);
254
553ead32
EH
255 result = dns_rdata_tostruct(rdata, &dnskey, NULL);
256 if (result != ISC_R_SUCCESS)
257 fatal("can't convert DNSKEY");
258
259 if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
260 return;
261
582f8b9a
MA
262 result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
263 if (result != ISC_R_SUCCESS)
b272d38c
EH
264 fatal("can't build record");
265
994e6569 266 result = dns_name_totext(name, false, &nameb);
b272d38c
EH
267 if (result != ISC_R_SUCCESS)
268 fatal("can't print name");
269
270 /* Add lookaside origin, if set */
271 if (lookaside != NULL) {
272 if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
273 fatal("DLV origin '%s' is too long", lookaside);
274 isc_buffer_putstr(&nameb, lookaside);
275 if (lookaside[strlen(lookaside) - 1] != '.') {
276 if (isc_buffer_availablelength(&nameb) < 1)
277 fatal("DLV origin '%s' is too long", lookaside);
278 isc_buffer_putstr(&nameb, ".");
279 }
280 }
582f8b9a 281
b13b4520
MA
282 result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
283 &textb);
284
582f8b9a 285 if (result != ISC_R_SUCCESS)
b272d38c 286 fatal("can't print rdata");
582f8b9a
MA
287
288 result = dns_rdataclass_totext(rdclass, &classb);
289 if (result != ISC_R_SUCCESS)
b272d38c 290 fatal("can't print class");
582f8b9a 291
b272d38c 292 isc_buffer_usedregion(&nameb, &r);
ab6c20f9 293 printf("%.*s ", (int)r.length, r.base);
582f8b9a 294
e785f9c1 295 if (emitttl)
b1c6de54
MA
296 printf("%u ", ttl);
297
582f8b9a 298 isc_buffer_usedregion(&classb, &r);
ab6c20f9 299 printf("%.*s", (int)r.length, r.base);
582f8b9a 300
598b5026
MA
301 if (lookaside == NULL) {
302 if (cds)
303 printf(" CDS ");
304 else
305 printf(" DS ");
306 } else
b272d38c 307 printf(" DLV ");
582f8b9a
MA
308
309 isc_buffer_usedregion(&textb, &r);
ab6c20f9 310 printf("%.*s\n", (int)r.length, r.base);
582f8b9a
MA
311}
312
debd489a
FD
313ISC_PLATFORM_NORETURN_PRE static void
314usage(void) ISC_PLATFORM_NORETURN_POST;
315
582f8b9a
MA
316static void
317usage(void) {
318 fprintf(stderr, "Usage:\n");
6ca8e130
TF
319 fprintf(stderr, " %s [options] keyfile\n\n", program);
320 fprintf(stderr, " %s [options] -f zonefile [zonename]\n\n", program);
321 fprintf(stderr, " %s [options] -s dnsname\n\n", program);
322 fprintf(stderr, " %s [-h|-V]\n\n", program);
582f8b9a 323 fprintf(stderr, "Version: %s\n", VERSION);
6ca8e130
TF
324 fprintf(stderr, "Options:\n"
325" -1: digest algorithm SHA-1\n"
326" -2: digest algorithm SHA-256\n"
327" -a algorithm: digest algorithm (SHA-1, SHA-256 or SHA-384)\n"
328" -A: include all keys in DS set, not just KSKs (-f only)\n"
329" -c class: rdata class for DS set (default IN) (-f or -s only)\n"
330" -C: print CDS records\n"
331" -f zonefile: read keys from a zone file\n"
332" -h: print help information\n"
333" -K directory: where to find key or keyset files\n"
334" -l zone: print DLV records in the given lookaside zone\n"
335" -s: read keys from keyset-<dnsname> file\n"
336" -T: TTL of output records (omitted by default)\n"
337" -v level: verbosity\n"
338" -V: print version information\n");
339 fprintf(stderr, "Output: DS, DLV, or CDS RRs\n");
582f8b9a
MA
340
341 exit (-1);
342}
343
344int
345main(int argc, char **argv) {
ba37674d 346 char *classname = NULL;
553ead32 347 char *filename = NULL, *dir = NULL, *namestr;
b272d38c
EH
348 char *lookaside = NULL;
349 char *endp;
350 int ch;
0f219714 351 dns_dsdigest_t dtype = DNS_DSDIGEST_SHA1;
994e6569
OS
352 bool cds = false;
353 bool both = true;
354 bool usekeyset = false;
355 bool showall = false;
b272d38c 356 isc_result_t result;
553ead32 357 isc_log_t *log = NULL;
553ead32 358 dns_rdataset_t rdataset;
b272d38c 359 dns_rdata_t rdata;
582f8b9a
MA
360
361 dns_rdata_init(&rdata);
362
363 if (argc == 1)
364 usage();
365
366 result = isc_mem_create(0, 0, &mctx);
367 if (result != ISC_R_SUCCESS)
368 fatal("out of memory");
369
c3b8130f 370#if USE_PKCS11
acbb301e
EH
371 pk11_result_register();
372#endif
582f8b9a
MA
373 dns_result_register();
374
994e6569 375 isc_commandline_errprint = false;
582f8b9a 376
598b5026
MA
377#define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV"
378 while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
582f8b9a
MA
379 switch (ch) {
380 case '1':
381 dtype = DNS_DSDIGEST_SHA1;
994e6569 382 both = false;
582f8b9a
MA
383 break;
384 case '2':
385 dtype = DNS_DSDIGEST_SHA256;
994e6569 386 both = false;
582f8b9a 387 break;
553ead32 388 case 'A':
994e6569 389 showall = true;
553ead32 390 break;
582f8b9a 391 case 'a':
ba37674d 392 dtype = strtodsdigest(isc_commandline_argument);
994e6569 393 both = false;
582f8b9a 394 break;
598b5026
MA
395 case 'C':
396 if (lookaside != NULL)
397 fatal("lookaside and CDS are mutually"
398 " exclusive");
994e6569 399 cds = true;
598b5026 400 break;
582f8b9a
MA
401 case 'c':
402 classname = isc_commandline_argument;
403 break;
404 case 'd':
553ead32
EH
405 fprintf(stderr, "%s: the -d option is deprecated; "
406 "use -K\n", program);
407 /* fall through */
408 case 'K':
409 dir = isc_commandline_argument;
50eab6c2 410 if (strlen(dir) == 0U)
553ead32
EH
411 fatal("directory must be non-empty string");
412 break;
413 case 'f':
414 filename = isc_commandline_argument;
b272d38c
EH
415 break;
416 case 'l':
598b5026
MA
417 if (cds)
418 fatal("lookaside and CDS are mutually"
419 " exclusive");
b272d38c 420 lookaside = isc_commandline_argument;
50eab6c2 421 if (strlen(lookaside) == 0U)
b272d38c 422 fatal("lookaside must be a non-empty string");
582f8b9a
MA
423 break;
424 case 's':
994e6569 425 usekeyset = true;
582f8b9a 426 break;
b1c6de54 427 case 'T':
994e6569 428 emitttl = true;
ba37674d 429 ttl = strtottl(isc_commandline_argument);
b1c6de54 430 break;
582f8b9a
MA
431 case 'v':
432 verbose = strtol(isc_commandline_argument, &endp, 0);
433 if (*endp != '\0')
434 fatal("-v must be followed by a number");
435 break;
ddac1a2b
FD
436 case 'F':
437 /* Reserved for FIPS mode */
438 /* FALLTHROUGH */
582f8b9a
MA
439 case '?':
440 if (isc_commandline_option != '?')
441 fprintf(stderr, "%s: invalid argument -%c\n",
442 program, isc_commandline_option);
ddac1a2b 443 /* FALLTHROUGH */
582f8b9a 444 case 'h':
42782931 445 /* Does not return. */
582f8b9a
MA
446 usage();
447
42782931
MS
448 case 'V':
449 /* Does not return. */
450 version(program);
451
582f8b9a
MA
452 default:
453 fprintf(stderr, "%s: unhandled option -%c\n",
454 program, isc_commandline_option);
455 exit(1);
456 }
457 }
458
582f8b9a
MA
459 rdclass = strtoclass(classname);
460
553ead32
EH
461 if (usekeyset && filename != NULL)
462 fatal("cannot use both -s and -f");
463
464 /* When not using -f, -A is implicit */
465 if (filename == NULL)
994e6569 466 showall = true;
553ead32 467
26d8ffe7 468 if (argc < isc_commandline_index + 1 && filename == NULL)
582f8b9a
MA
469 fatal("the key file name was not specified");
470 if (argc > isc_commandline_index + 1)
471 fatal("extraneous arguments");
472
3a4f820d 473 result = dst_lib_init(mctx, NULL);
582f8b9a 474 if (result != ISC_R_SUCCESS)
8b78c993
FD
475 fatal("could not initialize dst: %s",
476 isc_result_totext(result));
582f8b9a 477
11463c0a 478 setup_logging(mctx, &log);
582f8b9a 479
553ead32
EH
480 dns_rdataset_init(&rdataset);
481
482 if (usekeyset || filename != NULL) {
483 if (argc < isc_commandline_index + 1 && filename != NULL) {
484 /* using zone name as the zone file name */
485 namestr = filename;
486 } else
487 namestr = argv[isc_commandline_index];
582f8b9a 488
553ead32
EH
489 result = initname(namestr);
490 if (result != ISC_R_SUCCESS)
491 fatal("could not initialize name %s", namestr);
492
493 if (usekeyset)
494 result = loadkeyset(dir, &rdataset);
495 else
0a824926 496 result = loadset(filename, &rdataset);
553ead32
EH
497
498 if (result != ISC_R_SUCCESS)
499 fatal("could not load DNSKEY set: %s\n",
500 isc_result_totext(result));
501
502 for (result = dns_rdataset_first(&rdataset);
582f8b9a 503 result == ISC_R_SUCCESS;
553ead32 504 result = dns_rdataset_next(&rdataset)) {
582f8b9a 505 dns_rdata_init(&rdata);
553ead32 506 dns_rdataset_current(&rdataset, &rdata);
582f8b9a
MA
507
508 if (verbose > 2)
509 logkey(&rdata);
510
511 if (both) {
553ead32 512 emit(DNS_DSDIGEST_SHA1, showall, lookaside,
598b5026 513 cds, &rdata);
553ead32 514 emit(DNS_DSDIGEST_SHA256, showall, lookaside,
598b5026 515 cds, &rdata);
582f8b9a 516 } else
598b5026 517 emit(dtype, showall, lookaside, cds, &rdata);
582f8b9a
MA
518 }
519 } else {
52dec699
MA
520 unsigned char key_buf[DST_KEY_MAXSIZE];
521
522 loadkey(argv[isc_commandline_index], key_buf,
523 DST_KEY_MAXSIZE, &rdata);
582f8b9a
MA
524
525 if (both) {
598b5026
MA
526 emit(DNS_DSDIGEST_SHA1, showall, lookaside, cds,
527 &rdata);
528 emit(DNS_DSDIGEST_SHA256, showall, lookaside, cds,
529 &rdata);
582f8b9a 530 } else
598b5026 531 emit(dtype, showall, lookaside, cds, &rdata);
582f8b9a
MA
532 }
533
553ead32
EH
534 if (dns_rdataset_isassociated(&rdataset))
535 dns_rdataset_disassociate(&rdataset);
582f8b9a 536 cleanup_logging(&log);
586e65ea 537 dst_lib_destroy();
582f8b9a
MA
538 dns_name_destroy();
539 if (verbose > 10)
540 isc_mem_stats(mctx, stdout);
541 isc_mem_destroy(&mctx);
542
98b2be76
MA
543 fflush(stdout);
544 if (ferror(stdout)) {
545 fprintf(stderr, "write error\n");
546 return (1);
547 } else
548 return (0);
582f8b9a 549}