Update repub branch u/fanf2/patch to rebasing branch u/fanf2/rebasing revision v9_15_...
[ipreg/bind9.git] / bin / dnssec / dnssec-revoke.c
1 /*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
12 /*! \file */
13
14 #include <inttypes.h>
15 #include <stdbool.h>
16 #include <stdlib.h>
17 #include <unistd.h>
18
19 #include <isc/buffer.h>
20 #include <isc/commandline.h>
21 #include <isc/file.h>
22 #include <isc/hash.h>
23 #include <isc/mem.h>
24 #include <isc/print.h>
25 #include <isc/string.h>
26 #include <isc/util.h>
27
28 #include <dns/keyvalues.h>
29 #include <dns/result.h>
30
31 #include <dst/dst.h>
32
33 #if USE_PKCS11
34 #include <pk11/result.h>
35 #endif
36
37 #include "dnssectool.h"
38
39 const char *program = "dnssec-revoke";
40
41 static isc_mem_t *mctx = NULL;
42
43 ISC_PLATFORM_NORETURN_PRE static void
44 usage(void) ISC_PLATFORM_NORETURN_POST;
45
46 static void
47 usage(void) {
48 fprintf(stderr, "Usage:\n");
49 fprintf(stderr, " %s [options] keyfile\n\n", program);
50 fprintf(stderr, "Version: %s\n", VERSION);
51 #if USE_PKCS11
52 fprintf(stderr, " -E engine: specify PKCS#11 provider "
53 "(default: %s)\n", PK11_LIB_LOCATION);
54 #else
55 fprintf(stderr, " -E engine: specify OpenSSL engine\n");
56 #endif
57 fprintf(stderr, " -f: force overwrite\n");
58 fprintf(stderr, " -h: help\n");
59 fprintf(stderr, " -K directory: use directory for key files\n");
60 fprintf(stderr, " -r: remove old keyfiles after "
61 "creating revoked version\n");
62 fprintf(stderr, " -v level: set level of verbosity\n");
63 fprintf(stderr, " -V: print version information\n");
64 fprintf(stderr, "Output:\n");
65 fprintf(stderr, " K<name>+<alg>+<new id>.key, "
66 "K<name>+<alg>+<new id>.private\n");
67
68 exit (-1);
69 }
70
71 int
72 main(int argc, char **argv) {
73 isc_result_t result;
74 const char *engine = NULL;
75 char const *filename = NULL;
76 char *dir = NULL;
77 char newname[1024], oldname[1024];
78 char keystr[DST_KEY_FORMATSIZE];
79 char *endp;
80 int ch;
81 dst_key_t *key = NULL;
82 uint32_t flags;
83 isc_buffer_t buf;
84 bool force = false;
85 bool removefile = false;
86 bool id = false;
87
88 if (argc == 1)
89 usage();
90
91 result = isc_mem_create(0, 0, &mctx);
92 if (result != ISC_R_SUCCESS)
93 fatal("Out of memory");
94
95 #if HAVE_PKCS11
96 pk11_result_register();
97 #endif
98 dns_result_register();
99
100 isc_commandline_errprint = false;
101
102 while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) {
103 switch (ch) {
104 case 'E':
105 engine = isc_commandline_argument;
106 break;
107 case 'f':
108 force = true;
109 break;
110 case 'K':
111 /*
112 * We don't have to copy it here, but do it to
113 * simplify cleanup later
114 */
115 dir = isc_mem_strdup(mctx, isc_commandline_argument);
116 if (dir == NULL) {
117 fatal("Failed to allocate memory for "
118 "directory");
119 }
120 break;
121 case 'r':
122 removefile = true;
123 break;
124 case 'R':
125 id = true;
126 break;
127 case 'v':
128 verbose = strtol(isc_commandline_argument, &endp, 0);
129 if (*endp != '\0')
130 fatal("-v must be followed by a number");
131 break;
132 case '?':
133 if (isc_commandline_option != '?')
134 fprintf(stderr, "%s: invalid argument -%c\n",
135 program, isc_commandline_option);
136 /* FALLTHROUGH */
137 case 'h':
138 /* Does not return. */
139 usage();
140
141 case 'V':
142 /* Does not return. */
143 version(program);
144
145 default:
146 fprintf(stderr, "%s: unhandled option -%c\n",
147 program, isc_commandline_option);
148 exit(1);
149 }
150 }
151
152 if (argc < isc_commandline_index + 1 ||
153 argv[isc_commandline_index] == NULL)
154 fatal("The key file name was not specified");
155 if (argc > isc_commandline_index + 1)
156 fatal("Extraneous arguments");
157
158 if (dir != NULL) {
159 filename = argv[isc_commandline_index];
160 } else {
161 result = isc_file_splitpath(mctx, argv[isc_commandline_index],
162 &dir, &filename);
163 if (result != ISC_R_SUCCESS)
164 fatal("cannot process filename %s: %s",
165 argv[isc_commandline_index],
166 isc_result_totext(result));
167 if (strcmp(dir, ".") == 0) {
168 isc_mem_free(mctx, dir);
169 dir = NULL;
170 }
171 }
172
173 result = dst_lib_init(mctx, engine);
174 if (result != ISC_R_SUCCESS)
175 fatal("Could not initialize dst: %s",
176 isc_result_totext(result));
177
178 result = dst_key_fromnamedfile(filename, dir,
179 DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
180 mctx, &key);
181 if (result != ISC_R_SUCCESS)
182 fatal("Invalid keyfile name %s: %s",
183 filename, isc_result_totext(result));
184
185 if (id) {
186 fprintf(stdout, "%u\n", dst_key_rid(key));
187 goto cleanup;
188 }
189 dst_key_format(key, keystr, sizeof(keystr));
190
191 if (verbose > 2)
192 fprintf(stderr, "%s: %s\n", program, keystr);
193
194 if (force)
195 set_keyversion(key);
196 else
197 check_keyversion(key, keystr);
198
199
200 flags = dst_key_flags(key);
201 if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
202 isc_stdtime_t now;
203
204 if ((flags & DNS_KEYFLAG_KSK) == 0)
205 fprintf(stderr, "%s: warning: Key is not flagged "
206 "as a KSK. Revoking a ZSK is "
207 "legal, but undefined.\n",
208 program);
209
210 isc_stdtime_get(&now);
211 dst_key_settime(key, DST_TIME_REVOKE, now);
212
213 dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
214
215 isc_buffer_init(&buf, newname, sizeof(newname));
216 dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
217
218 if (access(newname, F_OK) == 0 && !force) {
219 fatal("Key file %s already exists; "
220 "use -f to force overwrite", newname);
221 }
222
223 result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
224 dir);
225 if (result != ISC_R_SUCCESS) {
226 dst_key_format(key, keystr, sizeof(keystr));
227 fatal("Failed to write key %s: %s", keystr,
228 isc_result_totext(result));
229 }
230
231 isc_buffer_clear(&buf);
232 dst_key_buildfilename(key, 0, dir, &buf);
233 printf("%s\n", newname);
234
235 /*
236 * Remove old key file, if told to (and if
237 * it isn't the same as the new file)
238 */
239 if (removefile) {
240 isc_buffer_init(&buf, oldname, sizeof(oldname));
241 dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
242 dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
243 if (strcmp(oldname, newname) == 0)
244 goto cleanup;
245 (void)unlink(oldname);
246 isc_buffer_clear(&buf);
247 dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
248 (void)unlink(oldname);
249 }
250 } else {
251 dst_key_format(key, keystr, sizeof(keystr));
252 fatal("Key %s is already revoked", keystr);
253 }
254
255 cleanup:
256 dst_key_free(&key);
257 dst_lib_destroy();
258 if (verbose > 10)
259 isc_mem_stats(mctx, stdout);
260 if (dir != NULL)
261 isc_mem_free(mctx, dir);
262 isc_mem_destroy(&mctx);
263
264 return (0);
265 }