1 /* $NetBSD: dnssec-keyfromlabel.c,v 1.14 2015/07/08 17:28:55 christos Exp $ */
4 * Copyright (C) 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
11 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
12 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
16 * PERFORMANCE OF THIS SOFTWARE.
26 #include <isc/buffer.h>
27 #include <isc/commandline.h>
28 #include <isc/entropy.h>
30 #include <isc/region.h>
31 #include <isc/print.h>
32 #include <isc/string.h>
35 #include <dns/dnssec.h>
36 #include <dns/fixedname.h>
37 #include <dns/keyvalues.h>
40 #include <dns/rdataclass.h>
41 #include <dns/result.h>
42 #include <dns/secalg.h>
47 #include <pk11/result.h>
50 #include "dnssectool.h"
52 #define MAX_RSA 4096 /* should be long enough... */
54 const char *program
= "dnssec-keyfromlabel";
57 #define DEFAULT_ALGORITHM "RSASHA1"
58 #define DEFAULT_NSEC3_ALGORITHM "NSEC3RSASHA1"
60 static const char *algs
= "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
61 " NSEC3DSA | NSEC3RSASHA1 |"
62 " RSASHA256 | RSASHA512 | ECCGOST |"
63 " ECDSAP256SHA256 | ECDSAP384SHA384";
65 ISC_PLATFORM_NORETURN_PRE
static void
66 usage(void) ISC_PLATFORM_NORETURN_POST
;
70 fprintf(stderr
, "Usage:\n");
71 fprintf(stderr
, " %s -l label [options] name\n\n",
73 fprintf(stderr
, "Version: %s\n", VERSION
);
74 fprintf(stderr
, "Required options:\n");
75 fprintf(stderr
, " -l label: label of the key pair\n");
76 fprintf(stderr
, " name: owner of the key\n");
77 fprintf(stderr
, "Other options:\n");
78 fprintf(stderr
, " -a algorithm: %s\n", algs
);
79 fprintf(stderr
, " (default: RSASHA1, or "
80 "NSEC3RSASHA1 if using -3)\n");
81 fprintf(stderr
, " -3: use NSEC3-capable algorithm\n");
82 fprintf(stderr
, " -c class (default: IN)\n");
83 fprintf(stderr
, " -E <engine>:\n");
84 #if defined(PKCS11CRYPTO)
85 fprintf(stderr
, " path to PKCS#11 provider library "
86 "(default is %s)\n", PK11_LIB_LOCATION
);
87 #elif defined(USE_PKCS11)
88 fprintf(stderr
, " name of an OpenSSL engine to use "
89 "(default is \"pkcs11\")\n");
91 fprintf(stderr
, " name of an OpenSSL engine to use\n");
93 fprintf(stderr
, " -f keyflag: KSK | REVOKE\n");
94 fprintf(stderr
, " -K directory: directory in which to place "
96 fprintf(stderr
, " -k: generate a TYPE=KEY key\n");
97 fprintf(stderr
, " -L ttl: default key TTL\n");
98 fprintf(stderr
, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
99 fprintf(stderr
, " (DNSKEY generation defaults to ZONE\n");
100 fprintf(stderr
, " -p protocol: default: 3 [dnssec]\n");
101 fprintf(stderr
, " -t type: "
102 "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
103 "(default: AUTHCONF)\n");
104 fprintf(stderr
, " -y: permit keys that might collide\n");
105 fprintf(stderr
, " -v verbose level\n");
106 fprintf(stderr
, " -V: print version information\n");
107 fprintf(stderr
, "Date options:\n");
108 fprintf(stderr
, " -P date/[+-]offset: set key publication date\n");
109 fprintf(stderr
, " -A date/[+-]offset: set key activation date\n");
110 fprintf(stderr
, " -R date/[+-]offset: set key revocation date\n");
111 fprintf(stderr
, " -I date/[+-]offset: set key inactivation date\n");
112 fprintf(stderr
, " -D date/[+-]offset: set key deletion date\n");
113 fprintf(stderr
, " -G: generate key only; do not set -P or -A\n");
114 fprintf(stderr
, " -C: generate a backward-compatible key, omitting"
116 fprintf(stderr
, " -S <key>: generate a successor to an existing "
118 fprintf(stderr
, " -i <interval>: prepublication interval for "
120 "(default: 30 days)\n");
121 fprintf(stderr
, "Output:\n");
122 fprintf(stderr
, " K<name>+<alg>+<id>.key, "
123 "K<name>+<alg>+<id>.private\n");
129 main(int argc
, char **argv
) {
130 char *algname
= NULL
, *freeit
= NULL
;
131 char *nametype
= NULL
, *type
= NULL
;
132 const char *directory
= NULL
;
133 const char *predecessor
= NULL
;
134 dst_key_t
*prevkey
= NULL
;
136 const char *engine
= PKCS11_ENGINE
;
138 const char *engine
= NULL
;
140 char *classname
= NULL
;
142 dst_key_t
*key
= NULL
;
143 dns_fixedname_t fname
;
145 isc_uint16_t flags
= 0, kskflag
= 0, revflag
= 0;
147 isc_boolean_t oldstyle
= ISC_FALSE
;
148 isc_mem_t
*mctx
= NULL
;
150 int protocol
= -1, signatory
= 0;
155 isc_log_t
*log
= NULL
;
156 isc_entropy_t
*ectx
= NULL
;
157 dns_rdataclass_t rdclass
;
158 int options
= DST_TYPE_PRIVATE
| DST_TYPE_PUBLIC
;
161 isc_stdtime_t publish
= 0, activate
= 0, revoke
= 0;
162 isc_stdtime_t inactive
= 0, delete = 0;
165 isc_boolean_t setpub
= ISC_FALSE
, setact
= ISC_FALSE
;
166 isc_boolean_t setrev
= ISC_FALSE
, setinact
= ISC_FALSE
;
167 isc_boolean_t setdel
= ISC_FALSE
, setttl
= ISC_FALSE
;
168 isc_boolean_t unsetpub
= ISC_FALSE
, unsetact
= ISC_FALSE
;
169 isc_boolean_t unsetrev
= ISC_FALSE
, unsetinact
= ISC_FALSE
;
170 isc_boolean_t unsetdel
= ISC_FALSE
;
171 isc_boolean_t genonly
= ISC_FALSE
;
172 isc_boolean_t use_nsec3
= ISC_FALSE
;
173 isc_boolean_t avoid_collisions
= ISC_TRUE
;
180 RUNTIME_CHECK(isc_mem_create(0, 0, &mctx
) == ISC_R_SUCCESS
);
183 pk11_result_register();
185 dns_result_register();
187 isc_commandline_errprint
= ISC_FALSE
;
189 isc_stdtime_get(&now
);
191 #define CMDLINE_FLAGS "3A:a:Cc:D:E:Ff:GhI:i:kK:L:l:n:P:p:R:S:t:v:Vy"
192 while ((ch
= isc_commandline_parse(argc
, argv
, CMDLINE_FLAGS
)) != -1) {
195 use_nsec3
= ISC_TRUE
;
198 algname
= isc_commandline_argument
;
204 classname
= isc_commandline_argument
;
207 engine
= isc_commandline_argument
;
210 c
= (unsigned char)(isc_commandline_argument
[0]);
211 if (toupper(c
) == 'K')
212 kskflag
= DNS_KEYFLAG_KSK
;
213 else if (toupper(c
) == 'R')
214 revflag
= DNS_KEYFLAG_REVOKE
;
216 fatal("unknown flag '%s'",
217 isc_commandline_argument
);
220 directory
= isc_commandline_argument
;
221 ret
= try_dir(directory
);
222 if (ret
!= ISC_R_SUCCESS
)
223 fatal("cannot open directory %s: %s",
224 directory
, isc_result_totext(ret
));
227 options
|= DST_TYPE_KEY
;
230 ttl
= strtottl(isc_commandline_argument
);
234 label
= isc_mem_strdup(mctx
, isc_commandline_argument
);
237 nametype
= isc_commandline_argument
;
240 protocol
= strtol(isc_commandline_argument
, &endp
, 10);
241 if (*endp
!= '\0' || protocol
< 0 || protocol
> 255)
242 fatal("-p must be followed by a number "
246 type
= isc_commandline_argument
;
249 verbose
= strtol(isc_commandline_argument
, &endp
, 0);
251 fatal("-v must be followed by a number");
254 avoid_collisions
= ISC_FALSE
;
260 if (setpub
|| unsetpub
)
261 fatal("-P specified more than once");
263 publish
= strtotime(isc_commandline_argument
,
268 if (setact
|| unsetact
)
269 fatal("-A specified more than once");
271 activate
= strtotime(isc_commandline_argument
,
276 if (setrev
|| unsetrev
)
277 fatal("-R specified more than once");
279 revoke
= strtotime(isc_commandline_argument
,
284 if (setinact
|| unsetinact
)
285 fatal("-I specified more than once");
287 inactive
= strtotime(isc_commandline_argument
,
288 now
, now
, &setinact
);
289 unsetinact
= !setinact
;
292 if (setdel
|| unsetdel
)
293 fatal("-D specified more than once");
295 delete = strtotime(isc_commandline_argument
,
300 predecessor
= isc_commandline_argument
;
303 prepub
= strtottl(isc_commandline_argument
);
306 /* Reserved for FIPS mode */
309 if (isc_commandline_option
!= '?')
310 fprintf(stderr
, "%s: invalid argument -%c\n",
311 program
, isc_commandline_option
);
314 /* Does not return. */
318 /* Does not return. */
322 fprintf(stderr
, "%s: unhandled option -%c\n",
323 program
, isc_commandline_option
);
329 setup_entropy(mctx
, NULL
, &ectx
);
330 ret
= dst_lib_init2(mctx
, ectx
, engine
,
331 ISC_ENTROPY_BLOCKING
| ISC_ENTROPY_GOODONLY
);
332 if (ret
!= ISC_R_SUCCESS
)
333 fatal("could not initialize dst: %s",
334 isc_result_totext(ret
));
336 setup_logging(mctx
, &log
);
338 if (predecessor
== NULL
) {
340 fatal("the key label was not specified");
341 if (argc
< isc_commandline_index
+ 1)
342 fatal("the key name was not specified");
343 if (argc
> isc_commandline_index
+ 1)
344 fatal("extraneous arguments");
346 dns_fixedname_init(&fname
);
347 name
= dns_fixedname_name(&fname
);
348 isc_buffer_init(&buf
, argv
[isc_commandline_index
],
349 strlen(argv
[isc_commandline_index
]));
350 isc_buffer_add(&buf
, strlen(argv
[isc_commandline_index
]));
351 ret
= dns_name_fromtext(name
, &buf
, dns_rootname
, 0, NULL
);
352 if (ret
!= ISC_R_SUCCESS
)
353 fatal("invalid key name %s: %s",
354 argv
[isc_commandline_index
],
355 isc_result_totext(ret
));
357 if (strchr(label
, ':') == NULL
) {
361 len
= strlen(label
) + 8;
362 l
= isc_mem_allocate(mctx
, len
);
364 fatal("cannot allocate memory");
365 snprintf(l
, len
, "pkcs11:%s", label
);
366 isc_mem_free(mctx
, label
);
370 if (algname
== NULL
) {
372 algname
= strdup(DEFAULT_NSEC3_ALGORITHM
);
374 algname
= strdup(DEFAULT_ALGORITHM
);
376 fatal("strdup failed");
379 fprintf(stderr
, "no algorithm specified; "
380 "defaulting to %s\n", algname
);
383 if (strcasecmp(algname
, "RSA") == 0) {
384 fprintf(stderr
, "The use of RSA (RSAMD5) is not "
385 "recommended.\nIf you still wish to "
386 "use RSA (RSAMD5) please specify "
393 r
.length
= strlen(algname
);
394 ret
= dns_secalg_fromtext(&alg
, &r
);
395 if (ret
!= ISC_R_SUCCESS
)
396 fatal("unknown algorithm %s", algname
);
397 if (alg
== DST_ALG_DH
)
398 options
|= DST_TYPE_KEY
;
402 alg
!= DST_ALG_NSEC3DSA
&& alg
!= DST_ALG_NSEC3RSASHA1
&&
403 alg
!= DST_ALG_RSASHA256
&& alg
!= DST_ALG_RSASHA512
&&
404 alg
!= DST_ALG_ECCGOST
&&
405 alg
!= DST_ALG_ECDSA256
&& alg
!= DST_ALG_ECDSA384
) {
406 fatal("%s is incompatible with NSEC3; "
407 "do not use the -3 option", algname
);
410 if (type
!= NULL
&& (options
& DST_TYPE_KEY
) != 0) {
411 if (strcasecmp(type
, "NOAUTH") == 0)
412 flags
|= DNS_KEYTYPE_NOAUTH
;
413 else if (strcasecmp(type
, "NOCONF") == 0)
414 flags
|= DNS_KEYTYPE_NOCONF
;
415 else if (strcasecmp(type
, "NOAUTHCONF") == 0)
416 flags
|= (DNS_KEYTYPE_NOAUTH
|
418 else if (strcasecmp(type
, "AUTHCONF") == 0)
421 fatal("invalid type %s", type
);
424 if (!oldstyle
&& prepub
> 0) {
425 if (setpub
&& setact
&& (activate
- prepub
) < publish
)
426 fatal("Activation and publication dates "
427 "are closer together than the\n\t"
428 "prepublication interval.");
430 if (!setpub
&& !setact
) {
431 setpub
= setact
= ISC_TRUE
;
433 activate
= now
+ prepub
;
434 } else if (setpub
&& !setact
) {
436 activate
= publish
+ prepub
;
437 } else if (setact
&& !setpub
) {
439 publish
= activate
- prepub
;
442 if ((activate
- prepub
) < now
)
443 fatal("Time until activation is shorter "
444 "than the\n\tprepublication interval.");
447 char keystr
[DST_KEY_FORMATSIZE
];
452 prepub
= (30 * 86400);
455 fatal("-S and -a cannot be used together");
456 if (nametype
!= NULL
)
457 fatal("-S and -n cannot be used together");
459 fatal("-S and -t cannot be used together");
460 if (setpub
|| unsetpub
)
461 fatal("-S and -P cannot be used together");
462 if (setact
|| unsetact
)
463 fatal("-S and -A cannot be used together");
465 fatal("-S and -3 cannot be used together");
467 fatal("-S and -C cannot be used together");
469 fatal("-S and -G cannot be used together");
471 ret
= dst_key_fromnamedfile(predecessor
, directory
,
472 DST_TYPE_PUBLIC
| DST_TYPE_PRIVATE
,
474 if (ret
!= ISC_R_SUCCESS
)
475 fatal("Invalid keyfile %s: %s",
476 predecessor
, isc_result_totext(ret
));
477 if (!dst_key_isprivate(prevkey
))
478 fatal("%s is not a private key", predecessor
);
480 name
= dst_key_name(prevkey
);
481 alg
= dst_key_alg(prevkey
);
482 flags
= dst_key_flags(prevkey
);
484 dst_key_format(prevkey
, keystr
, sizeof(keystr
));
485 dst_key_getprivateformat(prevkey
, &major
, &minor
);
486 if (major
!= DST_MAJOR_VERSION
|| minor
< DST_MINOR_VERSION
)
487 fatal("Key %s has incompatible format version %d.%d\n\t"
488 "It is not possible to generate a successor key.",
489 keystr
, major
, minor
);
491 ret
= dst_key_gettime(prevkey
, DST_TIME_ACTIVATE
, &when
);
492 if (ret
!= ISC_R_SUCCESS
)
493 fatal("Key %s has no activation date.\n\t"
494 "You must use dnssec-settime -A to set one "
495 "before generating a successor.", keystr
);
497 ret
= dst_key_gettime(prevkey
, DST_TIME_INACTIVE
, &activate
);
498 if (ret
!= ISC_R_SUCCESS
)
499 fatal("Key %s has no inactivation date.\n\t"
500 "You must use dnssec-settime -I to set one "
501 "before generating a successor.", keystr
);
503 publish
= activate
- prepub
;
505 fatal("Key %s becomes inactive\n\t"
506 "sooner than the prepublication period "
507 "for the new key ends.\n\t"
508 "Either change the inactivation date with "
509 "dnssec-settime -I,\n\t"
510 "or use the -i option to set a shorter "
511 "prepublication interval.", keystr
);
513 ret
= dst_key_gettime(prevkey
, DST_TIME_DELETE
, &when
);
514 if (ret
!= ISC_R_SUCCESS
)
515 fprintf(stderr
, "%s: WARNING: Key %s has no removal "
516 "date;\n\t it will remain in the zone "
517 "indefinitely after rollover.\n\t "
518 "You can use dnssec-settime -D to "
519 "change this.\n", program
, keystr
);
521 setpub
= setact
= ISC_TRUE
;
524 if (nametype
== NULL
) {
525 if ((options
& DST_TYPE_KEY
) != 0) /* KEY */
526 fatal("no nametype specified");
527 flags
|= DNS_KEYOWNER_ZONE
; /* DNSKEY */
528 } else if (strcasecmp(nametype
, "zone") == 0)
529 flags
|= DNS_KEYOWNER_ZONE
;
530 else if ((options
& DST_TYPE_KEY
) != 0) { /* KEY */
531 if (strcasecmp(nametype
, "host") == 0 ||
532 strcasecmp(nametype
, "entity") == 0)
533 flags
|= DNS_KEYOWNER_ENTITY
;
534 else if (strcasecmp(nametype
, "user") == 0)
535 flags
|= DNS_KEYOWNER_USER
;
537 fatal("invalid KEY nametype %s", nametype
);
538 } else if (strcasecmp(nametype
, "other") != 0) /* DNSKEY */
539 fatal("invalid DNSKEY nametype %s", nametype
);
541 rdclass
= strtoclass(classname
);
543 if (directory
== NULL
)
546 if ((options
& DST_TYPE_KEY
) != 0) /* KEY */
548 else if ((flags
& DNS_KEYOWNER_ZONE
) != 0) { /* DNSKEY */
554 protocol
= DNS_KEYPROTO_DNSSEC
;
555 else if ((options
& DST_TYPE_KEY
) == 0 &&
556 protocol
!= DNS_KEYPROTO_DNSSEC
)
557 fatal("invalid DNSKEY protocol: %d", protocol
);
559 if ((flags
& DNS_KEYFLAG_TYPEMASK
) == DNS_KEYTYPE_NOKEY
) {
560 if ((flags
& DNS_KEYFLAG_SIGNATORYMASK
) != 0)
561 fatal("specified null key with signing authority");
564 if ((flags
& DNS_KEYFLAG_OWNERMASK
) == DNS_KEYOWNER_ZONE
&&
565 alg
== DNS_KEYALG_DH
)
566 fatal("a key with algorithm '%s' cannot be a zone key",
569 isc_buffer_init(&buf
, filename
, sizeof(filename
) - 1);
571 /* associate the key */
572 ret
= dst_key_fromlabel(name
, alg
, flags
, protocol
,
573 rdclass
, "pkcs11", label
, NULL
, mctx
, &key
);
574 isc_entropy_stopcallbacksources(ectx
);
576 if (ret
!= ISC_R_SUCCESS
) {
577 char namestr
[DNS_NAME_FORMATSIZE
];
578 char algstr
[DNS_SECALG_FORMATSIZE
];
579 dns_name_format(name
, namestr
, sizeof(namestr
));
580 dns_secalg_format(alg
, algstr
, sizeof(algstr
));
581 fatal("failed to get key %s/%s: %s",
582 namestr
, algstr
, isc_result_totext(ret
));
588 * Set key timing metadata (unless using -C)
590 * Publish and activation dates are set to "now" by default, but
591 * can be overridden. Creation date is always set to "now".
594 dst_key_settime(key
, DST_TIME_CREATED
, now
);
596 if (genonly
&& (setpub
|| setact
))
597 fatal("cannot use -G together with -P or -A options");
600 dst_key_settime(key
, DST_TIME_PUBLISH
, publish
);
602 dst_key_settime(key
, DST_TIME_PUBLISH
, activate
);
603 else if (!genonly
&& !unsetpub
)
604 dst_key_settime(key
, DST_TIME_PUBLISH
, now
);
607 dst_key_settime(key
, DST_TIME_ACTIVATE
, activate
);
608 else if (!genonly
&& !unsetact
)
609 dst_key_settime(key
, DST_TIME_ACTIVATE
, now
);
613 fprintf(stderr
, "%s: warning: Key is "
614 "not flagged as a KSK, but -R "
615 "was used. Revoking a ZSK is "
616 "legal, but undefined.\n",
618 dst_key_settime(key
, DST_TIME_REVOKE
, revoke
);
622 dst_key_settime(key
, DST_TIME_INACTIVE
, inactive
);
625 dst_key_settime(key
, DST_TIME_DELETE
, delete);
627 if (setpub
|| setact
|| setrev
|| setinact
||
628 setdel
|| unsetpub
|| unsetact
||
629 unsetrev
|| unsetinact
|| unsetdel
|| genonly
)
630 fatal("cannot use -C together with "
631 "-P, -A, -R, -I, -D, or -G options");
633 * Compatibility mode: Private-key-format
634 * should be set to 1.2.
636 dst_key_setprivateformat(key
, 1, 2);
639 /* Set default key TTL */
641 dst_key_setttl(key
, ttl
);
644 * Do not overwrite an existing key. Warn LOUDLY if there
645 * is a risk of ID collision due to this key or another key
648 if (key_collision(key
, name
, directory
, mctx
, &exact
)) {
649 isc_buffer_clear(&buf
);
650 ret
= dst_key_buildfilename(key
, 0, directory
, &buf
);
651 if (ret
!= ISC_R_SUCCESS
)
652 fatal("dst_key_buildfilename returned: %s\n",
653 isc_result_totext(ret
));
655 fatal("%s: %s already exists\n", program
, filename
);
657 if (avoid_collisions
)
658 fatal("%s: %s could collide with another key upon "
659 "revokation\n", program
, filename
);
661 fprintf(stderr
, "%s: WARNING: Key %s could collide with "
662 "another key upon revokation. If you plan "
663 "to revoke keys, destroy this key and "
664 "generate a different one.\n",
668 ret
= dst_key_tofile(key
, options
, directory
);
669 if (ret
!= ISC_R_SUCCESS
) {
670 char keystr
[DST_KEY_FORMATSIZE
];
671 dst_key_format(key
, keystr
, sizeof(keystr
));
672 fatal("failed to write key %s: %s\n", keystr
,
673 isc_result_totext(ret
));
676 isc_buffer_clear(&buf
);
677 ret
= dst_key_buildfilename(key
, 0, NULL
, &buf
);
678 if (ret
!= ISC_R_SUCCESS
)
679 fatal("dst_key_buildfilename returned: %s\n",
680 isc_result_totext(ret
));
681 printf("%s\n", filename
);
684 dst_key_free(&prevkey
);
686 cleanup_logging(&log
);
687 cleanup_entropy(&ectx
);
691 isc_mem_stats(mctx
, stdout
);
692 isc_mem_free(mctx
, label
);
693 isc_mem_destroy(&mctx
);