1 /*
2 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
7 *
8 * See the COPYRIGHT file distributed with this work for additional
9 * information regarding copyright ownership.
10 */
11
12 /*! \file */
13
14 #include <config.h>
15
16 #include <inttypes.h>
17 #include <stdbool.h>
18 #include <stdlib.h>
19
20 #include <isc/buffer.h>
21 #include <isc/commandline.h>
22 #include <isc/entropy.h>
23 #include <isc/hash.h>
24 #include <isc/mem.h>
25 #include <isc/platform.h>
26 #include <isc/print.h>
27 #include <isc/string.h>
28 #include <isc/util.h>
29
30 #include <dns/callbacks.h>
31 #include <dns/db.h>
32 #include <dns/dbiterator.h>
33 #include <dns/ds.h>
34 #include <dns/fixedname.h>
35 #include <dns/keyvalues.h>
36 #include <dns/log.h>
37 #include <dns/master.h>
38 #include <dns/name.h>
39 #include <dns/rdata.h>
40 #include <dns/rdataclass.h>
41 #include <dns/rdataset.h>
42 #include <dns/rdatasetiter.h>
43 #include <dns/rdatatype.h>
44 #include <dns/result.h>
45
46 #include <dst/dst.h>
47
48 #ifdef PKCS11CRYPTO
49 #include <pk11/result.h>
50 #endif
51
52 #include "dnssectool.h"
53
54 const char *program = "dnssec-dsfromkey";
55 int verbose;
56
57 static dns_rdataclass_t rdclass;
58 static dns_fixedname_t fixed;
59 static dns_name_t *name = NULL;
60 static isc_mem_t *mctx = NULL;
61 static uint32_t ttl;
62 static bool emitttl = false;
63
64 static isc_result_t
initname(char * setname)65 initname(char *setname) {
66 isc_result_t result;
67 isc_buffer_t buf;
68
69 name = dns_fixedname_initname(&fixed);
70
71 isc_buffer_init(&buf, setname, strlen(setname));
72 isc_buffer_add(&buf, strlen(setname));
73 result = dns_name_fromtext(name, &buf, dns_rootname, 0, NULL);
74 return (result);
75 }
76
77 static void
db_load_from_stream(dns_db_t * db,FILE * fp)78 db_load_from_stream(dns_db_t *db, FILE *fp) {
79 isc_result_t result;
80 dns_rdatacallbacks_t callbacks;
81
82 dns_rdatacallbacks_init(&callbacks);
83 result = dns_db_beginload(db, &callbacks);
84 if (result != ISC_R_SUCCESS)
85 fatal("dns_db_beginload failed: %s", isc_result_totext(result));
86
87 result = dns_master_loadstream(fp, name, name, rdclass, 0,
88 &callbacks, mctx);
89 if (result != ISC_R_SUCCESS)
90 fatal("can't load from input: %s", isc_result_totext(result));
91
92 result = dns_db_endload(db, &callbacks);
93 if (result != ISC_R_SUCCESS)
94 fatal("dns_db_endload failed: %s", isc_result_totext(result));
95 }
96
97 static isc_result_t
loadset(const char * filename,dns_rdataset_t * rdataset)98 loadset(const char *filename, dns_rdataset_t *rdataset) {
99 isc_result_t result;
100 dns_db_t *db = NULL;
101 dns_dbnode_t *node = NULL;
102 char setname[DNS_NAME_FORMATSIZE];
103
104 dns_name_format(name, setname, sizeof(setname));
105
106 result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
107 rdclass, 0, NULL, &db);
108 if (result != ISC_R_SUCCESS)
109 fatal("can't create database");
110
111 if (strcmp(filename, "-") == 0) {
112 db_load_from_stream(db, stdin);
113 filename = "input";
114 } else {
115 result = dns_db_load(db, filename);
116 if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
117 fatal("can't load %s: %s", filename,
118 isc_result_totext(result));
119 }
120
121 result = dns_db_findnode(db, name, false, &node);
122 if (result != ISC_R_SUCCESS)
123 fatal("can't find %s node in %s", setname, filename);
124
125 result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
126 0, 0, rdataset, NULL);
127
128 if (result == ISC_R_NOTFOUND)
129 fatal("no DNSKEY RR for %s in %s", setname, filename);
130 else if (result != ISC_R_SUCCESS)
131 fatal("dns_db_findrdataset");
132
133 if (node != NULL)
134 dns_db_detachnode(db, &node);
135 if (db != NULL)
136 dns_db_detach(&db);
137 return (result);
138 }
139
140 static isc_result_t
loadkeyset(char * dirname,dns_rdataset_t * rdataset)141 loadkeyset(char *dirname, dns_rdataset_t *rdataset) {
142 isc_result_t result;
143 char filename[PATH_MAX + 1];
144 isc_buffer_t buf;
145
146 dns_rdataset_init(rdataset);
147
148 isc_buffer_init(&buf, filename, sizeof(filename));
149 if (dirname != NULL) {
150 /* allow room for a trailing slash */
151 if (strlen(dirname) >= isc_buffer_availablelength(&buf))
152 return (ISC_R_NOSPACE);
153 isc_buffer_putstr(&buf, dirname);
154 if (dirname[strlen(dirname) - 1] != '/')
155 isc_buffer_putstr(&buf, "/");
156 }
157
158 if (isc_buffer_availablelength(&buf) < 7)
159 return (ISC_R_NOSPACE);
160 isc_buffer_putstr(&buf, "keyset-");
161
162 result = dns_name_tofilenametext(name, false, &buf);
163 check_result(result, "dns_name_tofilenametext()");
164 if (isc_buffer_availablelength(&buf) == 0)
165 return (ISC_R_NOSPACE);
166 isc_buffer_putuint8(&buf, 0);
167
168 return (loadset(filename, rdataset));
169 }
170
171 static void
loadkey(char * filename,unsigned char * key_buf,unsigned int key_buf_size,dns_rdata_t * rdata)172 loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
173 dns_rdata_t *rdata)
174 {
175 isc_result_t result;
176 dst_key_t *key = NULL;
177 isc_buffer_t keyb;
178 isc_region_t r;
179
180 dns_rdata_init(rdata);
181
182 isc_buffer_init(&keyb, key_buf, key_buf_size);
183
184 result = dst_key_fromnamedfile(filename, NULL, DST_TYPE_PUBLIC,
185 mctx, &key);
186 if (result != ISC_R_SUCCESS)
187 fatal("can't load %s.key: %s",
188 filename, isc_result_totext(result));
189
190 if (verbose > 2) {
191 char keystr[DST_KEY_FORMATSIZE];
192
193 dst_key_format(key, keystr, sizeof(keystr));
194 fprintf(stderr, "%s: %s\n", program, keystr);
195 }
196
197 result = dst_key_todns(key, &keyb);
198 if (result != ISC_R_SUCCESS)
199 fatal("can't decode key");
200
201 isc_buffer_usedregion(&keyb, &r);
202 dns_rdata_fromregion(rdata, dst_key_class(key),
203 dns_rdatatype_dnskey, &r);
204
205 rdclass = dst_key_class(key);
206
207 name = dns_fixedname_initname(&fixed);
208 result = dns_name_copy(dst_key_name(key), name, NULL);
209 if (result != ISC_R_SUCCESS)
210 fatal("can't copy name");
211
212 dst_key_free(&key);
213 }
214
215 static void
logkey(dns_rdata_t * rdata)216 logkey(dns_rdata_t *rdata)
217 {
218 isc_result_t result;
219 dst_key_t *key = NULL;
220 isc_buffer_t buf;
221 char keystr[DST_KEY_FORMATSIZE];
222
223 isc_buffer_init(&buf, rdata->data, rdata->length);
224 isc_buffer_add(&buf, rdata->length);
225 result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
226 if (result != ISC_R_SUCCESS)
227 return;
228
229 dst_key_format(key, keystr, sizeof(keystr));
230 fprintf(stderr, "%s: %s\n", program, keystr);
231
232 dst_key_free(&key);
233 }
234
235 static void
emit(dns_dsdigest_t dtype,bool showall,char * lookaside,bool cds,dns_rdata_t * rdata)236 emit(dns_dsdigest_t dtype, bool showall, char *lookaside,
237 bool cds, dns_rdata_t *rdata)
238 {
239 isc_result_t result;
240 unsigned char buf[DNS_DS_BUFFERSIZE];
241 char text_buf[DST_KEY_MAXTEXTSIZE];
242 char name_buf[DNS_NAME_MAXWIRE];
243 char class_buf[10];
244 isc_buffer_t textb, nameb, classb;
245 isc_region_t r;
246 dns_rdata_t ds;
247 dns_rdata_dnskey_t dnskey;
248
249 isc_buffer_init(&textb, text_buf, sizeof(text_buf));
250 isc_buffer_init(&nameb, name_buf, sizeof(name_buf));
251 isc_buffer_init(&classb, class_buf, sizeof(class_buf));
252
253 dns_rdata_init(&ds);
254
255 result = dns_rdata_tostruct(rdata, &dnskey, NULL);
256 if (result != ISC_R_SUCCESS)
257 fatal("can't convert DNSKEY");
258
259 if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0 && !showall)
260 return;
261
262 result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
263 if (result != ISC_R_SUCCESS)
264 fatal("can't build record");
265
266 result = dns_name_totext(name, false, &nameb);
267 if (result != ISC_R_SUCCESS)
268 fatal("can't print name");
269
270 /* Add lookaside origin, if set */
271 if (lookaside != NULL) {
272 if (isc_buffer_availablelength(&nameb) < strlen(lookaside))
273 fatal("DLV origin '%s' is too long", lookaside);
274 isc_buffer_putstr(&nameb, lookaside);
275 if (lookaside[strlen(lookaside) - 1] != '.') {
276 if (isc_buffer_availablelength(&nameb) < 1)
277 fatal("DLV origin '%s' is too long", lookaside);
278 isc_buffer_putstr(&nameb, ".");
279 }
280 }
281
282 result = dns_rdata_tofmttext(&ds, (dns_name_t *) NULL, 0, 0, 0, "",
283 &textb);
284
285 if (result != ISC_R_SUCCESS)
286 fatal("can't print rdata");
287
288 result = dns_rdataclass_totext(rdclass, &classb);
289 if (result != ISC_R_SUCCESS)
290 fatal("can't print class");
291
292 isc_buffer_usedregion(&nameb, &r);
293 printf("%.*s ", (int)r.length, r.base);
294
295 if (emitttl)
296 printf("%u ", ttl);
297
298 isc_buffer_usedregion(&classb, &r);
299 printf("%.*s", (int)r.length, r.base);
300
301 if (lookaside == NULL) {
302 if (cds)
303 printf(" CDS ");
304 else
305 printf(" DS ");
306 } else
307 printf(" DLV ");
308
309 isc_buffer_usedregion(&textb, &r);
310 printf("%.*s\n", (int)r.length, r.base);
311 }
312
313 ISC_PLATFORM_NORETURN_PRE static void
314 usage(void) ISC_PLATFORM_NORETURN_POST;
315
316 static void
usage(void)317 usage(void) {
318 fprintf(stderr, "Usage:\n");
319 fprintf(stderr, " %s [options] keyfile\n\n", program);
320 fprintf(stderr, " %s [options] -f zonefile [zonename]\n\n", program);
321 fprintf(stderr, " %s [options] -s dnsname\n\n", program);
322 fprintf(stderr, " %s [-h|-V]\n\n", program);
323 fprintf(stderr, "Version: %s\n", VERSION);
324 fprintf(stderr, "Options:\n"
325 " -1: digest algorithm SHA-1\n"
326 " -2: digest algorithm SHA-256\n"
327 " -a algorithm: digest algorithm (SHA-1, SHA-256, SHA-384 or GOST)\n"
328 " -A: include all keys in DS set, not just KSKs (-f only)\n"
329 " -c class: rdata class for DS set (default IN) (-f or -s only)\n"
330 " -C: print CDS records\n"
331 " -f zonefile: read keys from a zone file\n"
332 " -h: print help information\n"
333 " -K directory: where to find key or keyset files\n"
334 " -l zone: print DLV records in the given lookaside zone\n"
335 " -s: read keys from keyset-<dnsname> file\n"
336 " -T: TTL of output records (omitted by default)\n"
337 " -v level: verbosity\n"
338 " -V: print version information\n");
339 fprintf(stderr, "Output: DS, DLV, or CDS RRs\n");
340
341 exit (-1);
342 }
343
344 int
main(int argc,char ** argv)345 main(int argc, char **argv) {
346 char *algname = NULL, *classname = NULL;
347 char *filename = NULL, *dir = NULL, *namestr;
348 char *lookaside = NULL;
349 char *endp, *arg1;
350 int ch;
351 dns_dsdigest_t dtype = DNS_DSDIGEST_SHA1;
352 bool cds = false;
353 bool both = true;
354 bool usekeyset = false;
355 bool showall = false;
356 isc_result_t result;
357 isc_log_t *log = NULL;
358 isc_entropy_t *ectx = NULL;
359 dns_rdataset_t rdataset;
360 dns_rdata_t rdata;
361
362 dns_rdata_init(&rdata);
363
364 if (argc == 1)
365 usage();
366
367 result = isc_mem_create(0, 0, &mctx);
368 if (result != ISC_R_SUCCESS)
369 fatal("out of memory");
370
371 #ifdef PKCS11CRYPTO
372 pk11_result_register();
373 #endif
374 dns_result_register();
375
376 isc_commandline_errprint = false;
377
378 #define OPTIONS "12Aa:Cc:d:Ff:K:l:sT:v:hV"
379 while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
380 switch (ch) {
381 case '1':
382 dtype = DNS_DSDIGEST_SHA1;
383 both = false;
384 break;
385 case '2':
386 dtype = DNS_DSDIGEST_SHA256;
387 both = false;
388 break;
389 case 'A':
390 showall = true;
391 break;
392 case 'a':
393 algname = isc_commandline_argument;
394 both = false;
395 break;
396 case 'C':
397 if (lookaside != NULL)
398 fatal("lookaside and CDS are mutually"
399 " exclusive");
400 cds = true;
401 break;
402 case 'c':
403 classname = isc_commandline_argument;
404 break;
405 case 'd':
406 fprintf(stderr, "%s: the -d option is deprecated; "
407 "use -K\n", program);
408 /* fall through */
409 case 'K':
410 dir = isc_commandline_argument;
411 if (strlen(dir) == 0U)
412 fatal("directory must be non-empty string");
413 break;
414 case 'f':
415 filename = isc_commandline_argument;
416 break;
417 case 'l':
418 if (cds)
419 fatal("lookaside and CDS are mutually"
420 " exclusive");
421 lookaside = isc_commandline_argument;
422 if (strlen(lookaside) == 0U)
423 fatal("lookaside must be a non-empty string");
424 break;
425 case 's':
426 usekeyset = true;
427 break;
428 case 'T':
429 emitttl = true;
430 ttl = atol(isc_commandline_argument);
431 break;
432 case 'v':
433 verbose = strtol(isc_commandline_argument, &endp, 0);
434 if (*endp != '\0')
435 fatal("-v must be followed by a number");
436 break;
437 case 'F':
438 /* Reserved for FIPS mode */
439 /* FALLTHROUGH */
440 case '?':
441 if (isc_commandline_option != '?')
442 fprintf(stderr, "%s: invalid argument -%c\n",
443 program, isc_commandline_option);
444 /* FALLTHROUGH */
445 case 'h':
446 /* Does not return. */
447 usage();
448
449 case 'V':
450 /* Does not return. */
451 version(program);
452
453 default:
454 fprintf(stderr, "%s: unhandled option -%c\n",
455 program, isc_commandline_option);
456 exit(1);
457 }
458 }
459
460 if (algname != NULL) {
461 if (strcasecmp(algname, "SHA1") == 0 ||
462 strcasecmp(algname, "SHA-1") == 0)
463 dtype = DNS_DSDIGEST_SHA1;
464 else if (strcasecmp(algname, "SHA256") == 0 ||
465 strcasecmp(algname, "SHA-256") == 0)
466 dtype = DNS_DSDIGEST_SHA256;
467 #if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
468 else if (strcasecmp(algname, "GOST") == 0)
469 dtype = DNS_DSDIGEST_GOST;
470 #endif
471 else if (strcasecmp(algname, "SHA384") == 0 ||
472 strcasecmp(algname, "SHA-384") == 0)
473 dtype = DNS_DSDIGEST_SHA384;
474 else
475 fatal("unknown algorithm %s", algname);
476 }
477
478 rdclass = strtoclass(classname);
479
480 if (usekeyset && filename != NULL)
481 fatal("cannot use both -s and -f");
482
483 /* When not using -f, -A is implicit */
484 if (filename == NULL)
485 showall = true;
486
487 /*
488 * Use local variable arg1 so that clang can correctly analyse
489 * reachable paths rather than 'argc < isc_commandline_index + 1'.
490 */
491 arg1 = argv[isc_commandline_index];
492 if (arg1 == NULL && filename == NULL) {
493 fatal("the key file name was not specified");
494 }
495 if (arg1 != NULL && argv[isc_commandline_index + 1] != NULL) {
496 fatal("extraneous arguments");
497 }
498
499 if (ectx == NULL)
500 setup_entropy(mctx, NULL, &ectx);
501 result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
502 if (result != ISC_R_SUCCESS)
503 fatal("could not initialize hash");
504 result = dst_lib_init(mctx, ectx,
505 ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
506 if (result != ISC_R_SUCCESS)
507 fatal("could not initialize dst: %s",
508 isc_result_totext(result));
509 isc_entropy_stopcallbacksources(ectx);
510
511 setup_logging(mctx, &log);
512
513 dns_rdataset_init(&rdataset);
514
515 if (usekeyset || filename != NULL) {
516 if (arg1 == NULL) {
517 /* using file name as the zone name */
518 namestr = filename;
519 } else {
520 namestr = arg1;
521 }
522
523 result = initname(namestr);
524 if (result != ISC_R_SUCCESS) {
525 fatal("could not initialize name %s", namestr);
526 }
527
528 if (usekeyset) {
529 result = loadkeyset(dir, &rdataset);
530 } else {
531 INSIST(filename != NULL);
532 result = loadset(filename, &rdataset);
533 }
534
535 if (result != ISC_R_SUCCESS) {
536 fatal("could not load DNSKEY set: %s\n",
537 isc_result_totext(result));
538 }
539
540 for (result = dns_rdataset_first(&rdataset);
541 result == ISC_R_SUCCESS;
542 result = dns_rdataset_next(&rdataset)) {
543 dns_rdata_init(&rdata);
544 dns_rdataset_current(&rdataset, &rdata);
545
546 if (verbose > 2) {
547 logkey(&rdata);
548 }
549
550 if (both) {
551 emit(DNS_DSDIGEST_SHA1, showall, lookaside,
552 cds, &rdata);
553 emit(DNS_DSDIGEST_SHA256, showall, lookaside,
554 cds, &rdata);
555 } else {
556 emit(dtype, showall, lookaside, cds, &rdata);
557 }
558 }
559 } else {
560 unsigned char key_buf[DST_KEY_MAXSIZE];
561
562 loadkey(arg1, key_buf, DST_KEY_MAXSIZE, &rdata);
563
564 if (both) {
565 emit(DNS_DSDIGEST_SHA1, showall, lookaside, cds,
566 &rdata);
567 emit(DNS_DSDIGEST_SHA256, showall, lookaside, cds,
568 &rdata);
569 } else {
570 emit(dtype, showall, lookaside, cds, &rdata);
571 }
572 }
573
574 if (dns_rdataset_isassociated(&rdataset))
575 dns_rdataset_disassociate(&rdataset);
576 cleanup_logging(&log);
577 dst_lib_destroy();
578 isc_hash_destroy();
579 cleanup_entropy(&ectx);
580 dns_name_destroy();
581 if (verbose > 10)
582 isc_mem_stats(mctx, stdout);
583 isc_mem_destroy(&mctx);
584
585 fflush(stdout);
586 if (ferror(stdout)) {
587 fprintf(stderr, "write error\n");
588 return (1);
589 } else
590 return (0);
591 }
592