ldns-signzone.c
Go to the documentation of this file.
00001 /*
00002  * ldns-signzone signs a zone file
00003  * 
00004  * (c) NLnet Labs, 2005 - 2008
00005  * See the file LICENSE for the license
00006  */
00007 
00008 #include "config.h"
00009 #include <stdlib.h>
00010 #include <unistd.h>
00011 
00012 #include <errno.h>
00013 
00014 #include <time.h>
00015 
00016 #include <ldns/ldns.h>
00017 #include <ldns/keys.h>
00018 
00019 #ifdef HAVE_SSL
00020 #include <openssl/conf.h>
00021 #include <openssl/engine.h>
00022 #endif /* HAVE_SSL */
00023 
00024 #define MAX_FILENAME_LEN 250
00025 int verbosity = 1;
00026 
00027 #ifdef HAVE_SSL
00028 #include <openssl/err.h>
00029 
00030 static void
00031 usage(FILE *fp, const char *prog) {
00032         fprintf(fp, "%s [OPTIONS] zonefile key [key [key]]\n", prog);
00033         fprintf(fp, "  signs the zone with the given key(s)\n");
00034         fprintf(fp, "  -b\t\tuse layout in signed zone and print comments DNSSEC records\n");
00035         fprintf(fp, "  -d\t\tused keys are not added to the zone\n");
00036         fprintf(fp, "  -e <date>\texpiration date\n");
00037         fprintf(fp, "  -f <file>\toutput zone to file (default <name>.signed)\n");
00038         fprintf(fp, "  -i <date>\tinception date\n");
00039         fprintf(fp, "  -o <domain>\torigin for the zone\n");
00040         fprintf(fp, "  -v\t\tprint version and exit\n");
00041         fprintf(fp, "  -A\t\tsign DNSKEY with all keys instead of minimal\n");
00042         fprintf(fp, "  -E <name>\tuse <name> as the crypto engine for signing\n");
00043         fprintf(fp, "           \tThis can have a lot of extra options, see the manual page for more info\n");
00044         fprintf(fp, "  -k <id>,<int>\tuse key id with algorithm int from engine\n");
00045         fprintf(fp, "  -K <id>,<int>\tuse key id with algorithm int from engine as KSK\n");
00046         fprintf(fp, "\t\tif no key is given (but an external one is used through the engine support, it might be necessary to provide the right algorithm number.\n");
00047         fprintf(fp, "  -n\t\tuse NSEC3 instead of NSEC.\n");
00048         fprintf(fp, "\t\tIf you use NSEC3, you can specify the following extra options:\n");
00049         fprintf(fp, "\t\t-a [algorithm] hashing algorithm\n");
00050         fprintf(fp, "\t\t-t [number] number of hash iterations\n");
00051         fprintf(fp, "\t\t-s [string] salt\n");
00052         fprintf(fp, "\t\t-p set the opt-out flag on all nsec3 rrs\n");
00053         fprintf(fp, "\n");
00054         fprintf(fp, "  keys must be specified by their base name (usually K<name>+<alg>+<id>),\n");
00055         fprintf(fp, "  i.e. WITHOUT the .private extension.\n");
00056         fprintf(fp, "  If the public part of the key is not present in the zone, the DNSKEY RR\n");
00057         fprintf(fp, "  will be read from the file called <base name>.key. If that does not exist,\n");
00058         fprintf(fp, "  a default DNSKEY will be generated from the private key and added to the zone.\n");
00059         fprintf(fp, "  A date can be a timestamp (seconds since the epoch), or of\n  the form <YYYYMMdd[hhmmss]>\n");
00060 }
00061 
00062 static void check_tm(struct tm tm)
00063 {
00064         if (tm.tm_year < 70) {
00065                 fprintf(stderr, "You cannot specify dates before 1970\n");
00066                 exit(EXIT_FAILURE);
00067         }
00068         if (tm.tm_mon < 0 || tm.tm_mon > 11) {
00069                 fprintf(stderr, "The month must be in the range 1 to 12\n");
00070                 exit(EXIT_FAILURE);
00071         }
00072         if (tm.tm_mday < 1 || tm.tm_mday > 31) {
00073                 fprintf(stderr, "The day must be in the range 1 to 31\n");
00074                 exit(EXIT_FAILURE);
00075         }
00076         
00077         if (tm.tm_hour < 0 || tm.tm_hour > 23) {
00078                 fprintf(stderr, "The hour must be in the range 0-23\n");
00079                 exit(EXIT_FAILURE);
00080         }
00081 
00082         if (tm.tm_min < 0 || tm.tm_min > 59) {
00083                 fprintf(stderr, "The minute must be in the range 0-59\n");
00084                 exit(EXIT_FAILURE);
00085         }
00086 
00087         if (tm.tm_sec < 0 || tm.tm_sec > 59) {
00088                 fprintf(stderr, "The second must be in the range 0-59\n");
00089                 exit(EXIT_FAILURE);
00090         }
00091 
00092 }
00093 
00094 /*
00095  * if the ttls are different, make them equal
00096  * if one of the ttls equals LDNS_DEFAULT_TTL, that one is changed
00097  * otherwise, rr2 will get the ttl of rr1
00098  * 
00099  * prints a warning if a non-default TTL is changed
00100  */
00101 static void
00102 equalize_ttls(ldns_rr *rr1, ldns_rr *rr2, uint32_t default_ttl)
00103 {
00104         uint32_t ttl1, ttl2;
00105         
00106         ttl1 = ldns_rr_ttl(rr1);
00107         ttl2 = ldns_rr_ttl(rr2);
00108         
00109         if (ttl1 != ttl2) {
00110                 if (ttl1 == default_ttl) {
00111                         ldns_rr_set_ttl(rr1, ttl2);
00112                 } else if (ttl2 == default_ttl) {
00113                         ldns_rr_set_ttl(rr2, ttl1);
00114                 } else {
00115                         ldns_rr_set_ttl(rr2, ttl1);
00116                         fprintf(stderr, 
00117                                 "warning: changing non-default TTL %u to %u\n",
00118                                 (unsigned int) ttl2, (unsigned int)  ttl1);
00119                 }
00120         }
00121 }
00122 
00123 static void
00124 equalize_ttls_rr_list(ldns_rr_list *rr_list, ldns_rr *rr, uint32_t default_ttl)
00125 {
00126         size_t i;
00127         ldns_rr *cur_rr;
00128         
00129         for (i = 0; i < ldns_rr_list_rr_count(rr_list); i++) {
00130                 cur_rr = ldns_rr_list_rr(rr_list, i);
00131                 if (ldns_rr_compare_no_rdata(cur_rr, rr) == 0) {
00132                         equalize_ttls(cur_rr, rr, default_ttl);
00133                 }
00134         }
00135 }
00136 
00137 static ldns_rr *
00138 find_key_in_zone(ldns_rr *pubkey_gen, ldns_zone *zone) {
00139         size_t key_i;
00140         ldns_rr *pubkey;
00141         
00142         for (key_i = 0;
00143                 key_i < ldns_rr_list_rr_count(ldns_zone_rrs(zone));
00144                 key_i++) {
00145                 pubkey = ldns_rr_list_rr(ldns_zone_rrs(zone), key_i);
00146                 if (ldns_rr_get_type(pubkey) == LDNS_RR_TYPE_DNSKEY &&
00147                         (ldns_calc_keytag(pubkey)
00148                                 ==
00149                                 ldns_calc_keytag(pubkey_gen) ||
00150                                          /* KSK has gen-keytag + 1 */
00151                                          ldns_calc_keytag(pubkey)
00152                                          ==
00153                                          ldns_calc_keytag(pubkey_gen) + 1) 
00154                            ) {
00155                                 if (verbosity >= 2) {
00156                                         fprintf(stderr, "Found it in the zone!\n");
00157                                 }
00158                                 return pubkey;
00159                 }
00160         }
00161         return NULL;
00162 }
00163 
00164 static ldns_rr *
00165 find_key_in_file(const char *keyfile_name_base, ldns_key* ATTR_UNUSED(key),
00166         uint32_t zone_ttl)
00167 {
00168         char *keyfile_name;
00169         FILE *keyfile;
00170         int line_nr;
00171         uint32_t default_ttl = zone_ttl;
00172 
00173         ldns_rr *pubkey = NULL;
00174         keyfile_name = LDNS_XMALLOC(char,
00175                                     strlen(keyfile_name_base) + 5);
00176         snprintf(keyfile_name,
00177                  strlen(keyfile_name_base) + 5,
00178                  "%s.key",
00179                  keyfile_name_base);
00180         if (verbosity >= 2) {
00181                 fprintf(stderr, "Trying to read %s\n", keyfile_name);
00182         }
00183         keyfile = fopen(keyfile_name, "r");
00184         line_nr = 0;
00185         if (keyfile) {
00186                 if (ldns_rr_new_frm_fp_l(&pubkey,
00187                                          keyfile,
00188                                          &default_ttl,
00189                                          NULL,
00190                                          NULL,
00191                                          &line_nr) ==
00192                     LDNS_STATUS_OK) {
00193                         if (verbosity >= 2) {
00194                                 printf("Key found in file: %s\n", keyfile_name);
00195                         }
00196                 }
00197                 fclose(keyfile);
00198         }
00199         LDNS_FREE(keyfile_name);
00200         return pubkey;
00201 }
00202 
00203 /* this function tries to find the specified keys either in the zone that
00204  * has been read, or in a <basename>.key file. If the key is not found,
00205  * a public key is generated, and it is assumed the key is a ZSK
00206  * 
00207  * if add_keys is true; the DNSKEYs are added to the zone prior to signing
00208  * if it is false, they are not added.
00209  * Even if keys are not added, the function is still needed, to check
00210  * whether keys of which we only have key data are KSKs or ZSKS
00211  */
00212 static void
00213 find_or_create_pubkey(const char *keyfile_name_base, ldns_key *key, ldns_zone *orig_zone, bool add_keys, uint32_t default_ttl) {
00214         ldns_rr *pubkey_gen, *pubkey;
00215         int key_in_zone;
00216         
00217         if (default_ttl == LDNS_DEFAULT_TTL) {
00218                 default_ttl = ldns_rr_ttl(ldns_zone_soa(orig_zone));
00219         }
00220 
00221         if (!ldns_key_pubkey_owner(key)) {
00222                 ldns_key_set_pubkey_owner(key, ldns_rdf_clone(ldns_rr_owner(ldns_zone_soa(orig_zone))));
00223         }
00224 
00225         /* find the public key in the zone, or in a
00226          * separate file
00227          * we 'generate' one anyway, 
00228          * then match that to any present in the zone,
00229          * if it matches, we drop our own. If not,
00230          * we try to see if there is a .key file present.
00231          * If not, we use our own generated one, with
00232          * some default values 
00233          *
00234          * Even if -d (do-not-add-keys) is specified, 
00235          * we still need to do this, because we need
00236          * to have any key flags that are set this way
00237          */
00238         pubkey_gen = ldns_key2rr(key);
00239         ldns_rr_set_ttl(pubkey_gen, default_ttl);
00240 
00241         if (verbosity >= 2) {
00242                 fprintf(stderr,
00243                            "Looking for key with keytag %u or %u\n",
00244                            (unsigned int) ldns_calc_keytag(pubkey_gen),
00245                            (unsigned int) ldns_calc_keytag(pubkey_gen)+1
00246                            );
00247         }
00248 
00249         pubkey = find_key_in_zone(pubkey_gen, orig_zone);
00250         key_in_zone = 1;
00251         if (!pubkey) {
00252                 key_in_zone = 0;
00253                 /* it was not in the zone, try to read a .key file */
00254                 pubkey = find_key_in_file(keyfile_name_base, key, default_ttl);
00255                 if (!pubkey && !(ldns_key_flags(key) & LDNS_KEY_SEP_KEY)) {
00256                         /* maybe it is a ksk? */
00257                         ldns_key_set_keytag(key, ldns_key_keytag(key) + 1);
00258                         pubkey = find_key_in_file(keyfile_name_base, key, default_ttl);
00259                         if (!pubkey) {
00260                                 /* ok, no file, set back to ZSK */
00261                                 ldns_key_set_keytag(key, ldns_key_keytag(key) - 1);
00262                         }
00263                 }
00264                 if(pubkey && ldns_dname_compare(ldns_rr_owner(pubkey), ldns_rr_owner(ldns_zone_soa(orig_zone))) != 0) {
00265                         fprintf(stderr, "Error %s.key has wrong name: %s\n",
00266                                 keyfile_name_base, ldns_rdf2str(ldns_rr_owner(pubkey)));
00267                         exit(EXIT_FAILURE); /* leak rdf2str, but we exit */
00268                 }
00269         }
00270         
00271         if (!pubkey) {
00272                 /* okay, no public key found,
00273                    just use our generated one */
00274                 pubkey = pubkey_gen;
00275                 if (verbosity >= 2) {
00276                         fprintf(stderr, "Not in zone, no .key file, generating ZSK DNSKEY from private key data\n");
00277                 }
00278         } else {
00279                 ldns_rr_free(pubkey_gen);
00280         }
00281         ldns_key_set_flags(key, ldns_rdf2native_int16(ldns_rr_rdf(pubkey, 0)));
00282         ldns_key_set_keytag(key, ldns_calc_keytag(pubkey));
00283         
00284         if (add_keys && !key_in_zone) {
00285                 equalize_ttls_rr_list(ldns_zone_rrs(orig_zone), pubkey, default_ttl);
00286                 ldns_zone_push_rr(orig_zone, pubkey);
00287         }
00288 }
00289 
00290 void
00291 strip_dnssec_records(ldns_zone *zone)
00292 {
00293         ldns_rr_list *new_list;
00294         ldns_rr *cur_rr;
00295         
00296         new_list = ldns_rr_list_new();
00297         
00298         while ((cur_rr = ldns_rr_list_pop_rr(ldns_zone_rrs(zone)))) {
00299                 if (ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_RRSIG ||
00300                     ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_NSEC ||
00301                     ldns_rr_get_type(cur_rr) == LDNS_RR_TYPE_NSEC3
00302                    ) {
00303                         
00304                         ldns_rr_free(cur_rr);
00305                 } else {
00306                         ldns_rr_list_push_rr(new_list, cur_rr);
00307                 }
00308         }
00309         ldns_rr_list_free(ldns_zone_rrs(zone));
00310         ldns_zone_set_rrs(zone, new_list);
00311 }
00312 
00313 int
00314 main(int argc, char *argv[])
00315 {
00316         const char *zonefile_name;
00317         FILE *zonefile = NULL;
00318         int line_nr = 0;
00319         int c;
00320         int argi;
00321         ENGINE *engine = NULL;
00322 
00323         ldns_zone *orig_zone;
00324         ldns_rr_list *orig_rrs = NULL;
00325         ldns_rr *orig_soa = NULL;
00326         ldns_dnssec_zone *signed_zone;
00327 
00328         char *keyfile_name_base;
00329         char *keyfile_name = NULL;
00330         FILE *keyfile = NULL;
00331         ldns_key *key = NULL;
00332         ldns_key_list *keys;
00333         ldns_status s;
00334         size_t i;
00335         ldns_rr_list *added_rrs;
00336 
00337         char *outputfile_name = NULL;
00338         FILE *outputfile;
00339         
00340         /* tmp vars for engine keys */
00341         char *eng_key_l;
00342         size_t eng_key_id_len;
00343         char *eng_key_id;
00344         int eng_key_algo;
00345         
00346         bool use_nsec3 = false;
00347         int signflags = 0;
00348 
00349         /* Add the given keys to the zone if they are not yet present */
00350         bool add_keys = true;
00351         uint8_t nsec3_algorithm = 1;
00352         uint8_t nsec3_flags = 0;
00353         size_t nsec3_iterations_cmd = 1;
00354         uint16_t nsec3_iterations = 1;
00355         uint8_t nsec3_salt_length = 0;
00356         uint8_t *nsec3_salt = NULL;
00357         
00358         /* we need to know the origin before reading ksk's,
00359          * so keep an array of filenames until we know it
00360          */
00361         struct tm tm;
00362         uint32_t inception;
00363         uint32_t expiration;
00364         ldns_rdf *origin = NULL;
00365         uint32_t ttl = LDNS_DEFAULT_TTL;
00366         ldns_rr_class class = LDNS_RR_CLASS_IN; 
00367         
00368         char *prog = strdup(argv[0]);
00369         ldns_status result;
00370 
00371         ldns_output_format_storage fmt_st;
00372         ldns_output_format* fmt = ldns_output_format_init(&fmt_st);
00373         
00374         inception = 0;
00375         expiration = 0;
00376         
00377         keys = ldns_key_list_new();
00378 
00379         OPENSSL_config(NULL);
00380 
00381         while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAE:K:")) != -1) {
00382                 switch (c) {
00383                 case 'a':
00384                         nsec3_algorithm = (uint8_t) atoi(optarg);
00385                         if (nsec3_algorithm != 1) {
00386                                 fprintf(stderr, "Bad NSEC3 algorithm, only RSASHA1 allowed\n");
00387                                 exit(EXIT_FAILURE);
00388                         }
00389                         break;
00390                 case 'b':
00391                         ldns_output_format_set(fmt, LDNS_COMMENT_FLAGS
00392                                                   | LDNS_COMMENT_LAYOUT      
00393                                                   | LDNS_COMMENT_NSEC3_CHAIN
00394                                                   | LDNS_COMMENT_BUBBLEBABBLE);
00395                         break;
00396                 case 'd':
00397                         add_keys = false;
00398                         break;
00399                 case 'e':
00400                         /* try to parse YYYYMMDD first,
00401                          * if that doesn't work, it
00402                          * should be a timestamp (seconds since epoch)
00403                          */
00404                         memset(&tm, 0, sizeof(tm));
00405 
00406                         if (strlen(optarg) == 8 &&
00407                             sscanf(optarg, "%4d%2d%2d", &tm.tm_year, &tm.tm_mon, &tm.tm_mday)
00408                             ) {
00409                                 tm.tm_year -= 1900;
00410                                 tm.tm_mon--;
00411                                 check_tm(tm);
00412                                 expiration = 
00413                                         (uint32_t) ldns_mktime_from_utc(&tm);
00414                         } else if (strlen(optarg) == 14 &&
00415                                          sscanf(optarg, "%4d%2d%2d%2d%2d%2d", &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec)
00416                                          ) {
00417                                 tm.tm_year -= 1900;
00418                                 tm.tm_mon--;
00419                                 check_tm(tm);
00420                                 expiration = 
00421                                         (uint32_t) ldns_mktime_from_utc(&tm);
00422                         } else {
00423                                 expiration = (uint32_t) atol(optarg);
00424                         }
00425                         break;
00426                 case 'f':
00427                         outputfile_name = LDNS_XMALLOC(char, MAX_FILENAME_LEN);
00428                         strncpy(outputfile_name, optarg, MAX_FILENAME_LEN);
00429                         break;
00430                 case 'i':
00431                         memset(&tm, 0, sizeof(tm));
00432 
00433                         if (strlen(optarg) == 8 &&
00434                             sscanf(optarg, "%4d%2d%2d", &tm.tm_year, &tm.tm_mon, &tm.tm_mday)
00435                             ) {
00436                                 tm.tm_year -= 1900;
00437                                 tm.tm_mon--;
00438                                 check_tm(tm);
00439                                 inception = 
00440                                         (uint32_t) ldns_mktime_from_utc(&tm);
00441                         } else if (strlen(optarg) == 14 &&
00442                                          sscanf(optarg, "%4d%2d%2d%2d%2d%2d", &tm.tm_year, &tm.tm_mon, &tm.tm_mday, &tm.tm_hour, &tm.tm_min, &tm.tm_sec)
00443                                          ) {
00444                                 tm.tm_year -= 1900;
00445                                 tm.tm_mon--;
00446                                 check_tm(tm);
00447                                 inception = 
00448                                         (uint32_t) ldns_mktime_from_utc(&tm);
00449                         } else {
00450                                 inception = (uint32_t) atol(optarg);
00451                         }
00452                         break;
00453                 case 'n':
00454                         use_nsec3 = true;
00455                         break;
00456                 case 'o':
00457                         if (ldns_str2rdf_dname(&origin, optarg) != LDNS_STATUS_OK) {
00458                                 fprintf(stderr, "Bad origin, not a correct domain name\n");
00459                                 usage(stderr, prog);
00460                                 exit(EXIT_FAILURE);
00461                         }
00462                         break;
00463                 case 'p':
00464                         nsec3_flags = nsec3_flags | LDNS_NSEC3_VARS_OPTOUT_MASK;
00465                         break;
00466                 case 'v':
00467                         printf("zone signer version %s (ldns version %s)\n", LDNS_VERSION, ldns_version());
00468                         exit(EXIT_SUCCESS);
00469                         break;
00470                 case 'A':
00471                         signflags |= LDNS_SIGN_DNSKEY_WITH_ZSK;
00472                         break;
00473                 case 'E':
00474                         ENGINE_load_builtin_engines();
00475                         ENGINE_load_dynamic();
00476                         ENGINE_load_cryptodev();
00477                         engine = ENGINE_by_id(optarg);
00478                         if (!engine) {
00479                                 printf("No such engine: %s\n", optarg);
00480                                 engine = ENGINE_get_first();
00481                                 printf("Available engines:\n");
00482                                 while (engine) {
00483                                         printf("%s\n", ENGINE_get_id(engine));
00484                                         engine = ENGINE_get_next(engine);
00485                                 }
00486                                 exit(EXIT_FAILURE);
00487                         } else {
00488                                 if (!ENGINE_init(engine)) {
00489                                         printf("The engine couldn't initialize\n");
00490                                         exit(EXIT_FAILURE);
00491                                 }
00492                                 ENGINE_set_default_RSA(engine);
00493                                 ENGINE_set_default_DSA(engine);
00494                                 ENGINE_set_default(engine, 0);
00495                         }
00496                         break;
00497                 case 'k':
00498                         eng_key_l = strchr(optarg, ',');
00499                         if (eng_key_l && strlen(eng_key_l) > 1) {
00500                                 if (eng_key_l > optarg) {
00501                                         eng_key_id_len = (size_t) (eng_key_l - optarg);
00502                                         eng_key_id = malloc(eng_key_id_len + 1);
00503                                         memcpy(eng_key_id, optarg, eng_key_id_len);
00504                                         eng_key_id[eng_key_id_len] = '\0';
00505                                 } else {
00506                                         /* no id given, use default from engine */
00507                                         eng_key_id = NULL;
00508                                 }
00509 
00510                                 eng_key_algo = atoi(eng_key_l + 1);
00511 
00512                                 printf("Engine key id: %s, algo %d\n", eng_key_id, eng_key_algo);
00513 
00514                                 s = ldns_key_new_frm_engine(&key, engine, eng_key_id, eng_key_algo);
00515                                 if (s == LDNS_STATUS_OK) {
00516                                         /* must be dnssec key */
00517                                         switch (ldns_key_algorithm(key)) {
00518                                         case LDNS_SIGN_RSAMD5:
00519                                         case LDNS_SIGN_RSASHA1:
00520                                         case LDNS_SIGN_RSASHA1_NSEC3:
00521                                         case LDNS_SIGN_RSASHA256:
00522                                         case LDNS_SIGN_RSASHA512:
00523                                         case LDNS_SIGN_DSA:
00524                                         case LDNS_SIGN_DSA_NSEC3:
00525                                         case LDNS_SIGN_ECC_GOST:
00526 #ifdef USE_ECDSA
00527                                         case LDNS_SIGN_ECDSAP256SHA256:
00528                                         case LDNS_SIGN_ECDSAP384SHA384:
00529 #endif
00530                                                 ldns_key_list_push_key(keys, key);
00531                                                 /*printf("Added key at %p:\n", key);*/
00532                                                 /*ldns_key_print(stdout, key);*/
00533                                                 break;
00534                                         default:
00535                                                 fprintf(stderr, "Warning, key not suitable for signing, ignoring key with algorithm %u\n", ldns_key_algorithm(key));
00536                                                 break;
00537                                         }
00538                                         if (expiration != 0) {
00539                                                 ldns_key_set_expiration(key,
00540                                                                 expiration);
00541                                         }
00542                                         if (inception != 0) {
00543                                                 ldns_key_set_inception(key,
00544                                                                 inception);
00545                                         }
00546                                 } else {
00547                                         printf("Error reading key '%s' from engine: %s\n", eng_key_id, ldns_get_errorstr_by_id(s));
00548                                         #ifdef HAVE_SSL
00549                                                         if (ERR_peek_error()) {
00550                                                                 ERR_load_crypto_strings();
00551                                                                 ERR_print_errors_fp(stderr);
00552                                                                 ERR_free_strings();
00553                                                         }
00554                                         #endif
00555                                         exit(EXIT_FAILURE);
00556                                 }
00557 
00558                                 if (eng_key_id) {
00559                                         free(eng_key_id);
00560                                 }
00561                         } else {
00562                                 printf("Error: bad engine key specification (should be: -k <id>,<algorithm>)).\n");
00563                                 exit(EXIT_FAILURE);
00564                         }
00565                         break;
00566                 case 'K':
00567                         printf("Not implemented yet\n");
00568                         exit(EXIT_FAILURE);
00569                         break;
00570                 case 's':
00571                         if (strlen(optarg) % 2 != 0) {
00572                                 fprintf(stderr, "Salt value is not valid hex data, not a multiple of 2 characters\n");
00573                                 exit(EXIT_FAILURE);
00574                         }
00575                         nsec3_salt_length = (uint8_t) strlen(optarg) / 2;
00576                         nsec3_salt = LDNS_XMALLOC(uint8_t, nsec3_salt_length);
00577                         for (c = 0; c < (int) strlen(optarg); c += 2) {
00578                                 if (isxdigit((int) optarg[c]) && isxdigit((int) optarg[c+1])) {
00579                                         nsec3_salt[c/2] = (uint8_t) ldns_hexdigit_to_int(optarg[c]) * 16 +
00580                                                 ldns_hexdigit_to_int(optarg[c+1]);
00581                                 } else {
00582                                         fprintf(stderr, "Salt value is not valid hex data.\n");
00583                                         exit(EXIT_FAILURE);
00584                                 }
00585                         }
00586 
00587                         break;
00588                 case 't':
00589                         nsec3_iterations_cmd = (size_t) atol(optarg);
00590                         if (nsec3_iterations_cmd > LDNS_NSEC3_MAX_ITERATIONS) {
00591                                 fprintf(stderr, "Iterations count can not exceed %u, quitting\n", LDNS_NSEC3_MAX_ITERATIONS);
00592                                 exit(EXIT_FAILURE);
00593                         }
00594                         nsec3_iterations = (uint16_t) nsec3_iterations_cmd;
00595                         break;
00596                 default:
00597                         usage(stderr, prog);
00598                         exit(EXIT_SUCCESS);
00599                 }
00600         }
00601         
00602         argc -= optind;
00603         argv += optind;
00604 
00605         if (argc < 1) {
00606                 printf("Error: not enough arguments\n");
00607                 usage(stdout, prog);
00608                 exit(EXIT_FAILURE);
00609         } else {
00610                 zonefile_name = argv[0];
00611         }
00612 
00613         /* read zonefile first to find origin if not specified */
00614         
00615         if (strncmp(zonefile_name, "-", 2) == 0) {
00616                 s = ldns_zone_new_frm_fp_l(&orig_zone,
00617                                            stdin,
00618                                            origin,
00619                                            ttl,
00620                                            class,
00621                                            &line_nr);
00622                         if (s != LDNS_STATUS_OK) {
00623                                 fprintf(stderr, "Zone not read, error: %s at stdin line %d\n", 
00624                                            ldns_get_errorstr_by_id(s),
00625                                            line_nr);
00626                                 exit(EXIT_FAILURE);
00627                         } else {
00628                                 orig_soa = ldns_zone_soa(orig_zone);
00629                                 if (!orig_soa) {
00630                                         fprintf(stderr,
00631                                                    "Error reading zonefile: missing SOA record\n");
00632                                         exit(EXIT_FAILURE);
00633                                 }
00634                                 orig_rrs = ldns_zone_rrs(orig_zone);
00635                                 if (!orig_rrs) {
00636                                         fprintf(stderr,
00637                                                    "Error reading zonefile: no resource records\n");
00638                                         exit(EXIT_FAILURE);
00639                                 }
00640                         }
00641         } else {
00642                 zonefile = fopen(zonefile_name, "r");
00643                 
00644                 if (!zonefile) {
00645                         fprintf(stderr,
00646                                    "Error: unable to read %s (%s)\n",
00647                                    zonefile_name,
00648                                    strerror(errno));
00649                         exit(EXIT_FAILURE);
00650                 } else {
00651                         s = ldns_zone_new_frm_fp_l(&orig_zone,
00652                                                    zonefile,
00653                                                    origin,
00654                                                    ttl,
00655                                                    class,
00656                                                    &line_nr);
00657                         if (s != LDNS_STATUS_OK) {
00658                                 fprintf(stderr, "Zone not read, error: %s at %s line %d\n", 
00659                                            ldns_get_errorstr_by_id(s), 
00660                                            zonefile_name, line_nr);
00661                                 exit(EXIT_FAILURE);
00662                         } else {
00663                                 orig_soa = ldns_zone_soa(orig_zone);
00664                                 if (!orig_soa) {
00665                                         fprintf(stderr,
00666                                                    "Error reading zonefile: missing SOA record\n");
00667                                         exit(EXIT_FAILURE);
00668                                 }
00669                                 orig_rrs = ldns_zone_rrs(orig_zone);
00670                                 if (!orig_rrs) {
00671                                         fprintf(stderr,
00672                                                    "Error reading zonefile: no resource records\n");
00673                                         exit(EXIT_FAILURE);
00674                                 }
00675                         }
00676                         fclose(zonefile);
00677                 }
00678         }
00679 
00680         /* read the ZSKs */
00681         argi = 1;
00682         while (argi < argc) {
00683                 keyfile_name_base = argv[argi];
00684                 keyfile_name = LDNS_XMALLOC(char, strlen(keyfile_name_base) + 9);
00685                 snprintf(keyfile_name,
00686                             strlen(keyfile_name_base) + 9,
00687                             "%s.private",
00688                             keyfile_name_base);
00689                 keyfile = fopen(keyfile_name, "r");
00690                 line_nr = 0;
00691                 if (!keyfile) {
00692                         fprintf(stderr,
00693                                    "Error: unable to read %s: %s\n",
00694                                    keyfile_name,
00695                                    strerror(errno));
00696                 } else {
00697                         s = ldns_key_new_frm_fp_l(&key, keyfile, &line_nr);
00698                         fclose(keyfile);
00699                         if (s == LDNS_STATUS_OK) {
00700                                 /* set times in key? they will end up
00701                                    in the rrsigs
00702                                 */
00703                                 if (expiration != 0) {
00704                                         ldns_key_set_expiration(key, expiration);
00705                                 }
00706                                 if (inception != 0) {
00707                                         ldns_key_set_inception(key, inception);
00708                                 }
00709 
00710                                 LDNS_FREE(keyfile_name);
00711                                 
00712                                 ldns_key_list_push_key(keys, key);
00713                         } else {
00714                                 fprintf(stderr, "Error reading key from %s at line %d: %s\n", argv[argi], line_nr, ldns_get_errorstr_by_id(s));
00715                         }
00716                 }
00717                 /* and, if not unset by -p, find or create the corresponding DNSKEY record */
00718                 if (key) {
00719                         find_or_create_pubkey(keyfile_name_base, key,
00720                                               orig_zone, add_keys, ttl);
00721                 }
00722                 argi++;
00723         }
00724         
00725         if (ldns_key_list_key_count(keys) < 1) {
00726                 fprintf(stderr, "Error: no keys to sign with. Aborting.\n\n");
00727                 usage(stderr, prog);
00728                 exit(EXIT_FAILURE);
00729         }
00730 
00731         signed_zone = ldns_dnssec_zone_new();
00732         if (ldns_dnssec_zone_add_rr(signed_zone, ldns_zone_soa(orig_zone)) !=
00733             LDNS_STATUS_OK) {
00734                 fprintf(stderr,
00735                   "Error adding SOA to dnssec zone, skipping record\n");
00736         }
00737         
00738         for (i = 0;
00739              i < ldns_rr_list_rr_count(ldns_zone_rrs(orig_zone));
00740              i++) {
00741                 if (ldns_dnssec_zone_add_rr(signed_zone, 
00742                          ldns_rr_list_rr(ldns_zone_rrs(orig_zone), 
00743                          i)) !=
00744                     LDNS_STATUS_OK) {
00745                         fprintf(stderr,
00746                                 "Error adding RR to dnssec zone");
00747                         fprintf(stderr, ", skipping record:\n");
00748                         ldns_rr_print(stderr, 
00749                           ldns_rr_list_rr(ldns_zone_rrs(orig_zone), i));
00750                 }
00751         }
00752 
00753         /* list to store newly created rrs, so we can free them later */
00754         added_rrs = ldns_rr_list_new();
00755 
00756         if (use_nsec3) {
00757                 result = ldns_dnssec_zone_sign_nsec3_flg_mkmap(signed_zone,
00758                         added_rrs,
00759                         keys,
00760                         ldns_dnssec_default_replace_signatures,
00761                         NULL,
00762                         nsec3_algorithm,
00763                         nsec3_flags,
00764                         nsec3_iterations,
00765                         nsec3_salt_length,
00766                         nsec3_salt,
00767                         signflags,
00768                         &fmt_st.hashmap);
00769         } else {
00770                 result = ldns_dnssec_zone_sign_flg(signed_zone,
00771                                 added_rrs,
00772                                 keys,
00773                                 ldns_dnssec_default_replace_signatures,
00774                                 NULL,
00775                                 signflags);
00776         }
00777         if (result != LDNS_STATUS_OK) {
00778                 fprintf(stderr, "Error signing zone: %s\n",
00779                            ldns_get_errorstr_by_id(result));
00780         }
00781 
00782         if (!outputfile_name) {
00783                 outputfile_name = LDNS_XMALLOC(char, MAX_FILENAME_LEN);
00784                 snprintf(outputfile_name, MAX_FILENAME_LEN, "%s.signed", zonefile_name);
00785         }
00786 
00787         if (signed_zone) {
00788                 if (strncmp(outputfile_name, "-", 2) == 0) {
00789                         ldns_dnssec_zone_print(stdout, signed_zone);
00790                 } else {
00791                         outputfile = fopen(outputfile_name, "w");
00792                         if (!outputfile) {
00793                                 fprintf(stderr, "Unable to open %s for writing: %s\n",
00794                                            outputfile_name, strerror(errno));
00795                         } else {
00796                                 ldns_dnssec_zone_print_fmt(
00797                                                 outputfile, fmt, signed_zone);
00798                                 fclose(outputfile);
00799                         }
00800                 }
00801         } else {
00802                 fprintf(stderr, "Error signing zone.\n");
00803 
00804 #ifdef HAVE_SSL
00805                 if (ERR_peek_error()) {
00806                         ERR_load_crypto_strings();
00807                         ERR_print_errors_fp(stderr);
00808                         ERR_free_strings();
00809                 }
00810 #endif
00811                 exit(EXIT_FAILURE);
00812         }
00813         
00814         ldns_key_list_free(keys);
00815         /* since the ldns_rr records are pointed to in both the ldns_zone
00816          * and the ldns_dnssec_zone, we can either deep_free the
00817          * dnssec_zone and 'shallow' free the original zone and added
00818          * records, or the other way around
00819          */
00820         ldns_dnssec_zone_free(signed_zone);
00821         ldns_zone_deep_free(orig_zone);
00822         ldns_rr_list_deep_free(added_rrs);
00823         
00824         LDNS_FREE(outputfile_name);
00825         
00826         CRYPTO_cleanup_all_ex_data();
00827 
00828         free(prog);
00829         exit(EXIT_SUCCESS);
00830 }
00831 #else
00832 int
00833 main(int argc, char **argv)
00834 {
00835         fprintf(stderr, "ldns-signzone needs OpenSSL support, which has not been compiled in\n");
00836         return 1;
00837 }
00838 #endif /* HAVE_SSL */