35 #include <ldns/ldns.h>
36 #include <ldns/util.h>
54 fprintf(stderr,
"%s (%s) version %s\n",
55 progname, PACKAGE_NAME, PACKAGE_VERSION);
62 "usage: %s [-c config] [-vVfh] [command [options]]\n",
65 fprintf(stderr,
" -h Print this usage information.\n");
66 fprintf(stderr,
" -v Increase verbosity.\n");
67 fprintf(stderr,
" -V Print version and exit.\n");
68 fprintf(stderr,
" -f Force, Assume yes on all questions.\n");
69 fprintf(stderr,
" -c <cfg> Use alternative conf.xml.\n");
71 fprintf(stderr,
"commands\n");
73 fprintf(stderr,
" login\n");
74 fprintf(stderr,
" logout\n");
75 fprintf(stderr,
" list [repository]\n");
76 fprintf(stderr,
" generate <repository> rsa|dsa|gost|ecdsa [keysize]\n");
77 fprintf(stderr,
" remove <id>\n");
78 fprintf(stderr,
" purge <repository>\n");
79 fprintf(stderr,
" dnskey <id> <name> <type> <algo>\n");
80 fprintf(stderr,
" test <repository>\n");
81 fprintf(stderr,
" info\n");
83 fprintf(stderr,
" debug\n");
90 printf(
"The tokens are now logged in.\n");
99 printf(
"Failed to erase the credentials.\n");
104 printf(
"The credentials has been erased.\n");
109 #pragma GCC diagnostic push
110 #pragma GCC diagnostic ignored "-Wformat-nonliteral"
/*
 * cmd_list: print the keys of the repository named in argv[0], or of all
 * repositories when none is given, then warn about keys that OpenDNSSEC
 * cannot use.
 *
 * NOTE: this extract shows only a subset of the function's lines. The key
 * enumeration call, the key_info lookup, the declarations of i, key,
 * key_info, key_type and invalid_keys, and the return value are not visible.
 *
 * The -Wformat-nonliteral suppression is tolerable only because the format
 * passed to fprintf/printf below is key_info_format, a constant defined in
 * this function. It must stay a compile-time constant; argv or HSM-supplied
 * strings are only ever used as %s arguments.
 */
112 cmd_list (
int argc,
char *argv[])
115 char *repository = NULL;
117 size_t key_count = 0;
118 size_t key_count_valid = 0;
/* Column layout shared by the header row, the separator row and each key. */
121 const char *key_info_format =
"%-20s %-32s %-10s\n";
/* Optional repository name from the command line. */
126 repository = argv[0];
136 fprintf(stdout,
"\nListing keys in repository: %s\n", repository);
139 fprintf(stdout,
"\nListing keys in all repositories.\n");
/* key_count is size_t; the cast to unsigned int only loses information
 * above UINT_MAX keys (%zu would avoid both the cast and the truncation). */
143 fprintf(stdout,
"%u %s found.\n\n", (
unsigned int) key_count,
144 (key_count > 1 || key_count == 0 ?
"keys" :
"key"));
151 fprintf(stdout, key_info_format,
"Repository",
"ID",
"Type");
152 fprintf(stdout, key_info_format,
"----------",
"--",
"----");
154 for (i = 0; i < key_count; i++) {
158 char const * key_id = NULL;
/* Type column: presumably "<algorithm>/<keysize>" when key info is
 * available (the remaining snprintf arguments are not in view),
 * "UNKNOWN" otherwise. */
171 snprintf(key_type,
sizeof(key_type),
"%s/%lu",
173 key_id = key_info->
id;
175 snprintf(key_type,
sizeof(key_type),
"UNKNOWN");
/* Non-literal format, but it is the constant key_info_format above; the
 * per-key strings (module name, id, type) are only %s arguments. */
179 printf(key_info_format, key->
modulename, key_id, key_type);
/* Keys present in the HSM but not usable by OpenDNSSEC are counted
 * separately (where key_count_valid is incremented is not visible here). */
185 if (key_count != key_count_valid) {
187 invalid_keys = key_count - key_count_valid;
189 fprintf(stderr,
"Warning: %u %s not usable by OpenDNSSEC was found.\n",
190 (
unsigned int) invalid_keys, invalid_keys > 1 ?
"keys" :
"key");
195 #pragma GCC diagnostic pop
/*
 * cmd_generate: create a key in repository argv[0] using algorithm argv[1]
 * (rsa|dsa|gost|ecdsa, compared case-insensitively) and the optional size
 * argv[2].
 *
 * NOTE: this extract is partial. The checks between the argc test and the
 * keysize assignment, the assignment of `algorithm`, the hsm_generate_*
 * calls, the declaration of key_info and the return value are not visible.
 */
198 cmd_generate (
int argc,
char *argv[])
200 const char *repository = NULL;
/* Default size used when argv[2] is absent. NOTE(review): 1024 is a short
 * RSA/DSA size by current guidance; confirm whether policy elsewhere
 * overrides this default. */
202 unsigned int keysize = 1024;
/* Exactly <repository> <algorithm> [keysize]. */
206 if (argc < 2 || argc > 3) {
211 repository = argv[0];
/* atoi() reports no errors: non-numeric input becomes 0 and a negative
 * value wraps when stored in the unsigned keysize. strtoul() with endptr
 * and errno checks would reject bad input here rather than downstream.
 * In this extract only the ECDSA branch validates keysize; whether the
 * RSA/DSA branches do so is not visible. */
221 keysize = atoi(argv[2]);
/* keysize is unsigned int, so %u is the matching conversion; %d works in
 * practice for the sizes involved but is a format/type mismatch. */
225 printf(
"Generating %d bit RSA key in repository: %s\n",
226 keysize, repository);
229 }
else if (!strcasecmp(
algorithm,
"dsa")) {
230 printf(
"Generating %d bit DSA key in repository: %s\n",
231 keysize, repository);
234 }
else if (!strcasecmp(
algorithm,
"gost")) {
/* GOST keys have a fixed size; keysize is ignored for this algorithm. */
235 printf(
"Generating 512 bit GOST key in repository: %s\n",
239 }
else if (!strcasecmp(
algorithm,
"ecdsa")) {
/* Only the two curves supported for DNSSEC are accepted. */
240 if (keysize == 256) {
241 printf(
"Generating a P-256 ECDSA key in repository: %s\n",
245 }
else if (keysize == 384) {
246 printf(
"Generating a P-384 ECDSA key in repository: %s\n",
251 printf(
"Invalid ECDSA key size: %d\n", keysize);
252 printf(
"Expecting 256 or 384.\n");
/* Algorithm name did not match any supported family. */
256 printf(
"Unknown algorithm: %s\n",
algorithm);
/* key_info may be NULL even on success; the id is then printed as "NULL". */
264 printf(
"Key generation successful: %s\n",
265 key_info ? key_info->
id :
"NULL");
270 printf(
"Key generation failed.\n");
/*
 * cmd_remove: delete the key whose id is given on the command line.
 *
 * NOTE: only the user-facing messages of this function are in this extract.
 * The argc check, the assignment of `id`, the key lookup (presumably
 * hsm_find_key_by_id), the hsm_remove_key call and the return value are
 * not visible.
 */
278 cmd_remove (
int argc,
char *argv[])
/* Lookup by id failed; `id` echoes the user-supplied argument. */
295 printf(
"Key not found: %s\n",
id);
302 printf(
"Key remove successful.\n");
304 printf(
"Key remove failed.\n");
/*
 * cmd_purge: remove every key in repository argv[0] after an interactive
 * confirmation read from stdin. The `force` parameter is expected to skip
 * the prompt (the line testing it is not in this extract).
 *
 * NOTE: partial extract. The key listing call, the per-key removal call,
 * the declarations of i, confirm, fresult and key_info, the handling of
 * key_count == 0, how final_result is updated and the return value are not
 * visible.
 */
313 cmd_purge (
int argc,
char *argv[],
int force)
316 int final_result = 0;
320 char *repository = NULL;
323 size_t key_count = 0;
331 repository = argv[0];
341 printf(
"Purging all keys from repository: %s\n", repository);
/* key_count is size_t; the cast to unsigned int only matters above
 * UINT_MAX keys (%zu would avoid it). */
344 printf(
"%u %s found.\n\n", (
unsigned int) key_count,
345 (key_count > 1 || key_count == 0 ?
"keys" :
"key"));
/* Nothing to purge; presumably returns early (body not in view). */
351 if (key_count == 0) {
/* Destructive operation: require an explicit answer before continuing. */
357 printf(
"Are you sure you want to remove ALL keys from repository %s ? (YES/NO) ", repository);
/* fgets() already reserves one byte for the terminator, so the -1 only
 * shortens the read by one character; harmless. */
358 fresult = fgets(confirm,
sizeof(confirm) - 1, stdin);
/* Only the first three characters are compared, case-insensitively, so any
 * line starting with "yes" confirms; EOF or read error (fresult == NULL)
 * cancels. */
359 if (fresult == NULL || strncasecmp(confirm,
"yes", 3) != 0) {
360 printf(
"\npurge cancelled.\n");
365 printf(
"\nStarting purge...\n");
367 for (i = 0; i < key_count; i++) {
/* Per-key result; key_info may be NULL, in which case "NULL" is printed. */
375 printf(
"Key remove successful: %s\n",
376 key_info ? key_info->
id :
"NULL");
378 printf(
"Key remove failed: %s\n",
379 key_info ? key_info->
id :
"NULL");
387 printf(
"Purge done.\n");
/*
 * cmd_dnskey: print the DNSKEY RR for key argv[0] under owner name argv[1]
 * with flags argv[2] and DNSSEC algorithm number argv[3]. The requested
 * algorithm must match the stored key's algorithm family and, for ECDSA and
 * EdDSA, its size; otherwise an error is printed.
 *
 * NOTE: partial extract. The argc check, the key lookup, the conditions in
 * front of each "Not a ... key" message, the hsm_get_dnskey call that
 * produces dnskey_rr, the return value and the frees of id/name are not
 * visible.
 */
393 cmd_dnskey (
int argc,
char *argv[])
/* Private copies of the arguments; whether strdup() failure is checked is
 * not visible here. */
409 id = strdup(argv[0]);
410 name = strdup(argv[1]);
/* atoi() turns unparsable input into 0: `type` is then rejected by the
 * flags check below and `algo` falls through to the switch's default. */
411 type = atoi(argv[2]);
412 algo = atoi(argv[3]);
417 printf(
"Key not found: %s\n",
id);
/* Flags must be exactly ZONE or ZONE+SEP. The '+' is only equivalent to
 * '|' because the two flag bits do not overlap; '|' would state the
 * intent. */
423 if (type != LDNS_KEY_ZONE_KEY && type != LDNS_KEY_ZONE_KEY + LDNS_KEY_SEP_KEY) {
424 printf(
"Invalid key type: %i\n", type);
425 printf(
"Please use: %i or %i\n", LDNS_KEY_ZONE_KEY, LDNS_KEY_ZONE_KEY + LDNS_KEY_SEP_KEY);
/* All RSA-based algorithm numbers share one family check on
 * key_info->algorithm_name (the condition itself is not in view). */
434 case LDNS_SIGN_RSAMD5:
435 case LDNS_SIGN_RSASHA1:
436 case LDNS_SIGN_RSASHA1_NSEC3:
437 case LDNS_SIGN_RSASHA256:
438 case LDNS_SIGN_RSASHA512:
440 printf(
"Not an RSA key, the key is of algorithm %s.\n", key_info->
algorithm_name);
449 case LDNS_SIGN_DSA_NSEC3:
451 printf(
"Not a DSA key, the key is of algorithm %s.\n", key_info->
algorithm_name);
459 case LDNS_SIGN_ECC_GOST:
461 printf(
"Not a GOST key, the key is of algorithm %s.\n", key_info->
algorithm_name);
/* ECDSA: both the family and the curve size must match the algorithm. */
469 case LDNS_SIGN_ECDSAP256SHA256:
471 printf(
"Not an ECDSA key, the key is of algorithm %s.\n", key_info->
algorithm_name);
478 if (key_info->
keysize != 256) {
479 printf(
"The key is a ECDSA/%lu, expecting ECDSA/256 for this algorithm.\n", key_info->
keysize);
487 case LDNS_SIGN_ECDSAP384SHA384:
489 printf(
"Not an ECDSA key, the key is of algorithm %s.\n", key_info->
algorithm_name);
496 if (key_info->
keysize != 384) {
497 printf(
"The key is a ECDSA/%lu, expecting ECDSA/384 for this algorithm.\n", key_info->
keysize);
/* EdDSA constants exist only in ldns 1.7.0 and later; LDNS_REVISION packs
 * the version as major<<16 | minor<<8 | patch. */
505 #if (LDNS_REVISION >= ((1<<16)|(7<<8)|(0)))
506 case LDNS_SIGN_ED25519:
508 printf(
"Not an EDDSA key, the key is of algorithm %s.\n", key_info->
algorithm_name);
/* Ed25519 keys are reported with a 255-bit size. */
515 if (key_info->
keysize != 255) {
516 printf(
"The key is EDDSA/%lu, expecting EDDSA/255 for this algorithm.\n", key_info->
keysize);
524 case LDNS_SIGN_ED448:
526 printf(
"Not an EDDSA key, the key is of algorithm %s.\n", key_info->
algorithm_name);
533 if (key_info->
keysize != 448) {
534 printf(
"The key is EDDSA/%lu, expecting EDDSA/448 for this algorithm.\n", key_info->
keysize);
/* Algorithm number matched none of the handled cases. */
544 printf(
"Invalid algorithm: %i\n", algo);
/* Signing parameters for the DNSKEY: flags, owner name and key tag. The
 * owner rdf is parsed from the user-supplied name; ldns_rdf_new_frm_str()
 * can return NULL for an unparsable name, and whether that is checked
 * before dnskey_rr is built is not visible in this extract. The key tag is
 * computed from the resulting RR (its creation is not in view). */
555 sign_params->
flags = type;
556 sign_params->
owner = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_DNAME, name);
558 sign_params->
keytag = ldns_calc_keytag(dnskey_rr);
/* Emit the RR in presentation format, then release it. */
560 ldns_rr_print(stdout, dnskey_rr);
563 ldns_rr_free(dnskey_rr);
574 char *repository = NULL;
577 repository = strdup(argv[0]);
581 printf(
"Testing repository: %s\n\n", repository);
583 if (repository) free(repository);
619 while ((ch = getopt(argc, argv,
"c:vVhf")) != -1) {
652 if (!strcasecmp(argv[0],
"logout")) {
653 if (config) free(config);
661 fprintf(stderr,
"%s\n", error);
668 openlog(
"hsmutil", LOG_PID, LOG_USER);
670 if (!strcasecmp(argv[0],
"login")) {
673 result = cmd_login();
674 }
else if (!strcasecmp(argv[0],
"list")) {
677 result = cmd_list(argc, argv);
678 }
else if (!strcasecmp(argv[0],
"generate")) {
681 result = cmd_generate(argc, argv);
682 }
else if (!strcasecmp(argv[0],
"remove")) {
685 result = cmd_remove(argc, argv);
686 }
else if (!strcasecmp(argv[0],
"purge")) {
689 result = cmd_purge(argc, argv, force);
690 }
else if (!strcasecmp(argv[0],
"dnskey")) {
693 result = cmd_dnskey(argc, argv);
694 }
else if (!strcasecmp(argv[0],
"test")) {
697 result = cmd_test(argc, argv,
ctx);
698 }
else if (!strcasecmp(argv[0],
"info")) {
701 result = cmd_info(
ctx);
702 }
else if (!strcasecmp(argv[0],
"debug")) {
705 result = cmd_debug(
ctx);
713 if (config) free(config);
int hsm_test(const char *repository, hsm_ctx_t *ctx)
int main(int argc, char *argv[])
hsm_repository_t * parse_conf_repositories(const char *cfgfile)
char * hsm_get_error(hsm_ctx_t *gctx)
void libhsm_key_list_free(libhsm_key_t **key_list, size_t count)
libhsm_key_info_t * hsm_get_key_info(hsm_ctx_t *ctx, const libhsm_key_t *key)
libhsm_key_t * hsm_generate_gost_key(hsm_ctx_t *ctx, const char *repository)
void hsm_print_error(hsm_ctx_t *gctx)
hsm_ctx_t * hsm_create_context()
int hsm_token_attached(hsm_ctx_t *ctx, const char *repository)
ldns_rr * hsm_get_dnskey(hsm_ctx_t *ctx, const libhsm_key_t *key, const hsm_sign_params_t *sign_params)
void hsm_print_key(hsm_ctx_t *ctx, libhsm_key_t *key)
void hsm_print_ctx(hsm_ctx_t *ctx)
libhsm_key_t * hsm_generate_rsa_key(hsm_ctx_t *ctx, const char *repository, unsigned long keysize)
libhsm_key_t * hsm_generate_ecdsa_key(hsm_ctx_t *ctx, const char *repository, const char *curve)
void libhsm_key_info_free(libhsm_key_info_t *key_info)
libhsm_key_t ** hsm_list_keys_repository(hsm_ctx_t *ctx, size_t *count, const char *repository)
int hsm_open2(hsm_repository_t *rlist, char *(pin_callback)(unsigned int, const char *, unsigned int))
libhsm_key_t ** hsm_list_keys(hsm_ctx_t *ctx, size_t *count)
libhsm_key_t * hsm_find_key_by_id(hsm_ctx_t *ctx, const char *id)
libhsm_key_t * hsm_generate_dsa_key(hsm_ctx_t *ctx, const char *repository, unsigned long keysize)
int hsm_remove_key(hsm_ctx_t *ctx, libhsm_key_t *key)
void hsm_print_tokeninfo(hsm_ctx_t *ctx)
void hsm_destroy_context(hsm_ctx_t *ctx)
hsm_sign_params_t * hsm_sign_params_new()
void libhsm_key_free(libhsm_key_t *key)
void hsm_sign_params_free(hsm_sign_params_t *params)
char * hsm_prompt_pin(unsigned int id, const char *repository, unsigned int mode)