OpenDNSSEC-signer
1.3.4
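/*
 * $Id: hsm.c 5380 2011-08-09 21:00:32Z matthijs $
 *
 * Copyright (c) 2009 NLNet Labs. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
 * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
 * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

/**
 * Wrappers around the HSM library: resolve the DNSKEY that belongs to a
 * signer key and sign an RRset with it.
 *
 */

#include "shared/hsm.h"
#include "shared/log.h"

static const char* hsm_str = "hsm";


/**
 * Log and release the pending HSM library error message, if there is one.
 *
 * The string returned by hsm_get_error() is freed here, so every failure
 * path releases it in the same way.
 *
 */
static void
lhsm_log_hsm_error(hsm_ctx_t* ctx)
{
    char* error = hsm_get_error(ctx);
    if (error) {
        ods_log_error("[%s] %s", hsm_str, error);
        free(error);
    }
}


/**
 * Get the key from the HSM.
 *
 * Fills in whichever of key_id->params, key_id->hsmkey and key_id->dnskey
 * are still unset, then stores the key tag of the DNSKEY in the params.
 * Members that are already set are reused as they are.
 *
 * \param[in] ctx HSM context, passed through to the HSM library unchecked
 * \param[in] owner owner name, cloned into newly created sign parameters
 * \param[in,out] key_id key whose HSM handle and DNSKEY are resolved
 * \return ODS_STATUS_OK on success, ODS_STATUS_ASSERT_ERR when owner or
 *         key_id is missing, ODS_STATUS_ERR when the parameters, the HSM
 *         key or the DNSKEY could not be obtained
 *
 */
ods_status
lhsm_get_key(hsm_ctx_t* ctx, ldns_rdf* owner, key_type* key_id)
{
    if (!owner || !key_id) {
        ods_log_error("[%s] unable to get key: missing required elements",
            hsm_str);
        return ODS_STATUS_ASSERT_ERR;
    }
    ods_log_assert(owner);
    ods_log_assert(key_id);

    /* set parameters */
    if (!key_id->params) {
        key_id->params = hsm_sign_params_new();
        if (!key_id->params) {
            /* could not create params */
            lhsm_log_hsm_error(ctx);
            ods_log_error("[%s] unable to get key: create params for key %s "
                "failed", hsm_str, key_id->locator?key_id->locator:"(null)");
            return ODS_STATUS_ERR;
        }
        /* NOTE(review): the result of ldns_rdf_clone() is stored without
         * a NULL check - confirm how a failed clone should be handled */
        key_id->params->owner = ldns_rdf_clone(owner);
        key_id->params->algorithm = key_id->algorithm;
        key_id->params->flags = key_id->flags;
    }

    /* lookup key */
    if (!key_id->hsmkey) {
        key_id->hsmkey = hsm_find_key_by_id(ctx, key_id->locator);
    }
    if (!key_id->hsmkey) {
        /* could not find key */
        lhsm_log_hsm_error(ctx);
        ods_log_error("[%s] unable to get key: key %s not found", hsm_str,
            key_id->locator?key_id->locator:"(null)");
        return ODS_STATUS_ERR;
    }

    /* get dnskey */
    if (!key_id->dnskey) {
        key_id->dnskey = hsm_get_dnskey(ctx, key_id->hsmkey, key_id->params);
    }
    if (!key_id->dnskey) {
        lhsm_log_hsm_error(ctx);
        ods_log_error("[%s] unable to get key: hsm failed to create dnskey",
            hsm_str);
        return ODS_STATUS_ERR;
    }
    key_id->params->keytag = ldns_calc_keytag(key_id->dnskey);
    return ODS_STATUS_OK;
}


/**
 * Get RRSIG from one of the HSMs, given a RRset and a key.
 *
 * Resolves the DNSKEY through lhsm_get_key() when key_id->dnskey is unset,
 * then signs with a fresh parameter set that carries the validity window.
 * That parameter set is freed again before returning.
 *
 * \param[in] ctx HSM context, passed through to the HSM library unchecked
 * \param[in] rrset RRset to sign
 * \param[in,out] key_id key to sign with
 * \param[in] owner owner name, used when the key still has to be resolved
 * \param[in] inception start of the signature validity, must be non-zero
 * \param[in] expiration end of the signature validity, must be non-zero
 * \return the result of hsm_sign_rrset(), or NULL when a required element
 *         is missing, the key could not be resolved, the sign parameters
 *         could not be allocated, or signing failed
 *
 */
ldns_rr*
lhsm_sign(hsm_ctx_t* ctx, ldns_rr_list* rrset, key_type* key_id,
    ldns_rdf* owner, time_t inception, time_t expiration)
{
    ods_status status = ODS_STATUS_OK;
    ldns_rr* result = NULL;
    hsm_sign_params_t* params = NULL;

    if (!owner || !key_id || !rrset || !inception || !expiration) {
        ods_log_error("[%s] unable to sign: missing required elements",
            hsm_str);
        return NULL;
    }
    ods_log_assert(owner);
    ods_log_assert(key_id);
    ods_log_assert(rrset);
    ods_log_assert(inception);
    ods_log_assert(expiration);

    if (!key_id->dnskey) {
        status = lhsm_get_key(ctx, owner, key_id);
        if (status != ODS_STATUS_OK) {
            lhsm_log_hsm_error(ctx);
            ods_log_error("[%s] unable to sign: get key failed", hsm_str);
            return NULL;
        }
    }
    ods_log_assert(key_id->dnskey);
    ods_log_assert(key_id->hsmkey);
    ods_log_assert(key_id->params);

    params = hsm_sign_params_new();
    if (!params) {
        /* without this check the assignments below would write through a
         * NULL pointer; lhsm_get_key() treats the same failure as an
         * error */
        lhsm_log_hsm_error(ctx);
        ods_log_error("[%s] unable to sign: create params for key %s "
            "failed", hsm_str, key_id->locator?key_id->locator:"(null)");
        return NULL;
    }
    params->owner = ldns_rdf_clone(key_id->params->owner);
    params->algorithm = key_id->algorithm;
    params->flags = key_id->flags;
    params->inception = inception;
    params->expiration = expiration;
    params->keytag = ldns_calc_keytag(key_id->dnskey);
    /* NOTE(review): element 0 of rrset is read for this log line, so the
     * list is assumed to hold at least one RR - confirm that callers never
     * pass an empty list */
    ods_log_debug("[%s] sign RRset[%i] with key %s tag %u", hsm_str,
        ldns_rr_get_type(ldns_rr_list_rr(rrset, 0)),
        key_id->locator?key_id->locator:"(null)", params->keytag);
    result = hsm_sign_rrset(ctx, rrset, key_id->hsmkey, params);
    hsm_sign_params_free(params);

    if (!result) {
        lhsm_log_hsm_error(ctx);
    }
    return result;
}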