xref: /netbsd-src/external/mpl/bind/dist/bin/dnssec/dnssec-revoke.c (revision bcda20f65a8566e103791ec395f7f499ef322704) 
1 /*	$NetBSD: dnssec-revoke.c,v 1.11 2025/01/26 16:24:32 christos Exp $	*/
2 
3 /*
4  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
5  *
6  * SPDX-License-Identifier: MPL-2.0
7  *
8  * This Source Code Form is subject to the terms of the Mozilla Public
9  * License, v. 2.0. If a copy of the MPL was not distributed with this
10  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
11  *
12  * See the COPYRIGHT file distributed with this work for additional
13  * information regarding copyright ownership.
14  */
15 
16 /*! \file */
17 
18 #include <inttypes.h>
19 #include <stdbool.h>
20 #include <stdlib.h>
21 #include <unistd.h>
22 
23 #include <isc/attributes.h>
24 #include <isc/buffer.h>
25 #include <isc/commandline.h>
26 #include <isc/file.h>
27 #include <isc/hash.h>
28 #include <isc/mem.h>
29 #include <isc/result.h>
30 #include <isc/string.h>
31 #include <isc/util.h>
32 
33 #include <dns/keyvalues.h>
34 
35 #include <dst/dst.h>
36 
37 #include "dnssectool.h"
38 
39 const char *program = "dnssec-revoke";
40 
41 static isc_mem_t *mctx = NULL;
42 
43 noreturn static void
44 usage(void);
45 
46 static void
47 usage(void) {
48 	fprintf(stderr, "Usage:\n");
49 	fprintf(stderr, "    %s [options] keyfile\n\n", program);
50 	fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
51 	fprintf(stderr, "    -E engine:    specify OpenSSL engine\n");
52 	fprintf(stderr, "    -f:           force overwrite\n");
53 	fprintf(stderr, "    -h:           help\n");
54 	fprintf(stderr, "    -K directory: use directory for key files\n");
55 	fprintf(stderr, "    -r:           remove old keyfiles after "
56 			"creating revoked version\n");
57 	fprintf(stderr, "    -v level:     set level of verbosity\n");
58 	fprintf(stderr, "    -V:           print version information\n");
59 	fprintf(stderr, "Output:\n");
60 	fprintf(stderr, "     K<name>+<alg>+<new id>.key, "
61 			"K<name>+<alg>+<new id>.private\n");
62 
63 	exit(EXIT_FAILURE);
64 }
65 
66 int
67 main(int argc, char **argv) {
68 	isc_result_t result;
69 	const char *engine = NULL;
70 	char const *filename = NULL;
71 	char *dir = NULL;
72 	char newname[1024], oldname[1024];
73 	char keystr[DST_KEY_FORMATSIZE];
74 	char *endp;
75 	int ch;
76 	dst_key_t *key = NULL;
77 	uint32_t flags;
78 	isc_buffer_t buf;
79 	bool force = false;
80 	bool removefile = false;
81 	bool id = false;
82 
83 	if (argc == 1) {
84 		usage();
85 	}
86 
87 	isc_mem_create(&mctx);
88 
89 	isc_commandline_errprint = false;
90 
91 	while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) {
92 		switch (ch) {
93 		case 'E':
94 			engine = isc_commandline_argument;
95 			break;
96 		case 'f':
97 			force = true;
98 			break;
99 		case 'K':
100 			/*
101 			 * We don't have to copy it here, but do it to
102 			 * simplify cleanup later
103 			 */
104 			dir = isc_mem_strdup(mctx, isc_commandline_argument);
105 			break;
106 		case 'r':
107 			removefile = true;
108 			break;
109 		case 'R':
110 			id = true;
111 			break;
112 		case 'v':
113 			verbose = strtol(isc_commandline_argument, &endp, 0);
114 			if (*endp != '\0') {
115 				fatal("-v must be followed by a number");
116 			}
117 			break;
118 		case '?':
119 			if (isc_commandline_option != '?') {
120 				fprintf(stderr, "%s: invalid argument -%c\n",
121 					program, isc_commandline_option);
122 			}
123 			FALLTHROUGH;
124 		case 'h':
125 			/* Does not return. */
126 			usage();
127 
128 		case 'V':
129 			/* Does not return. */
130 			version(program);
131 
132 		default:
133 			fprintf(stderr, "%s: unhandled option -%c\n", program,
134 				isc_commandline_option);
135 			exit(EXIT_FAILURE);
136 		}
137 	}
138 
139 	if (argc < isc_commandline_index + 1 ||
140 	    argv[isc_commandline_index] == NULL)
141 	{
142 		fatal("The key file name was not specified");
143 	}
144 	if (argc > isc_commandline_index + 1) {
145 		fatal("Extraneous arguments");
146 	}
147 
148 	if (dir != NULL) {
149 		filename = argv[isc_commandline_index];
150 	} else {
151 		result = isc_file_splitpath(mctx, argv[isc_commandline_index],
152 					    &dir, &filename);
153 		if (result != ISC_R_SUCCESS) {
154 			fatal("cannot process filename %s: %s",
155 			      argv[isc_commandline_index],
156 			      isc_result_totext(result));
157 		}
158 		if (strcmp(dir, ".") == 0) {
159 			isc_mem_free(mctx, dir);
160 			dir = NULL;
161 		}
162 	}
163 
164 	result = dst_lib_init(mctx, engine);
165 	if (result != ISC_R_SUCCESS) {
166 		fatal("Could not initialize dst: %s",
167 		      isc_result_totext(result));
168 	}
169 
170 	result = dst_key_fromnamedfile(
171 		filename, dir, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE, mctx, &key);
172 	if (result != ISC_R_SUCCESS) {
173 		fatal("Invalid keyfile name %s: %s", filename,
174 		      isc_result_totext(result));
175 	}
176 
177 	if (id) {
178 		fprintf(stdout, "%u\n", dst_key_rid(key));
179 		goto cleanup;
180 	}
181 	dst_key_format(key, keystr, sizeof(keystr));
182 
183 	if (verbose > 2) {
184 		fprintf(stderr, "%s: %s\n", program, keystr);
185 	}
186 
187 	if (force) {
188 		set_keyversion(key);
189 	} else {
190 		check_keyversion(key, keystr);
191 	}
192 
193 	flags = dst_key_flags(key);
194 	if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
195 		isc_stdtime_t now = isc_stdtime_now();
196 
197 		if ((flags & DNS_KEYFLAG_KSK) == 0) {
198 			fprintf(stderr,
199 				"%s: warning: Key is not flagged "
200 				"as a KSK. Revoking a ZSK is "
201 				"legal, but undefined.\n",
202 				program);
203 		}
204 
205 		dst_key_settime(key, DST_TIME_REVOKE, now);
206 
207 		dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
208 
209 		isc_buffer_init(&buf, newname, sizeof(newname));
210 		dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
211 
212 		if (access(newname, F_OK) == 0 && !force) {
213 			fatal("Key file %s already exists; "
214 			      "use -f to force overwrite",
215 			      newname);
216 		}
217 
218 		result = dst_key_tofile(key, DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
219 					dir);
220 		if (result != ISC_R_SUCCESS) {
221 			dst_key_format(key, keystr, sizeof(keystr));
222 			fatal("Failed to write key %s: %s", keystr,
223 			      isc_result_totext(result));
224 		}
225 
226 		isc_buffer_clear(&buf);
227 		dst_key_buildfilename(key, 0, dir, &buf);
228 		printf("%s\n", newname);
229 
230 		/*
231 		 * Remove old key file, if told to (and if
232 		 * it isn't the same as the new file)
233 		 */
234 		if (removefile) {
235 			isc_buffer_init(&buf, oldname, sizeof(oldname));
236 			dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
237 			dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
238 			if (strcmp(oldname, newname) == 0) {
239 				goto cleanup;
240 			}
241 			(void)unlink(oldname);
242 			isc_buffer_clear(&buf);
243 			dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
244 			(void)unlink(oldname);
245 		}
246 	} else {
247 		dst_key_format(key, keystr, sizeof(keystr));
248 		fatal("Key %s is already revoked", keystr);
249 	}
250 
251 cleanup:
252 	dst_key_free(&key);
253 	dst_lib_destroy();
254 	if (verbose > 10) {
255 		isc_mem_stats(mctx, stdout);
256 	}
257 	if (dir != NULL) {
258 		isc_mem_free(mctx, dir);
259 	}
260 	isc_mem_destroy(&mctx);
261 
262 	return 0;
263 }
264