From: Bert Hubert Date: Sat, 1 Jan 2011 21:22:17 +0000 (+0000) Subject: bye bye directory based dnssec key repo X-Git-Tag: auth-3.0~463 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=49683fb56b44d0e35afc3b55b8f4f3037971d944;p=pdns bye bye directory based dnssec key repo git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1784 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
diff --git a/pdns/fsdnsseckeeper.cc b/pdns/fsdnsseckeeper.cc
deleted file mode 100644
index 4d1a87313..000000000
--- a/pdns/fsdnsseckeeper.cc
+++ /dev/null
@@ -1,263 +0,0 @@
-#include "dnsseckeeper.hh"
-#include "dnssecinfra.hh"
-#include "statbag.hh"
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include // for 'operator+=()'
-#include
-using namespace boost::assign;
-namespace fs = boost::filesystem;
-
-using namespace std;
-using namespace boost;
-
-bool DNSSECKeeper::haveActiveKSKFor(const std::string& zone, DNSSECPrivateKey* dpk)
-{
- keyset_t keys = getKeys(zone, true);
- // need to get an *active* one!
- if(dpk && !keys.empty()) {
- *dpk = keys.begin()->first;
- }
- return !keys.empty();
-}
-
-unsigned int DNSSECKeeper::getNextKeyIDFromDir(const std::string& dirname)
-{
- fs::path full_path = fs::system_complete( fs::path(dirname));
-
- if ( !fs::exists( full_path ) )
- unixDie("Unable to get next free key id from '"+dirname+"'");
-
- fs::directory_iterator end_iter;
- unsigned int maxID=0;
- for ( fs::directory_iterator dir_itr( full_path );
- dir_itr != end_iter;
- ++dir_itr )
- {
- if(ends_with(dir_itr->leaf(),".private")) {
- maxID = max(maxID, (unsigned int)atoi(dir_itr->leaf().c_str()));
- }
- }
- return maxID+1;
-}
-
-std::string DNSSECKeeper::getKeyFilenameById(const std::string& dirname, unsigned int id)
-{
- fs::path full_path = fs::system_complete( fs::path(dirname));
-
- if ( !fs::exists( full_path ) )
- unixDie("Unable to get filname key id from '"+dirname+"'");
-
- fs::directory_iterator end_iter;
- pair parts;
- for ( fs::directory_iterator dir_itr( full_path );
- dir_itr != end_iter;
- ++dir_itr )
- {
- if(!ends_with(dir_itr->leaf(), ".private"))
- continue;
- parts = splitField(dir_itr->leaf(), '-');
- if(atoi(parts.first.c_str()) == (signed int)id)
- return dirname+"/"+dir_itr->leaf();
- }
- throw runtime_error("Could not get filename for key id '"+lexical_cast(id)+"'");
-}
-
-
-void DNSSECKeeper::addKey(const std::string& name, bool keyOrZone, int algorithm, int bits, bool active)
-{
- if(!bits)
- bits = keyOrZone ?
2048 : 1024; - DNSSECPrivateKey dpk; - dpk.d_key.create(bits); // for testing, 1024 - - string isc = dpk.d_key.convertToISC(algorithm); - DNSKEYRecordContent drc = dpk.getDNSKEY(); - drc.d_flags = 256 + keyOrZone; // KSK - drc.d_algorithm = algorithm; // 5 = RSA, we'll add '2' later on for NSEC3 if needed - string iscName=d_dirname+"/"+name+"/keys/"; - unsigned int id = getNextKeyIDFromDir(iscName); - time_t inception=time(0); - - struct tm ts; - gmtime_r(&inception, &ts); - - iscName += (boost::format("%06d-%04d%02d%02d%02d%02d") % id - % (1900+ts.tm_year) % (ts.tm_mon + 1) - % ts.tm_mday % ts.tm_hour % ts.tm_min).str(); - - iscName += keyOrZone ? ".ksk" : ".zsk"; - iscName += active ? ".active" : ".passive"; - - { - ofstream iscFile((iscName+".private").c_str()); - iscFile << isc; - } -#if 0 - { - ofstream dnskeyFile((iscName+".key").c_str()); - dnskeyFile << toCanonic("", name) << " IN DNSKEY " << drc.getZoneRepresentation()<(DNSRecordContent::mastermake(QType::NSEC3PARAM, 1, descr)); - if(!tmp) { - cerr<<"Could not parse "<< full_path.external_directory_string() <leaf() <<"'"<leaf(),".private")) { - DNSSECPrivateKey dpk; - getRSAKeyFromISC(&dpk.d_key.getContext(), dir_itr->path().file_string().c_str()); - - if(getNSEC3PARAM(zone)) { - dpk.d_algorithm = 7; - } - else { - dpk.d_algorithm = 5; - } - struct tm ts1, ts2; - - memset(&ts1, 0, sizeof(ts1)); - memset(&ts2, 0, sizeof(ts2)); - - unsigned int id; - sscanf(dir_itr->leaf().c_str(), "%06u-%04d%02d%02d%02d%02d", - &id, - &ts1.tm_year, - &ts1.tm_mon, &ts1.tm_mday, &ts1.tm_hour, &ts1.tm_min); - - ts1.tm_year -= 1900; - ts1.tm_mon--; - - KeyMetaData kmd; - - kmd.id = id; - kmd.fname = dir_itr->leaf(); - kmd.active = kmd.fname.find(".active") != string::npos; - kmd.keyOrZone = kmd.fname.find(".ksk") != string::npos; - - dpk.d_flags = 256 + kmd.keyOrZone; // this is a clear sign we've got our abstractions wrong! 
FIXME XXX
-
- if(boost::indeterminate(allOrKeyOrZone) || allOrKeyOrZone == kmd.keyOrZone)
- keyset.push_back(make_pair(dpk, kmd));
- }
- sort(keyset.begin(), keyset.end(), keyCompareByKindAndID);
- }
-
- return keyset;
-}
-
-
-
-void DNSSECKeeper::secureZone(const std::string& name, int algorithm)
-{
- mkdir((d_dirname+"/"+name).c_str(), 0700);
- if(mkdir((d_dirname+"/"+name+"/keys").c_str(), 0700) < 0)
- unixDie("Making directory for keys in '"+d_dirname+"'");
-
- // now add the KSK
- addKey(name, true, algorithm);
-}
-