[Opendnssec-commits] [svn.opendnssec.org/svn/dnssec] r6028 - branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey

rene at xpt.nl rene at xpt.nl
Thu Jan 5 11:04:52 CET 2012


Author: rene
Date: 2012-01-05 11:04:52 +0100 (Thu, 05 Jan 2012)
New Revision: 6028

Modified:
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey.proto
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_cmd.cpp
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.cpp
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_list_cmd.cpp
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_list_task.cpp
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_cmd.cpp
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_task.cpp
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_task.h
Log:
Change hsm key handling code so it now uses the database instead of serializing protocol buffers to file.

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey.proto
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey.proto	2012-01-05 10:04:50 UTC (rev 6027)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey.proto	2012-01-05 10:04:52 UTC (rev 6028)
@@ -4,10 +4,13 @@
 package ods.hsmkey;
 
 import "xmlext.proto";
+import "orm.proto";
 
-message HsmKeyDocument {
-    repeated HsmKey keys = 1;
-}
+// hsm key info from libhsm is used to initialize some of the values
+//  in a HsmKey object.
+// locator is hsm key info 'id'
+// bits is hsm key info 'keysize'ss
+// key_type is hsm key info 'algorithm_name'
 
 message HsmKey {
     required string locator = 1;
@@ -18,8 +21,8 @@
     optional keyrole role = 6 [default = ZSK]; // from kasp
     repeated string used_by_zones = 7; // maintainted by enforcer
     optional uint32 inception = 8; // 'now' assigned on first use of key in any zone
-    optional bool revoke = 9 [default = false];
-    optional string key_type = 10; // matches numeric value from PKCS#11 spec e.g. CKK_RSA
+    optional bool revoke = 9 [default = false, (orm.column).name = "isrevoked"];
+    optional string key_type = 10; // key type name derived from name in PKCS#11 spec e.g. CKK_RSA becomes "RSA"
     optional string repository = 11; // repository in which the key was found e.g. SoftHSM
 } 
 

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_cmd.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_cmd.cpp	2012-01-05 10:04:50 UTC (rev 6027)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_cmd.cpp	2012-01-05 10:04:52 UTC (rev 6028)
@@ -17,20 +17,15 @@
  */
 void help_hsmkey_gen_cmd(int sockfd)
 {
-    char buf[ODS_SE_MAXLINE];
-    (void) snprintf(buf, ODS_SE_MAXLINE,
+    ods_printf(sockfd,
         "hsm key gen     pre-generate a collection of cryptographic keys\n"
         "                before they are actually needed by the enforcer\n"
         );
-    ods_writen(sockfd, buf, strlen(buf));
 }
 
 int handled_hsmkey_gen_cmd(int sockfd, engine_type* engine, const char *cmd,
-                              ssize_t n)
+						   ssize_t n)
 {
-    char buf[ODS_SE_MAXLINE];
-    task_type *task;
-    ods_status status;
     const char *scmd = "hsm key gen";
     
     cmd = ods_check_command(cmd,n,scmd);
@@ -39,12 +34,10 @@
 
     ods_log_debug("[%s] %s command", module_str, scmd);
 
-    /* perform task immediately */
     time_t tstart = time(NULL);
+
     perform_hsmkey_gen(sockfd,engine->config,1);
-    (void)snprintf(buf, ODS_SE_MAXLINE, "%s completed in %ld seconds.\n",
-                   scmd,time(NULL)-tstart);
-    ods_writen(sockfd, buf, strlen(buf));
     
+	ods_printf(sockfd,"%s completed in %ld seconds.\n",scmd,time(NULL)-tstart);
     return 1;
 }

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.cpp	2012-01-05 10:04:50 UTC (rev 6027)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.cpp	2012-01-05 10:04:52 UTC (rev 6028)
@@ -8,6 +8,7 @@
 
 #include "hsmkey/hsmkey.pb.h"
 #include "policy/kasp.pb.h"
+#include "keystate/keystate.pb.h"
 #include "xmlext-pb/xmlext-rd.h"
 
 
@@ -15,20 +16,21 @@
 #include <string.h>
 #include <memory>
 
-static const char *module_str = "keypregen_task";
+#include "protobuf-orm/pb-orm.h"
+#include "daemon/orm.h"
 
-bool generate_keypair(int sockfd,
-                      const char *repository,
-                      unsigned int keysize,
-                      std::string &locator)
+static const char *module_str = "hsmkey_gen_task";
+
+static bool
+generate_keypair(int sockfd,
+				 const char *repository,
+				 unsigned int keysize,
+				 std::string &locator)
 {
-    char buf[ODS_SE_MAXLINE];
     hsm_key_t *key = NULL;
     hsm_ctx_t *ctx = hsm_create_context();
     if (!ctx) {
-        ods_log_error("[%s] Could not connect to HSM", module_str);
-        (void)snprintf(buf,ODS_SE_MAXLINE, "Could not connect to HSM\n");
-        ods_writen(sockfd, buf, strlen(buf));
+		ods_log_error_and_printf(sockfd,module_str,"could not connect to HSM");
         return false;
     }
     
@@ -41,22 +43,18 @@
     
     ods_log_debug("[%s] Generating %d bit RSA key in repository: %s",
                   module_str,keysize,repository);
-    (void)snprintf(buf, ODS_SE_MAXLINE,
-                   "generating %d bit RSA key in repository: %s\n",
-                   keysize,repository);
-    ods_writen(sockfd, buf, strlen(buf));
-    
+    ods_printf(sockfd,"generating %d bit RSA key in repository: %s\n",
+			   keysize, repository);
+
     key = hsm_generate_rsa_key(ctx, repository, keysize);
     if (key) {
         hsm_key_info_t *key_info;
         key_info = hsm_get_key_info(ctx, key);
         locator.assign(key_info ? key_info->id : "NULL");
+
         ods_log_debug("[%s] Key generation successful: %s",
-                      module_str,locator.c_str());
-        (void)snprintf(buf, ODS_SE_MAXLINE,
-                       "key generation successful: %s\n",
-                       locator.c_str());
-        ods_writen(sockfd, buf, strlen(buf));
+					  module_str,locator.c_str());
+        ods_printf(sockfd,"key generation successful: %s\n",locator.c_str());
         
         hsm_key_info_free(key_info);
 #if 0
@@ -64,9 +62,7 @@
 #endif
         hsm_key_free(key);
     } else {
-        ods_log_error("[%s] Key generation failed.", module_str);
-        (void)snprintf(buf, ODS_SE_MAXLINE, "key generation failed.\n");
-        ods_writen(sockfd, buf, strlen(buf));
+        ods_log_error_and_printf(sockfd, module_str, "key generation failed");
         hsm_destroy_context(ctx);
         return false;
     }
@@ -74,247 +70,364 @@
     return true;
 }
 
-bool generate_keypairs(int sockfd, ::ods::hsmkey::HsmKeyDocument *hsmkeyDoc,
-                       int ngen, int nbits, const char *repository,
-                       const char *policy_name,
-                       ::google::protobuf::uint32 algorithm,
-                       ::ods::hsmkey::keyrole role)
+static bool
+generate_keypairs(int sockfd,
+				  OrmConn conn,
+				  int ngen,
+				  int nbits,
+				  const char *repository,
+				  const char *policy_name,
+				  ::google::protobuf::uint32 algorithm,
+				  ::ods::hsmkey::keyrole role)
 {
-    bool bkeysgenerated = false;
+	// nothing todo !
+	if (ngen<=0) {
+		ods_printf(sockfd,
+				   "no %s keys of %d bits needed.\n",
+				   ::ods::hsmkey::keyrole_Name(role).c_str(),
+				   nbits);
+		return true;
+	}
+	
+    bool bkeysgenerated_and_stored = false;
     
-    char buf[ODS_SE_MAXLINE];
-    (void)snprintf(buf, ODS_SE_MAXLINE, 
-                   "generating %d keys of %d bits.\n",
-                   ngen,nbits);
-    ods_writen(sockfd, buf, strlen(buf));
+    ods_printf(sockfd,
+			   "generating %d %ss of %d bits.\n",
+			   ngen,
+			   ::ods::hsmkey::keyrole_Name(role).c_str(),
+			   nbits);
     
     // Generate additional keys until certain minimum number is 
     // available.
-    for ( ;ngen; --ngen) {
+    for ( ;ngen>0; --ngen) {
         std::string locator;
-        if (generate_keypair(sockfd,repository,nbits,locator))
-        {
-            bkeysgenerated = true;
-            ::ods::hsmkey::HsmKey* key = hsmkeyDoc->add_keys();
-            key->set_locator(locator);
-            key->set_bits(nbits);
-            key->set_repository(repository);
-            key->set_policy(policy_name);
-            key->set_algorithm(algorithm);
-            key->set_role(role);
-            key->set_key_type("RSA");
-        } else {
+        if (!generate_keypair(sockfd,repository,nbits,locator)) {
             // perhaps this HSM can't generate keys of this size.
-            ods_log_error("[%s] Error during key generation",
-                          module_str);
-            (void)snprintf(buf, ODS_SE_MAXLINE,
-                           "unable to generate a key of %d bits.\n",
-                           nbits);
-            ods_writen(sockfd, buf, strlen(buf));
+            ods_log_error_and_printf(sockfd,
+									 module_str,
+									 "unable to generate a %s of %d bits",
+									 ::ods::hsmkey::keyrole_Name(role).c_str(),
+									 nbits);
             break;
+		} else {
+			
+			// initialize the db hsm key with info from the generated hsm key.
+            ::ods::hsmkey::HsmKey key;
+            key.set_locator(locator);
+            key.set_bits(nbits);
+            key.set_repository(repository);
+            key.set_policy(policy_name);
+            key.set_algorithm(algorithm);
+            key.set_role(role);
+            key.set_key_type("RSA");
+
+			{
+				// We do insertion of the generated key into the database here
+				// after generating of the key.
+				// Key generation can take a long time so we accept the risk of 
+				// creating orphaned keys in the hsm that are not registered in
+				// the database because the transaction to insert them failed.
+				OrmTransactionRW transaction(conn);
+				const char *errmsg = NULL;
+				if (!transaction.started())
+					errmsg = "error starting transaction for storing "
+							 "generated hsm key in the database.";
+				else {
+					pb::uint64 keyid;
+					if (!OrmMessageInsert(conn, key, keyid)) 
+						errmsg = "error inserting generated hsm key into "
+								 "the database.";
+					else {
+						if (!transaction.commit())
+							errmsg = "error commiting generated hsm key to "
+									 "the database.";
+						else
+							bkeysgenerated_and_stored = true;
+					}
+				}
+				if (errmsg) {
+					ods_log_error_and_printf(sockfd, module_str, errmsg);
+					break;
+				}
+			}
         }
     }
     
-    if (ngen==0) {
-        (void)snprintf(buf, ODS_SE_MAXLINE,
-                       "finished generating %d bit keys.\n", nbits);
-        ods_writen(sockfd, buf, strlen(buf));
+    if (ngen<=0) {
+        ods_printf(sockfd,
+				   "finished generating %d bit %ss.\n",
+				   nbits,
+				   ::ods::hsmkey::keyrole_Name(role).c_str());
     }
+    return bkeysgenerated_and_stored;
+}
 
-    return bkeysgenerated;
+static bool
+count_unused_hsmkeys(OrmConn conn,
+					 const std::string &policy,
+					 const std::string &repository,
+					 pb::uint32 algorithm,
+					 int bits,
+					 ::ods::hsmkey::keyrole role,
+					 int &nunusedkeys)
+{
+	nunusedkeys = 0;
+	
+	OrmTransaction transaction(conn);
+	if (!transaction.started())
+		return false;
+	
+	// Count the keys that match this 
+	OrmResultRef rows;
+	if (OrmMessageEnumWhere(conn,::ods::hsmkey::HsmKey::descriptor(),
+							rows,"inception IS NULL")) 
+	{
+		for (bool next=OrmFirst(rows); next; next=OrmNext(rows)) {
+			::ods::hsmkey::HsmKey key;
+			if (OrmGetMessage(rows, key, true)) {
+				
+				// only count keys that are not used and 
+				// thus have inception not set.
+				if (!key.has_inception()) {
+					// key is available
+					if (key.bits() == bits
+						&& key.role() == role
+						&& key.policy() == policy
+						&& key.repository() == repository
+						&& key.algorithm() == algorithm
+						)
+					{
+						// This key has all the right properties
+						++nunusedkeys;
+					}
+				}
+			}
+		}
+		rows.release();
+	}
+	
+	return true;
 }
 
+static void
+generate_ksks(int sockfd, OrmConn conn, const ::ods::kasp::Policy &policy,
+			  time_t duration)
+{
+	::ods::hsmkey::keyrole key_role = ::ods::hsmkey::KSK;
+	for (int k=0; k<policy.keys().ksk_size(); ++k) {
+		const ::ods::kasp::Ksk& key = policy.keys().ksk(k);
+		int nunusedkeys;
+		if (!count_unused_hsmkeys(conn,
+								  policy.name(),
+								  key.repository(),
+								  key.algorithm(),
+								  key.bits(),
+								  key_role,
+								  nunusedkeys))
+		{
+			ods_log_error_and_printf(sockfd,module_str,
+									 "counting KSKs failed");
+		} else {
+			int key_pregen = 1 + (duration / key.lifetime());
+			if (!generate_keypairs(sockfd,
+								   conn,
+								   key_pregen-nunusedkeys,
+								   key.bits(),
+								   key.repository().c_str(),
+								   policy.name().c_str(),
+								   key.algorithm(),
+								   key_role))
+			{
+				ods_log_error_and_printf(sockfd,module_str,
+										 "generating KSKs failed");
+			}
+		}
+	}
+}
+
+static void
+generate_zsks(int sockfd, OrmConn conn, const ::ods::kasp::Policy &policy,
+			  time_t duration)
+{
+	::ods::hsmkey::keyrole key_role = ::ods::hsmkey::ZSK;
+	for (int k=0; k<policy.keys().zsk_size(); ++k) {
+		const ::ods::kasp::Zsk& key = policy.keys().zsk(k);
+		int nunusedkeys;
+		if (!count_unused_hsmkeys(conn,
+								  policy.name(),
+								  key.repository(),
+								  key.algorithm(),
+								  key.bits(),
+								  key_role,
+								  nunusedkeys))
+		{
+			ods_log_error_and_printf(sockfd,module_str,
+									 "counting ZSKs failed");
+		} else {
+			int key_pregen = 1 + (duration / key.lifetime());
+			if (!generate_keypairs(sockfd,
+								   conn,
+								   key_pregen-nunusedkeys,
+								   key.bits(),
+								   key.repository().c_str(),
+								   policy.name().c_str(),
+								   key.algorithm(),
+								   key_role))
+			{
+				ods_log_error_and_printf(sockfd,module_str,
+										 "generating ZSKs failed");
+			}
+		}
+	}
+}
+
+static void
+generate_csks(int sockfd, OrmConn conn, const ::ods::kasp::Policy &policy,
+			  time_t duration)
+{
+	::ods::hsmkey::keyrole key_role = ::ods::hsmkey::CSK;
+	for (int k=0; k<policy.keys().csk_size(); ++k) {
+		const ::ods::kasp::Csk& key = policy.keys().csk(k);
+		int nunusedkeys;
+		if (!count_unused_hsmkeys(conn,
+								  policy.name(),
+								  key.repository(),
+								  key.algorithm(),
+								  key.bits(),
+								  key_role,
+								  nunusedkeys))
+		{
+			ods_log_error_and_printf(sockfd,module_str,
+									 "counting CSKs failed");
+		} else {
+			int key_pregen = 1 + (duration / key.lifetime());
+			if (!generate_keypairs(sockfd,
+								   conn,
+								   key_pregen-nunusedkeys,
+								   key.bits(),
+								   key.repository().c_str(),
+								   policy.name().c_str(),
+								   key.algorithm(),
+								   key_role))
+			{
+				ods_log_error_and_printf(sockfd,module_str,
+										 "generating CSKs failed");
+			}
+		}
+	}
+}
+
+bool count_zones_for_policy(int sockfd,
+							OrmConn conn,
+							const std::string &policy,
+							pb::uint64 &count)
+{
+	count = 0;
+	
+	OrmTransaction transaction(conn);
+	if (!transaction.started()) {
+		ods_log_error_and_printf(sockfd, module_str,
+								 "starting transaction failed");
+		return false;
+	}
+	
+	std::string qpolicy;
+	if (!OrmQuoteStringValue(conn, policy, qpolicy)) {
+		ods_log_error_and_printf(sockfd,module_str,
+								 "quoting a string failed");
+		return false;
+	}
+
+	const ::google::protobuf::Descriptor *zdesc =
+		::ods::keystate::EnforcerZone::descriptor();
+	if (!OrmMessageCountWhere(conn,zdesc,count,"policy=%s",qpolicy.c_str()))
+	{
+		ods_log_error_and_printf(sockfd,module_str,
+							"counting zones associated with policy %s failed",
+								 policy.c_str() );
+		return false;
+	}
+
+	return true;
+}
+
 void 
 perform_hsmkey_gen(int sockfd, engineconfig_type *config, int bManual)
 {
-    const int KSK_PREGEN = 2;
-    const int ZSK_PREGEN = 4;
-    const int CSK_PREGEN = 4;
-    
+    GOOGLE_PROTOBUF_VERIFY_VERSION;
+
     // If only manual key generation is allowed and we are not being called 
     // manually, then return.
     if (config->manual_keygen != 0 && bManual == 0) {
-        char buf[ODS_SE_MAXLINE];
         ods_log_debug("[%s] not generating keys, because ManualKeyGeneration "
                       "flag is set in conf.xml.",
                       module_str);
-        (void)snprintf(buf, ODS_SE_MAXLINE,
-                       "not generating keys, because ManualKeyGeneration "
-                       "flag is set in conf.xml.\n");
-        ods_writen(sockfd, buf, strlen(buf));
+        ods_printf(sockfd,
+				   "not generating keys, because ManualKeyGeneration flag is "
+				   "set in conf.xml.\n");
         return;
     }
     
-    const char *datastore = config->datastore;
-    
-    GOOGLE_PROTOBUF_VERIFY_VERSION;
+	OrmConnRef conn;
+	if (!ods_orm_connect(sockfd, config, conn))
+		return; // errors have already been reported.
+	
+	// load all policies into memory, we are going to be modifying the database 
+	// hsm key tables later on in multiple separate transactions. We therefore 
+	// need to finalize the transaction used to access the policies because
+	// transaction nesting may not be possible on all databases.
+	::ods::kasp::KASP kasp;
+	{	OrmTransaction transaction(conn);
+		if (!transaction.started()) {
+			ods_log_error_and_printf(sockfd, module_str,
+									 "starting transaction failed");
+			return;
+		}
+		
+		{	OrmResultRef rows;
+			if (!OrmMessageEnum(conn,::ods::kasp::Policy::descriptor(),rows)) {
+				ods_log_error_and_printf(sockfd, module_str,
+										 "enumerating policies failed");
+				return;
+			}
+			
+			for (bool next=OrmFirst(rows); next; next=OrmNext(rows)) {
+				::ods::kasp::Policy *policy = kasp.add_policies();
+				if (!policy) {
+					ods_log_error_and_printf(sockfd, module_str,
+											 "out of memory allocating policy");
+					return;
+				}
+				
+				if (!OrmGetMessage(rows, *policy, true)) {
+					ods_log_error_and_printf(sockfd, module_str,
+										"reading policy from database failed");
+					return;
+				}
+			}
+		}
+	}	
 
-    // Use auto_ptr so we don't forget to delete the KaspDocument
-    std::auto_ptr< ::ods::kasp::KaspDocument >
-        kaspDoc( new ::ods::kasp::KaspDocument );
-    {
-        std::string datapath(datastore);
-        datapath += ".policy.pb";
-        int fd = open(datapath.c_str(),O_RDONLY);
-        if (fd != -1) {
-            if (kaspDoc->ParseFromFileDescriptor(fd)) {
-                ods_log_debug("[%s] policies have been loaded",
-                              module_str);
-            } else {
-                ods_log_error("[%s] policies could not be loaded from \"%s\"",
-                              module_str,datapath.c_str());
-            }
-            close(fd);
-        }
-    }
+	// Now perform the policy driven key pre-generation.
+	time_t duration = 365 * 24 * 3600; // a normal year in seconds.
+	
+	//FIXME: get duration as a parameter on the command line.
+	
+    for (int i=0; i<kasp.policies_size(); ++i) {
 
-    // Load the current list of pre-generated keys
-    std::auto_ptr< ::ods::hsmkey::HsmKeyDocument >
-        hsmkeyDoc( new ::ods::hsmkey::HsmKeyDocument );
-    {
-        std::string datapath(datastore);
-        datapath += ".hsmkey.pb";
-        int fd = open(datapath.c_str(),O_RDONLY);
-        if (fd != -1) {
-            if (hsmkeyDoc->ParseFromFileDescriptor(fd)) {
-                ods_log_debug("[%s] HSM key info list has been loaded",
-                              module_str);
-            } else {
-                ods_log_error("[%s] HSM key info list could not be loaded "
-                              "from \"%s\"",
-                              module_str,datapath.c_str());
-            }
-            close(fd);
-        }
+		pb::uint64 count;
+		if (!count_zones_for_policy(sockfd,conn,kasp.policies(i).name(),count)) {
+			ods_log_error_and_printf(sockfd,
+									 module_str,
+									 "skipping key generation for %s policy",
+									 kasp.policies(i).name().c_str());
+			continue;
+		}
+				
+		generate_ksks(sockfd, conn, kasp.policies(i), duration);
+		generate_zsks(sockfd, conn, kasp.policies(i), duration);
+		generate_csks(sockfd, conn, kasp.policies(i), duration);
     }
-
-    bool bkeysgenerated = false;
-
-    // We implement policy driven key pre-generation.
-    int npolicies = kaspDoc->kasp().policies_size();
-    for (int i=0; i<npolicies; ++i) {
-        const ::ods::kasp::Policy &policy = kaspDoc->kasp().policies(i);
-        
-        // handle KSK keys
-        for (int iksk=0; iksk<policy.keys().ksk_size(); ++iksk) {
-            const ::ods::kasp::Ksk& ksk = policy.keys().ksk(iksk);
-            int nfreekeys = 0;
-            for (int k=0; k<hsmkeyDoc->keys_size(); ++k) {
-                const ::ods::hsmkey::HsmKey& key = hsmkeyDoc->keys(k);
-                if (!key.has_inception()) {
-                    // this key is available
-                    if (key.bits() == ksk.bits()
-                        && key.role() == ::ods::hsmkey::KSK
-                        && key.policy() == policy.name()
-                        && key.repository() == ksk.repository()
-                        )
-                    {
-                        // This key has all the right properties
-                        ++nfreekeys;
-                    }
-                }
-            }
-            int ngen = KSK_PREGEN-nfreekeys;
-            if (ngen>0) {
-                int nbits = ksk.bits();
-                
-                if (generate_keypairs(sockfd, hsmkeyDoc.get(),
-                                      ngen, nbits,
-                                      ksk.repository().c_str(),
-                                      policy.name().c_str(),
-                                      ksk.algorithm(),
-                                      ::ods::hsmkey::KSK))
-                {
-                    bkeysgenerated = true;
-                }
-            }
-        }
-
-        // handle ZSK keys
-        for (int izsk=0; izsk<policy.keys().zsk_size(); ++izsk) {
-            const ::ods::kasp::Zsk& zsk = policy.keys().zsk(izsk);
-            int nfreekeys = 0;
-            for (int k=0; k<hsmkeyDoc->keys_size(); ++k) {
-                const ::ods::hsmkey::HsmKey& key = hsmkeyDoc->keys(k);
-                if (!key.has_inception()) {
-                    // this key is available
-                    if (key.bits() == zsk.bits()
-                        && key.role() == ::ods::hsmkey::ZSK
-                        && key.policy() == policy.name()
-                        && key.repository() == zsk.repository()
-                        )
-                    {
-                        // This key has all the right properties
-                        ++nfreekeys;
-                    }
-                }
-            }
-            int ngen = ZSK_PREGEN-nfreekeys;
-            if (ngen>0) {
-                int nbits = zsk.bits();
-                
-                if (generate_keypairs(sockfd, hsmkeyDoc.get(),
-                                      ngen, nbits,
-                                      zsk.repository().c_str(),
-                                      policy.name().c_str(),
-                                      zsk.algorithm(),
-                                      ::ods::hsmkey::ZSK))
-                {
-                    bkeysgenerated = true;
-                }
-            }
-        }
-
-        // handle CSK keys
-        for (int icsk=0; icsk<policy.keys().csk_size(); ++icsk) {
-            const ::ods::kasp::Csk& csk = policy.keys().csk(icsk);
-            int nfreekeys = 0;
-            for (int k=0; k<hsmkeyDoc->keys_size(); ++k) {
-                const ::ods::hsmkey::HsmKey& key = hsmkeyDoc->keys(k);
-                if (!key.has_inception()) {
-                    // this key is available
-                    if (key.bits() == csk.bits()
-                        && key.role() == ::ods::hsmkey::CSK
-                        && key.policy() == policy.name()
-                        && key.repository() == csk.repository()
-                        )
-                    {
-                        // This key has all the right properties
-                        ++nfreekeys;
-                    }
-                }
-            }
-            int ngen = CSK_PREGEN-nfreekeys;
-            if (ngen>0) {
-                int nbits = csk.bits();
-                
-                if (generate_keypairs(sockfd, hsmkeyDoc.get(),
-                                      ngen, nbits,
-                                      csk.repository().c_str(),
-                                      policy.name().c_str(),
-                                      csk.algorithm(),
-                                      ::ods::hsmkey::CSK))
-                {
-                    bkeysgenerated = true;
-                }
-            }
-        }
-    }
-
-    // Write the list of pre-generated keys back to a pb file.
-    if (bkeysgenerated) {
-        std::string datapath(datastore);
-        datapath += ".hsmkey.pb";
-        int fd = open(datapath.c_str(),O_CREAT|O_WRONLY,0644);
-        if (hsmkeyDoc->SerializeToFileDescriptor(fd)) {
-            ods_log_debug("[%s] HSM key info list has been written",
-                          module_str);
-        } else {
-            ods_log_error("[%s] HSM key info list could not be written to \"%s\"",
-                          module_str,datapath.c_str());
-        }
-        close(fd);
-    }
 }
 
 static task_type * 

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_list_cmd.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_list_cmd.cpp	2012-01-05 10:04:50 UTC (rev 6027)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_list_cmd.cpp	2012-01-05 10:04:52 UTC (rev 6028)
@@ -13,17 +13,15 @@
 
 void help_hsmkey_list_cmd(int sockfd)
 {
-    char buf[ODS_SE_MAXLINE];
-    (void) snprintf(buf, ODS_SE_MAXLINE,
+    ods_printf(sockfd,
         "hsm key list    list all the cryptographic keys present in the\n"
         "                configured hardware security modules\n"
         "  --verbose     (aka -v) show additonal information for every key.\n"
         );
-    ods_writen(sockfd, buf, strlen(buf));
 }
 
 int handled_hsmkey_list_cmd(int sockfd, engine_type* engine, const char *cmd,
-                              ssize_t n)
+							ssize_t n)
 {
     char buf[ODS_SE_MAXLINE];
     const char *argv[8];
@@ -46,8 +44,7 @@
     if (argc > NARGV) {
         ods_log_warning("[%s] too many arguments for %s command",
                         module_str,scmd);
-        (void)snprintf(buf, ODS_SE_MAXLINE,"too many arguments\n");
-        ods_writen(sockfd, buf, strlen(buf));
+        ods_printf(sockfd,"too many arguments\n");
         return 1; // errors, but handled
     }
     
@@ -55,17 +52,14 @@
     if (argc) {
         ods_log_warning("[%s] unknown arguments for %s command",
                         module_str,scmd);
-        (void)snprintf(buf, ODS_SE_MAXLINE,"unknown arguments\n");
-        ods_writen(sockfd, buf, strlen(buf));
+        ods_printf(sockfd,"unknown arguments\n");
         return 1; // errors, but handled
     }
     
-    /* perform task immediately */
     time_t tstart = time(NULL);
+	
     perform_hsmkey_list(sockfd,engine->config,bVerbose?1:0);
-    (void)snprintf(buf, ODS_SE_MAXLINE, "%s completed in %ld seconds.\n",
-                   scmd,time(NULL)-tstart);
-    ods_writen(sockfd, buf, strlen(buf));
-    
+
+    ods_printf(sockfd,"%s completed in %ld seconds.\n",scmd,time(NULL)-tstart);
     return 1;
 }

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_list_task.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_list_task.cpp	2012-01-05 10:04:50 UTC (rev 6027)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_list_task.cpp	2012-01-05 10:04:52 UTC (rev 6028)
@@ -10,40 +10,26 @@
 
 #include "xmlext-pb/xmlext-rd.h"
 
-
 #include <fcntl.h>
 
+#include "protobuf-orm/pb-orm.h"
+#include "daemon/orm.h"
+
 static const char *module_str = "hsmkey_list_task";
 
 void 
 perform_hsmkey_list(int sockfd, engineconfig_type *config, int bVerbose)
 {
-    char buf[ODS_SE_MAXLINE];
-    const char *datastore = config->datastore;
-    
 	GOOGLE_PROTOBUF_VERIFY_VERSION;
     
     // Load the current list of pre-generated keys
-    ::ods::hsmkey::HsmKeyDocument *hsmkeyDoc = 
-        new ::ods::hsmkey::HsmKeyDocument;
-    {
-        std::string datapath(datastore);
-        datapath += ".hsmkey.pb";
-        int fd = open(datapath.c_str(),O_RDONLY);
-        if (hsmkeyDoc->ParseFromFileDescriptor(fd)) {
-            ods_log_debug("[%s] HSM key info list has been loaded",
-                          module_str);
-        } else {
-            ods_log_error("[%s] HSM key info list could not be loaded "
-                          "from \"%s\"",
-                          module_str,datapath.c_str());
-        }
-        close(fd);
-    }
 
-
+	OrmConnRef conn;
+	if (!ods_orm_connect(sockfd, config, conn))
+		return; // errors have already been reported.
+	
     if (!bVerbose){
-        (void)snprintf(buf, ODS_SE_MAXLINE,
+        ods_printf(sockfd,
                        "HSM keys:\n"
                        "Id:                                      "
                        "Key type:  "
@@ -53,7 +39,7 @@
                        "\n"
                        );
     } else {
-        (void)snprintf(buf, ODS_SE_MAXLINE,
+        ods_printf(sockfd,
                        "HSM keys:\n"
                        "Id:                                      "
                        "Key type:  "
@@ -66,57 +52,73 @@
                        "\n"
                        );
     }
-    ods_writen(sockfd, buf, strlen(buf));
-    
-    // Enumerate the keys found in the doc file on disk.
-    for (int k=0; k<hsmkeyDoc->keys_size(); ++k) {
-        const ::ods::hsmkey::HsmKey& key = hsmkeyDoc->keys(k);
-        std::string ktype  = key.key_type();
-        uint32_t bits = key.bits();
-        std::string loca = key.locator();
-        std::string repo = key.repository();
-        char incep[32];
-        if (key.inception() != 0) {
-            if (!ods_ctime_r(incep,sizeof(incep),key.inception())) {
-                strncpy(incep,"invalid date/time",sizeof(incep));
-                incep[sizeof(incep)-1] = '\0';
-            }
-        } else {
-            strncpy(incep,"never",sizeof(incep));
-            incep[sizeof(incep)-1] = '\0';
-        }
-        
-        char keyalgo[32];
-        if (key.has_algorithm()) {
-            snprintf(keyalgo,sizeof(keyalgo),"%d",key.algorithm());
-        } else {
-            strncpy(keyalgo,"not set",sizeof(keyalgo));
-        }
-        keyalgo[sizeof(keyalgo)-1] = '\0';
-        
-        std::string role;
-        if ( key.has_role() )
-            role.assign( ::ods::hsmkey::keyrole_Name(key.role()) );
-        else
-            role.assign("not set");
-        
-        
-        std::string polic;
-        if ( key.has_policy() )
-            polic.assign( key.policy() );
-        else
-            polic.assign("not set");
-        
-        if (!bVerbose) {
-            (void)snprintf(buf, ODS_SE_MAXLINE,
-                           "%-40s %-10s %-7u %-12s %-26s\n",
-                           loca.c_str(),ktype.c_str(),bits,repo.c_str(),incep);
-        } else {
-            (void)snprintf(buf, ODS_SE_MAXLINE,
-                           "%-40s %-10s %-7u %-12s %-26s %-11s %-11s %-31s\n",
-                           loca.c_str(),ktype.c_str(),bits,repo.c_str(),incep,
-                           role.c_str(),keyalgo,polic.c_str());
-        }
-        ods_writen(sockfd, buf, strlen(buf));
-    }
+
+	{	OrmTransaction transaction(conn);
+		
+		if (!transaction.started()) {
+			ods_printf(sockfd,"error: database transaction failed\n");
+			return false;
+		}
+			
+		{	OrmResultRef rows;
+
+			if (!OrmMessageEnum(conn, ::ods::hsmkey::HsmKey::descriptor(), rows)) {
+				ods_printf(sockfd,"error: database hsm key enumeration failed\n");
+				return false;
+			}
+			
+			// Enumerate the hsm keys referenced in the database
+			for (bool next=OrmFirst(rows); next; next=OrmNext(rows)) {
+				::ods::hsmkey::HsmKey key;
+				if (OrmGetMessage(rows, key, true)) {
+					std::string ktype  = key.key_type();
+					uint32_t bits = key.bits();
+					std::string loca = key.locator();
+					std::string repo = key.repository();
+					char incep[32];
+					if (key.inception() != 0) {
+						if (!ods_ctime_r(incep,sizeof(incep),key.inception())) {
+							strncpy(incep,"invalid date/time",sizeof(incep));
+							incep[sizeof(incep)-1] = '\0';
+						}
+					} else {
+						strncpy(incep,"never",sizeof(incep));
+						incep[sizeof(incep)-1] = '\0';
+					}
+					
+					char keyalgo[32];
+					if (key.has_algorithm()) {
+						snprintf(keyalgo,sizeof(keyalgo),"%d",key.algorithm());
+					} else {
+						strncpy(keyalgo,"not set",sizeof(keyalgo));
+					}
+					keyalgo[sizeof(keyalgo)-1] = '\0';
+					
+					std::string role;
+					if ( key.has_role() )
+						role.assign( ::ods::hsmkey::keyrole_Name(key.role()) );
+					else
+						role.assign("not set");
+					
+					
+					std::string polic;
+					if ( key.has_policy() )
+						polic.assign( key.policy() );
+					else
+						polic.assign("not set");
+					
+					if (!bVerbose) {
+						ods_printf(sockfd,
+									   "%-40s %-10s %-7u %-12s %-26s\n",
+									   loca.c_str(),ktype.c_str(),bits,repo.c_str(),incep);
+					} else {
+						ods_printf(sockfd,
+									   "%-40s %-10s %-7u %-12s %-26s %-11s %-11s %-31s\n",
+									   loca.c_str(),ktype.c_str(),bits,repo.c_str(),incep,
+									   role.c_str(),keyalgo,polic.c_str());
+					}
+				}
+			}
+		}
+	}
 }

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_cmd.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_cmd.cpp	2012-01-05 10:04:50 UTC (rev 6027)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_cmd.cpp	2012-01-05 10:04:52 UTC (rev 6028)
@@ -16,23 +16,17 @@
 void
 help_update_hsmkeys_cmd(int sockfd)
 {
-    char buf[ODS_SE_MAXLINE];
-    (void) snprintf(buf, ODS_SE_MAXLINE,
+    ods_printf(sockfd,
         "update hsmkeys  import the keys found in all configured HSMs\n"
         "                into the database.\n"
         );
-    ods_writen(sockfd, buf, strlen(buf));
 }
 
 int
 handled_update_hsmkeys_cmd(int sockfd, engine_type* engine, const char *cmd,
                            ssize_t n)
 {
-    char buf[ODS_SE_MAXLINE];
-    task_type *task;
-    ods_status status;
     const char *scmd = "update hsmkeys";
-    ssize_t ncmd = strlen(scmd);
 
     cmd = ods_check_command(cmd,n,scmd);
     if (!cmd)
@@ -40,12 +34,10 @@
 
     ods_log_debug("[%s] %s command", module_str, scmd);
 
-    /* perform task immediately */
     time_t tstart = time(NULL);
-    perform_update_hsmkeys(sockfd,engine->config);
-    (void)snprintf(buf, ODS_SE_MAXLINE, "%s completed in %ld seconds.\n",
-                   scmd,time(NULL)-tstart);
-    ods_writen(sockfd, buf, strlen(buf));
 
-    return 1;
+    perform_update_hsmkeys(sockfd,engine->config,true);
+	
+    ods_printf(sockfd,"%s completed in %ld seconds.\n",scmd,time(NULL)-tstart);
+	return 1;
 }

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_task.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_task.cpp	2012-01-05 10:04:50 UTC (rev 6027)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_task.cpp	2012-01-05 10:04:52 UTC (rev 6028)
@@ -13,73 +13,159 @@
 #include <map>
 #include <fcntl.h>
 
+#include "protobuf-orm/pb-orm.h"
+#include "daemon/orm.h"
+
 static const char *module_str = "update_hsmkeys_task";
 
-
-static void import_all_keys_from_all_hsms(int sockfd, 
-                                          ::ods::hsmkey::HsmKeyDocument *doc)
+static void 
+import_all_keys_from_all_hsms(int sockfd, OrmConn conn)
 {
-    char buf[ODS_SE_MAXLINE];
     hsm_ctx_t * hsm_ctx = hsm_create_context();
     if (!hsm_ctx) {
-        ods_log_error("[%s] Could not connect to HSM", module_str);
+        ods_log_error_and_printf(sockfd, module_str, "could not connect to HSM");
         return;
     }
     size_t nkeys;
     hsm_key_t **kl = hsm_list_keys(hsm_ctx, &nkeys);
-
-    // Add new hsm keys found in the HSMs to the key list.
-    // We don't want nested lookup loops of O(N^2) we create a map to get O(2N)
-    std::map<const std::string,::ods::hsmkey::HsmKey*> keymap;
-    for (int k=0; k<doc->keys_size(); ++k) {
-        ::ods::hsmkey::HsmKey *key = doc->mutable_keys(k);
-        keymap[ key->locator() ] = key;
+    if (!kl) {
+        ods_log_error_and_printf(sockfd, module_str, "could not list hsm keys");
+        return;
     }
 
-    (void)snprintf(buf, ODS_SE_MAXLINE,
-                   "HSM keys:\n"
-                   "        "
-                   "Algorithm: "
-                   "Bits:   "
-                   "Id:                                      "
-                   "\n"
-                   );
-    ods_writen(sockfd, buf, strlen(buf));
+    ods_printf(sockfd,
+				"HSM keys:\n"
+				"        "
+				"Algorithm: "
+				"Bits:   "
+				"Id:                                      "
+				"\n"
+				);
+
+	OrmTransactionRW transaction(conn);
+	if (!transaction.started()) {
+        ods_log_error_and_printf(sockfd, module_str,
+								 "could not start database transaction");
+		hsm_key_list_free(kl,nkeys);
+		hsm_destroy_context(hsm_ctx);
+        return;
+	}
+	
     for (int i=0; i<nkeys; ++i) {
         hsm_key_t *k = kl[i];
         hsm_key_info_t *kinf = hsm_get_key_info(hsm_ctx,k);
 
-        
-        // skip HSM keys that already exist.
-        ::ods::hsmkey::HsmKey *key = NULL;
-        if (keymap.find( kinf->id ) != keymap.end()) {
-            
-            (void)snprintf(buf, ODS_SE_MAXLINE,
-                           "%-7s %-10s %-7ld %-40s\n",
-                           "update",
-                           kinf->algorithm_name,
-                           kinf->keysize,
-                           kinf->id
-                           );
-            ods_writen(sockfd, buf, strlen(buf));
-            key = keymap[ kinf->id ];
-        } else {
-            (void)snprintf(buf, ODS_SE_MAXLINE,
-                           "%-7s %-10s %-7ld %-40s\n",
-                           "import",
-                           kinf->algorithm_name,
-                           kinf->keysize,
-                           kinf->id
-                           );
-            ods_writen(sockfd, buf, strlen(buf));
-            key = doc->add_keys();
-            key->set_locator(kinf->id);
-            key->set_bits(kinf->keysize);
-        }
-        
-        key->set_key_type( kinf->algorithm_name );
-        key->set_repository( k->module->name );
-                
+		OrmResultRef result;
+		if (!OrmMessageEnumWhere(conn, ::ods::hsmkey::HsmKey::descriptor(),
+								 result, "locator='%s'",kinf->id))
+		{
+			// free allocated resources
+			hsm_key_info_free(kinf);
+
+			ods_log_error_and_printf(sockfd, module_str,
+									 "database query failed");
+			break;
+		}
+			
+		if (OrmFirst(result)) {
+			// Key already exists
+			::ods::hsmkey::HsmKey key;
+			OrmContextRef context;
+			if (!OrmGetMessage(result,key,true,context)) {
+				// free allocated resources
+				hsm_key_info_free(kinf);
+				// release query result, we don't need it anymore.
+				result.release();
+				
+				// This is an unexpected error !
+				ods_log_error_and_printf(sockfd, module_str,
+										 "database record retrieval failed");
+				break;
+			} else {
+				// release query result, we don't need it anymore.
+				result.release();
+
+				// retrieved the key from the database
+				
+				// Change key settings based on information from HSM key info
+				if (key.key_type() == std::string(kinf->algorithm_name)
+					|| key.repository() == std::string(k->module->name))
+				{
+
+					// key in the table does NOT need updating.
+					
+				} else {
+					// key in the table needs updating.
+					key.set_key_type( kinf->algorithm_name );
+					key.set_repository( k->module->name );
+					
+					if (!OrmMessageUpdate(context)) {
+						
+						// This is an unexpected error !
+						ods_log_error_and_printf(sockfd, module_str,
+											"database record retrieval failed");
+						
+					} else {
+
+						ods_printf(sockfd,
+									"%-7s %-10s %-7ld %-40s\n",
+									"update",
+									kinf->algorithm_name,
+									kinf->keysize,
+									kinf->id
+									);
+
+					}
+				}
+				
+				// release the context, we don't need it anymore.
+				context.release();
+			}
+		} else {
+			// release query result, we don't need it anymore.
+			result.release();
+			
+			// key does not exist
+			::ods::hsmkey::HsmKey key;
+			key.set_locator(kinf->id);
+			key.set_bits(kinf->keysize);
+			key.set_key_type( kinf->algorithm_name );
+			key.set_repository( k->module->name );
+			
+			// verify that according to the proto file definition the key is
+			// fully initialized.
+			if(!key.IsInitialized()) {
+				// free allocated resources
+				hsm_key_info_free(kinf);
+				
+				ods_log_error_and_printf(sockfd, module_str,
+										 "new HsmKey missing required fields");				
+				break;
+			}
+			
+			pb::uint64 keyid;
+			if (!OrmMessageInsert(conn, key, keyid)) {
+				// free allocated resources
+				hsm_key_info_free(kinf);
+
+				// This is an unexpected error !
+				ods_log_error_and_printf(sockfd, module_str,
+										 "database record insertion failed");
+				
+				break;
+			} else {
+				
+				// Key was inserted successfully
+				ods_printf(sockfd,
+							"%-7s %-10s %-7ld %-40s\n",
+							"import",
+							kinf->algorithm_name,
+							kinf->keysize,
+							kinf->id
+							);
+			}
+		}
+
         hsm_key_info_free(kinf);
     }
     hsm_key_list_free(kl,nkeys);
@@ -87,78 +173,20 @@
 }
 
 void 
-perform_update_hsmkeys(int sockfd, engineconfig_type *config)
+perform_update_hsmkeys(int sockfd, engineconfig_type *config, int bManual)
 {
-    char buf[ODS_SE_MAXLINE];
-    const char *datastore = config->datastore;
-    
+	// check that we are using a compatible protobuf version.
 	GOOGLE_PROTOBUF_VERIFY_VERSION;
-    
-    // Load the current list of pre-generated keys
-    ::ods::hsmkey::HsmKeyDocument *hsmkeyDoc = 
-        new ::ods::hsmkey::HsmKeyDocument;
-    {
-        std::string datapath(datastore);
-        datapath += ".hsmkey.pb";
-        int fd = open(datapath.c_str(),O_RDONLY);
-        if (hsmkeyDoc->ParseFromFileDescriptor(fd)) {
-            ods_log_debug("[%s] HSM key list has been loaded",
-                          module_str);
-        } else {
-            ods_log_error("[%s] HSM key list could not be loaded from \"%s\"",
-                          module_str,datapath.c_str());
-        }
-        close(fd);
-    }
-
-    // Go through all the keys in HSMs and import them if they are 
-    // not already present
-    (void)snprintf(buf, ODS_SE_MAXLINE, "Database set to: %s\n", datastore);
-    ods_writen(sockfd, buf, strlen(buf));
-    import_all_keys_from_all_hsms(sockfd,hsmkeyDoc);
-    
-    // Persist the hsmkey doc back to disk as it may have
-    // been changed by the enforcer update
-    if (hsmkeyDoc->IsInitialized()) {
-        std::string datapath(datastore);
-        datapath += ".hsmkey.pb";
-        int fd = open(datapath.c_str(),O_WRONLY|O_CREAT, 0644);
-        if (hsmkeyDoc->SerializeToFileDescriptor(fd)) {
-            ods_log_debug("[%s] HSM keys have been updated",
-                          module_str);
-            
-            (void)snprintf(buf, ODS_SE_MAXLINE, 
-                           "update of HSM keys completed.\n");
-            ods_writen(sockfd, buf, strlen(buf));
-        } else {
-            (void)snprintf(buf, ODS_SE_MAXLINE, 
-                           "error: HSM keys file could not be written.\n");
-            ods_writen(sockfd, buf, strlen(buf));
-        }
-        close(fd);
-    } else {
-        (void)snprintf(buf, ODS_SE_MAXLINE, 
-                       "error: a message in the HSM keys is missing "
-                       "mandatory information.\n");
-        ods_writen(sockfd, buf, strlen(buf));
-    }
-    delete hsmkeyDoc;
+	
+	OrmConnRef conn;
+	if (!ods_orm_connect(sockfd, config, conn))
+		return; // errors have already been reported.
+	
+	// Go through all the keys in HSMs and import them if they are 
+	// not already present
+	if (bManual) {
+		ods_printf(sockfd, "Database set to: %s\n", config->datastore);
+		// DEPRECATED, key state import should selectively import keys.
+		import_all_keys_from_all_hsms(sockfd,conn);
+	}
 }
-
-static task_type * 
-update_hsmkeys_task_perform(task_type *task)
-{
-    perform_update_hsmkeys(-1,(engineconfig_type *)task->context);
-    
-    task_cleanup(task);
-    return NULL;
-}
-
-task_type *
-update_hsmkeys_task(engineconfig_type *config, const char *shortname)
-{
-    task_id what = task_register(shortname,
-                                 "update_hsmkeys_task_perform",
-                                 update_hsmkeys_task_perform);
-	return task_create(what, time_now(), "all", (void*)config);
-}

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_task.h
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_task.h	2012-01-05 10:04:50 UTC (rev 6027)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/update_hsmkeys_task.h	2012-01-05 10:04:52 UTC (rev 6028)
@@ -4,9 +4,6 @@
 #include "daemon/cfg.h"
 #include "scheduler/task.h"
 
-void perform_update_hsmkeys(int sockfd, engineconfig_type *config);
+void perform_update_hsmkeys(int sockfd, engineconfig_type *config, int bManual);
 
-task_type *update_hsmkeys_task(engineconfig_type *config, 
-                               const char *shortname);
-
 #endif




More information about the Opendnssec-commits mailing list