[Opendnssec-commits] [svn.opendnssec.org/svn/dnssec] r6039 - in branches/OpenDNSSEC-enforcer-ng/enforcer-ng: enforcer.xcodeproj src/enforcer src/hsmkey

rene at xpt.nl rene at xpt.nl
Mon Jan 9 09:23:12 CET 2012


Author: rene
Date: 2012-01-09 09:23:12 +0100 (Mon, 09 Jan 2012)
New Revision: 6039

Modified:
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/enforcer.xcodeproj/project.pbxproj
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/setup_cmd.cpp
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_cmd.cpp
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.cpp
   branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.h
Log:
Fix hsm key pre-generation for enforcer-ng

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/enforcer.xcodeproj/project.pbxproj
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/enforcer.xcodeproj/project.pbxproj	2012-01-09 08:23:08 UTC (rev 6038)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/enforcer.xcodeproj/project.pbxproj	2012-01-09 08:23:12 UTC (rev 6039)
@@ -13,7 +13,6 @@
 		A71B7E9D1484D7BE0084A251 /* kasp.proto in Sources */ = {isa = PBXBuildFile; fileRef = A772F49713323E7A004179E8 /* kasp.proto */; };
 		A71B7E9E1484D7CA0084A251 /* zonelist.proto in Sources */ = {isa = PBXBuildFile; fileRef = A75E74B6133B6E9700F09B43 /* zonelist.proto */; };
 		A71B7E9F1484D7D20084A251 /* xmlext.proto in Sources */ = {isa = PBXBuildFile; fileRef = A772F49213323E5E004179E8 /* xmlext.proto */; };
-		A71B7EA11484E9D10084A251 /* conf.proto in Sources */ = {isa = PBXBuildFile; fileRef = A77C57F0136CB0A0000A4E51 /* conf.proto */; };
 		A71D0996136C44EA00D8F205 /* hsmkey_list_task.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A71D0993136C44E300D8F205 /* hsmkey_list_task.cpp */; };
 		A71D0997136C44EF00D8F205 /* hsmkey_list_cmd.cpp in Sources */ = {isa = PBXBuildFile; fileRef = A71D098F136C42E100D8F205 /* hsmkey_list_cmd.cpp */; };
 		A73185BB1314F41C007DB701 /* cfg.c in Sources */ = {isa = PBXBuildFile; fileRef = A73184FF13144EE1007DB701 /* cfg.c */; };
@@ -180,7 +179,6 @@
 		A772F49C13324716004179E8 /* xmlext-rd.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "xmlext-rd.h"; sourceTree = "<group>"; };
 		A772F49D13324716004179E8 /* xmlext-rd.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = "xmlext-rd.cpp"; sourceTree = "<group>"; };
 		A7790E59135CE27C00EED13E /* hsmkey.proto */ = {isa = PBXFileReference; explicitFileType = sourcecode.cpp.cpp.preprocessed; fileEncoding = 4; path = hsmkey.proto; sourceTree = "<group>"; };
-		A77C57F0136CB0A0000A4E51 /* conf.proto */ = {isa = PBXFileReference; explicitFileType = sourcecode.cpp.cpp.preprocessed; fileEncoding = 4; path = conf.proto; sourceTree = "<group>"; };
 		A77C57FD136D674C000A4E51 /* keystate_list_task.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = keystate_list_task.h; path = keystate/keystate_list_task.h; sourceTree = "<group>"; };
 		A77C57FE136D674C000A4E51 /* keystate_list_task.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = keystate_list_task.cpp; path = keystate/keystate_list_task.cpp; sourceTree = "<group>"; };
 		A77C5800136D6BC7000A4E51 /* keystate_list_cmd.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = keystate_list_cmd.cpp; path = keystate/keystate_list_cmd.cpp; sourceTree = "<group>"; };
@@ -423,7 +421,6 @@
 		A731851A13144EE1007DB701 /* parser */ = {
 			isa = PBXGroup;
 			children = (
-				A77C57F0136CB0A0000A4E51 /* conf.proto */,
 				A731851B13144EE1007DB701 /* confparser.c */,
 				A731851C13144EE1007DB701 /* confparser.h */,
 			);
@@ -818,7 +815,6 @@
 				A71B7E9D1484D7BE0084A251 /* kasp.proto in Sources */,
 				A71B7E9E1484D7CA0084A251 /* zonelist.proto in Sources */,
 				A71B7E9F1484D7D20084A251 /* xmlext.proto in Sources */,
-				A71B7EA11484E9D10084A251 /* conf.proto in Sources */,
 				A7BAA574149937D400C7DD2B /* pb-orm-connect.cc in Sources */,
 				A7BAA575149937D400C7DD2B /* pb-orm-context.cc in Sources */,
 				A7BAA576149937D400C7DD2B /* pb-orm-create-table.cc in Sources */,

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/setup_cmd.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/setup_cmd.cpp	2012-01-09 08:23:08 UTC (rev 6038)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/enforcer/setup_cmd.cpp	2012-01-09 08:23:12 UTC (rev 6039)
@@ -144,8 +144,10 @@
     perform_update_kasp(sockfd, engine->config);
     perform_update_keyzones(sockfd, engine->config);
 	perform_update_hsmkeys(sockfd, engine->config, 0 /* automatic */);
-    perform_hsmkey_gen(sockfd, engine->config, 0 /* automatic */);
 
+    perform_hsmkey_gen(sockfd, engine->config, 0 /* automatic */,
+					   engine->config->automatic_keygen_duration);
+
     flush_all_tasks(sockfd, engine);
 
     ods_printf(sockfd, "%s completed in %ld seconds.\n",scmd,time(NULL)-tstart);
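Review bot: The added call at L67-68 is indented with four spaces on its first line and tabs on the continuation line, inside a function that already mixes a tab-indented call (L64) with space-indented ones (L62-63); pick the file's convention and apply it to both new lines, e.g. `    perform_hsmkey_gen(sockfd, engine->config, 0 /* automatic */,` followed by `                       engine->config->automatic_keygen_duration);`. The enclosing function starts before this hunk, so its prevailing indentation is not visible here.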

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_cmd.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_cmd.cpp	2012-01-09 08:23:08 UTC (rev 6038)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_cmd.cpp	2012-01-09 08:23:12 UTC (rev 6039)
@@ -18,11 +18,81 @@
 void help_hsmkey_gen_cmd(int sockfd)
 {
     ods_printf(sockfd,
-        "hsm key gen     pre-generate a collection of cryptographic keys\n"
-        "                before they are actually needed by the enforcer\n"
+        "hsm key gen     pre-generate a collection of hsm keys\n"
+        "                before they are actually needed by the enforcer.\n"
+		"  --duration <duration>\n"
+		"                (aka -d) generate enough keys for the currently\n"
+		"                present zones to last for the duration specified.\n"
+		"                examples:\n"
+		"                  -d P2Y         2 years\n"
+		"                  -d P3YT1H6M    3 years, 1 hour and 6 minutes\n"
         );
 }
 
+static bool
+get_period(int sockfd,
+		   engineconfig_type *config,
+		   const char *scmd,
+		   const char *cmd,
+		   time_t &period)
+{
+	char buf[ODS_SE_MAXLINE];
+    const char *argv[1];
+    const int NARGV = sizeof(argv)/sizeof(char*);    
+    int argc;
+	
+	// Use buf as an intermediate buffer for the command.
+    strncpy(buf,cmd,sizeof(buf));
+    buf[sizeof(buf)-1] = '\0';
+
+    // separate the arguments
+    argc = ods_str_explode(&buf[0], NARGV, &argv[0]);
+    if (argc > NARGV) {
+		ods_log_error_and_printf(sockfd, module_str,
+								 "too many arguments for %s command",
+								 scmd);
+        return false; // errors, but handled
+    }
+    
+    const char *str = NULL;
+    (void)ods_find_arg_and_param(&argc,argv,"duration","d",&str);
+	
+	// fail on unhandled arguments;
+    if (argc) {
+		ods_log_error_and_printf(sockfd, module_str,
+								 "unknown arguments for %s command",
+								 scmd);
+        return false; // errors, but handled
+    }
+
+	// Use the automatic keygen period when no period is specified 
+	// on the commandline. This defaults to a year.
+	period = config->automatic_keygen_duration;
+	
+	// Analyze the argument and fail on error.
+	if (str) {
+		duration_type *duration = duration_create_from_string(str);
+		if (!duration) {
+			ods_log_error_and_printf(sockfd, module_str,
+									 "invalid duration argument %s",
+									 str);
+			return false; // errors, but handled
+		}
+		period = duration2time(duration);
+		duration_cleanup(duration);
+		if (!period) {
+			ods_log_error_and_printf(sockfd, module_str,
+									 "invalid period in duration argument %s",
+									 str);
+			return false; // errors, but handled
+		}
+	}
+		
+	return true;
+}
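Review bot: `const char *argv[1]` at L103 looks too small for the option this same function parses: `--duration P2Y` is two tokens, the flag and its value, and `ods_find_arg_and_param` has to find both in argv, so if `ods_str_explode` reports the full token count (which the `argc > NARGV` check suggests) every use of `-d` is rejected with "too many arguments". Sizing the array for the expected input, e.g. `const char *argv[8];`, fixes that while the existing check still rejects genuinely excessive input. Separately, nothing bounds the requested period, and the generation side multiplies it per zone, so a sanity cap or at least a logged warning for durations above a few years would protect the HSM token from an accidental `-d P100Y`.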
+
+
+
 int handled_hsmkey_gen_cmd(int sockfd, engine_type* engine, const char *cmd,
 						   ssize_t n)
 {
@@ -34,9 +104,13 @@
 
     ods_log_debug("[%s] %s command", module_str, scmd);
 
+	time_t period;
+	if (!get_period(sockfd,engine->config, scmd, cmd, period))
+		return 1; // errors, but handled
+
     time_t tstart = time(NULL);
 
-    perform_hsmkey_gen(sockfd,engine->config,1);
+    perform_hsmkey_gen(sockfd,engine->config,1,period);
     
 	ods_printf(sockfd,"%s completed in %ld seconds.\n",scmd,time(NULL)-tstart);
     return 1;

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.cpp
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.cpp	2012-01-09 08:23:08 UTC (rev 6038)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.cpp	2012-01-09 08:23:12 UTC (rev 6039)
@@ -15,6 +15,7 @@
 #include <fcntl.h>
 #include <string.h>
 #include <memory>
+#include <math.h>
 
 #include "protobuf-orm/pb-orm.h"
 #include "daemon/orm.h"
@@ -211,7 +212,7 @@
 
 static void
 generate_ksks(int sockfd, OrmConn conn, const ::ods::kasp::Policy &policy,
-			  time_t duration)
+			  time_t duration, pb::uint64 nzones)
 {
 	::ods::hsmkey::keyrole key_role = ::ods::hsmkey::KSK;
 	for (int k=0; k<policy.keys().ksk_size(); ++k) {
@@ -228,10 +229,10 @@
 			ods_log_error_and_printf(sockfd,module_str,
 									 "counting KSKs failed");
 		} else {
-			int key_pregen = 1 + (duration / key.lifetime());
+			int key_pregen = (int)ceil((double)duration/(double)key.lifetime());
 			if (!generate_keypairs(sockfd,
 								   conn,
-								   key_pregen-nunusedkeys,
+								   (nzones*key_pregen)-nunusedkeys,
 								   key.bits(),
 								   key.repository().c_str(),
 								   policy.name().c_str(),
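Review bot: `(nzones*key_pregen)-nunusedkeys` at L208 is evaluated in unsigned 64-bit arithmetic because `nzones` is `pb::uint64`, so when the repository already holds more unused KSKs than `nzones*key_pregen` (after zones are removed, or when a shorter duration is requested) the result wraps to a value near 2^64 instead of going negative; what `generate_keypairs` does with that depends on its parameter type, which is outside the hunk, but in the worst case it is a request to generate an enormous number of keys in the HSM. Computing the demand first and skipping when it is already covered avoids depending on that: `pb::uint64 needed = nzones * (pb::uint64)key_pregen;` then `if (needed <= nunusedkeys) continue;` and pass `needed - nunusedkeys`. The same expression is repeated in generate_zsks and generate_csks. generate_ksks's body continues past the end of the hunk.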
@@ -247,7 +248,7 @@
 
 static void
 generate_zsks(int sockfd, OrmConn conn, const ::ods::kasp::Policy &policy,
-			  time_t duration)
+			  time_t duration, pb::uint64 nzones)
 {
 	::ods::hsmkey::keyrole key_role = ::ods::hsmkey::ZSK;
 	for (int k=0; k<policy.keys().zsk_size(); ++k) {
@@ -264,10 +265,10 @@
 			ods_log_error_and_printf(sockfd,module_str,
 									 "counting ZSKs failed");
 		} else {
-			int key_pregen = 1 + (duration / key.lifetime());
+			int key_pregen = (int)ceil((double)duration/(double)key.lifetime());
 			if (!generate_keypairs(sockfd,
 								   conn,
-								   key_pregen-nunusedkeys,
+								   (nzones*key_pregen)-nunusedkeys,
 								   key.bits(),
 								   key.repository().c_str(),
 								   policy.name().c_str(),
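Review bot: `ceil((double)duration/(double)key.lifetime())` at L226 has no guard for a zero `key.lifetime()`: the division yields inf and casting inf to `int` is undefined behaviour, whereas the old integer division at least trapped. A very large `duration` against a short lifetime likewise overflows `int` before the cast. A check ahead of the computation, e.g. `if (key.lifetime() == 0) { ods_log_error_and_printf(sockfd, module_str, "ZSK lifetime must be positive"); continue; }`, plus rejecting a `duration/lifetime` ratio above a sane maximum, keeps the count meaningful; whether the KASP loader already rejects a zero lifetime is not visible from this hunk. generate_zsks's body continues outside the hunk.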
@@ -283,7 +284,7 @@
 
 static void
 generate_csks(int sockfd, OrmConn conn, const ::ods::kasp::Policy &policy,
-			  time_t duration)
+			  time_t duration, pb::uint64 nzones)
 {
 	::ods::hsmkey::keyrole key_role = ::ods::hsmkey::CSK;
 	for (int k=0; k<policy.keys().csk_size(); ++k) {
@@ -300,10 +301,10 @@
 			ods_log_error_and_printf(sockfd,module_str,
 									 "counting CSKs failed");
 		} else {
-			int key_pregen = 1 + (duration / key.lifetime());
+			int key_pregen = (int)ceil((double)duration/(double)key.lifetime());
 			if (!generate_keypairs(sockfd,
 								   conn,
-								   key_pregen-nunusedkeys,
+								   (nzones*key_pregen)-nunusedkeys,
 								   key.bits(),
 								   key.repository().c_str(),
 								   policy.name().c_str(),
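Review bot: The pre-generation arithmetic at L248 and L252 is now the third verbatim copy of the same two lines (generate_ksks and generate_zsks carry the other two), so any later fix to the zero-lifetime or unsigned-wraparound handling has to be made in three places. A small helper that returns the number of keys still to generate lets all three role functions share it and puts the bounds checks in one spot; each loop would then call `n = keys_to_pregen(duration, key.lifetime(), nzones, nunusedkeys)` and skip `generate_keypairs` when it returns 0. The type of `nunusedkeys` is not visible in the hunk; the helper below assumes the count is unsigned 64-bit like `nzones`. generate_csks's body continues past the end of the hunk.
```cpp
// Number of keys still to pre-generate for one key definition of a policy:
// enough for each zone to last `duration`, minus the unused keys already
// present. Returns 0 when the lifetime is invalid or the demand is covered.
static pb::uint64
keys_to_pregen(time_t duration, time_t lifetime, pb::uint64 nzones,
			   pb::uint64 nunusedkeys)
{
	if (lifetime <= 0 || duration <= 0)
		return 0;
	// integer ceil(duration / lifetime), no floating point or <math.h> needed
	pb::uint64 per_zone = (pb::uint64)((duration + lifetime - 1) / lifetime);
	pb::uint64 needed = nzones * per_zone;
	return needed > nunusedkeys ? needed - nunusedkeys : 0;
}
// … unchanged: generate_csks loop, CSK counting and the generate_keypairs call …
```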
@@ -352,7 +353,8 @@
 }
 
 void 
-perform_hsmkey_gen(int sockfd, engineconfig_type *config, int bManual)
+perform_hsmkey_gen(int sockfd, engineconfig_type *config, int bManual,
+				   time_t duration)
 {
     GOOGLE_PROTOBUF_VERIFY_VERSION;
 
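Review bot: The new `duration` parameter at L262 is used without any validation inside perform_hsmkey_gen: the command path rejects a zero period in get_period, but the `setup` path in this same commit passes `engine->config->automatic_keygen_duration` straight through, and nothing visible here checks that configuration value. Since every caller ends up in the per-policy division by `key.lifetime()`, rejecting it once at the top is cheaper than trusting each caller: `if (duration <= 0) { ods_log_error_and_printf(sockfd, module_str, "invalid key pre-generation duration"); return; }`. The function body continues past the end of the hunk.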
@@ -408,11 +410,6 @@
 		}
 	}	
 
-	// Now perform the policy driven key pre-generation.
-	time_t duration = 365 * 24 * 3600; // a normal year in seconds.
-	
-	//FIXME: get duration as a parameter on the command line.
-	
     for (int i=0; i<kasp.policies_size(); ++i) {
 
 		pb::uint64 count;
@@ -424,16 +421,18 @@
 			continue;
 		}
 				
-		generate_ksks(sockfd, conn, kasp.policies(i), duration);
-		generate_zsks(sockfd, conn, kasp.policies(i), duration);
-		generate_csks(sockfd, conn, kasp.policies(i), duration);
+		generate_ksks(sockfd, conn, kasp.policies(i), duration, count);
+		generate_zsks(sockfd, conn, kasp.policies(i), duration, count);
+		generate_csks(sockfd, conn, kasp.policies(i), duration, count);
     }
 }
 
 static task_type * 
 hsmkey_gen_task_perform(task_type *task)
 {
-    perform_hsmkey_gen(-1, (engineconfig_type *)task->context, 0);
+	// by default pre-generate keys for all zones to last for a year.
+	time_t year = 365 * 24 * 3600;
+    perform_hsmkey_gen(-1, (engineconfig_type *)task->context, 0, year);
     task_cleanup(task);
     return NULL;
 }
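Review bot: The scheduled task at L296-297 hardcodes a one-year horizon, while the `setup` command in this same commit passes `engine->config->automatic_keygen_duration` for the automatic case, so the two automatic paths disagree as soon as the configured value is not exactly a year. The task already carries the configuration in `task->context`, so it can use the same source: `engineconfig_type *config = (engineconfig_type *)task->context;` followed by `perform_hsmkey_gen(-1, config, 0, config->automatic_keygen_duration);`. If a fixed year is intended here, a comment explaining why the task deliberately ignores the configured duration would pre-empt the question.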

Modified: branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.h
===================================================================
--- branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.h	2012-01-09 08:23:08 UTC (rev 6038)
+++ branches/OpenDNSSEC-enforcer-ng/enforcer-ng/src/hsmkey/hsmkey_gen_task.h	2012-01-09 08:23:12 UTC (rev 6039)
@@ -4,7 +4,8 @@
 #include "daemon/cfg.h"
 #include "scheduler/task.h"
 
-void perform_hsmkey_gen(int sockfd, engineconfig_type *config, int bManual);
+void perform_hsmkey_gen(int sockfd, engineconfig_type *config, int bManual,
+						time_t duration);
 
 task_type *hsmkey_gen_task(engineconfig_type *config);
 
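Review bot: The new `duration` parameter is undocumented in the header, and its unit and sign requirement are only discoverable from the callers (seconds, built from `365 * 24 * 3600` in hsmkey_gen_task.cpp; zero rejected by get_period in hsmkey_gen_cmd.cpp). A comment above the prototype would fix that, e.g. `/* sockfd: client socket, or -1 when run from a scheduled task; bManual: 1 for the 'hsm key gen' command, 0 for automatic runs; duration: horizon in seconds (> 0) the pre-generated keys must cover per zone. */`.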



