[Opendnssec-user] how to match/correlate key's CKA_ID & PUBKEY?

PGNet Dev pgnet.dev at gmail.com
Wed Feb 22 17:23:08 UTC 2017


For a given list of keys in an ODS2 db,

	ods-enforcer key list -v
		Keys:
		Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
		example.com                     KSK      retire    waiting for ds-gone      384   14         d2f...  SoftHSM     91234
		example.com                     KSK      retire    waiting for ds-gone      384   14         9f1...  SoftHSM     13454
		example.com                     KSK      retire    waiting for ds-gone      384   14         50d...  SoftHSM     4215
		example.com                     KSK      retire    waiting for ds-gone      384   14         f90...  SoftHSM     69524
		example.com                     KSK      retire    waiting for ds-gone      384   14         4f8...  SoftHSM     64511
		example.com                     ZSK      retire    2017-02-22 09:43:07      384   14         081...  SoftHSM     7944
		example.com                     KSK      ready     waiting for ds-seen      384   14         850...  SoftHSM     47635
		example.com                     ZSK      retire    2017-02-22 09:43:07      384   14         b5f...  SoftHSM     2524
		example.com                     ZSK      ready     2017-02-22 09:43:07      384   14         853...  SoftHSM     33745

	ods-enforcer key list -d
		Keys:
		Zone:                           Key role:     DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
		example.com                     KSK           unretentive  omnipresent  omnipresent  NA           1    1    d2f...
		example.com                     KSK           unretentive  hidden       hidden       NA           0    0    9f1...
		example.com                     KSK           unretentive  hidden       hidden       NA           0    0    50d...
		example.com                     KSK           unretentive  hidden       hidden       NA           0    0    f90...
		example.com                     KSK           unretentive  hidden       hidden       NA           0    0    4f8...
		example.com                     ZSK           NA           hidden       NA           hidden       0    0    081...
		example.com                     KSK           rumoured     omnipresent  omnipresent  NA           1    1    850...
		example.com                     ZSK           NA           omnipresent  NA           unretentive  1    0    b5f...
		example.com                     ZSK           NA           omnipresent  NA           rumoured     1    1    853...

how do you find/export the public key for a specified CKA_ID?

unlike `key import`

	key import
	        --cka_id <CKA_ID>                       aka -k
	        --repository <repository>               aka -r
	        --zone <zone>                           aka -z
	        --bits <size>                           aka -b
	        --algorithm <algorithm>                 aka -g
	        --keystate <state>                      aka -e
	        --keytype <type>                        aka -t
	        --inception_time <time>                 aka -w

which provides a --cka_id flag, `key export` does not appear to provide a method to correlate cka_id to public_key:

	key export
	        --zone <zone> | --all                   aka -z | -a
	        --keystate <state>                      aka -e
	        --keytype <type>                        aka -t
	        [--ds [--sha1]]                         aka -d [-s]

	ods-enforcer key export --all
		example.com.     300     IN      DNSKEY  257 3 14 YJ9...
		example.com.     300     IN      DNSKEY  257 3 14 jbP...
		example.com.     300     IN      DNSKEY  257 3 14 TQ0...
		example.com.     300     IN      DNSKEY  257 3 14 Veo...
		example.com.     300     IN      DNSKEY  257 3 14 M2u...
		example.com.     300     IN      DNSKEY  257 3 14 Lj1...




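One way to make that correlation from the two outputs the post already has, as an added example (this is not OpenDNSSEC's own code and not a reply from the list): `key list -v` prints the KeyTag in the column next to the CKA_ID, and the key tag of each DNSKEY RR that `key export` prints can be recomputed from its RDATA per RFC 4034 Appendix B, so the two listings can be joined on (zone, role, algorithm, key tag). The listing rows, CKA_IDs and public keys below are constructed toy data rather than the truncated values in the post, and all function and class names are this example's own.

```python
"""Join `ods-enforcer key list -v` rows to `ods-enforcer key export` DNSKEY
records via the RFC 4034 key tag.

Added example, not OpenDNSSEC code: the listing and the DNSKEY RRs below are
constructed (fake CKA_IDs, toy public keys) so the script runs offline.
"""
import base64
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-in for `ods-enforcer key list -v` (same columns as the tool;
# CKA_IDs and tags are made up and consistent with KEY_EXPORT below).
KEY_LIST_V = """\
Keys:
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.com                     KSK      ready     waiting for ds-seen      384   14         0a1b2c3d0a1b2c3d0a1b2c3d0a1b2c3d SoftHSM     1555
example.com                     ZSK      active    2017-02-22 09:43:07      384   14         9e8f7a6b9e8f7a6b9e8f7a6b9e8f7a6b SoftHSM     38094
"""

# Constructed stand-in for `ods-enforcer key export --all` (toy 4- and 6-byte keys).
KEY_EXPORT = """\
example.com.     300     IN      DNSKEY  257 3 14 AAECAw==
example.com.     300     IN      DNSKEY  256 3 14 ECAwQFBg
"""


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA (flags, protocol,
    algorithm, public key). The obsolete RSA/MD5 (algorithm 1) special case is
    deliberately not implemented."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes add as-is, even bytes shifted
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class ListedKey:
    zone: str
    keytype: str      # "KSK" or "ZSK" as printed by the enforcer
    algorithm: int
    cka_id: str
    keytag: int


@dataclass(frozen=True)
class DnskeyRR:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey_b64: str

    @property
    def keytype(self) -> str:
        # Flag value 1 is the SEP bit; OpenDNSSEC sets it on KSKs (257) only.
        return "KSK" if self.flags & 0x0001 else "ZSK"

    @property
    def keytag(self) -> int:
        return dnskey_keytag(self.flags, self.protocol, self.algorithm,
                             base64.b64decode(self.pubkey_b64))


def parse_key_list(text: str) -> List[ListedKey]:
    """Parse `key list -v` rows from the right-hand end, because the
    'Date of next transition' column itself contains spaces."""
    keys = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] in ("Keys:", "Zone:"):
            continue
        keys.append(ListedKey(zone=f[0], keytype=f[1], algorithm=int(f[-4]),
                              cka_id=f[-3], keytag=int(f[-1])))
    return keys


def parse_key_export(text: str) -> List[DnskeyRR]:
    """Parse presentation-format DNSKEY RRs; a key split over several
    whitespace-separated chunks is re-joined."""
    rrs = []
    for line in text.splitlines():
        f = line.split()
        if "DNSKEY" not in f:
            continue
        i = f.index("DNSKEY")
        rrs.append(DnskeyRR(owner=f[0].rstrip(".").lower(), flags=int(f[i + 1]),
                            protocol=int(f[i + 2]), algorithm=int(f[i + 3]),
                            pubkey_b64="".join(f[i + 4:])))
    return rrs


def correlate(listed: List[ListedKey], rrs: List[DnskeyRR]) -> Dict[str, DnskeyRR]:
    """Map CKA_ID -> DNSKEY by (zone, role, algorithm, key tag).

    A key tag is a 16-bit checksum, not a unique identifier: two keys of one
    zone can share a tag, so an ambiguous match raises instead of guessing."""
    index: Dict[Tuple[str, str, int, int], List[DnskeyRR]] = {}
    for rr in rrs:
        index.setdefault((rr.owner, rr.keytype, rr.algorithm, rr.keytag), []).append(rr)
    result: Dict[str, DnskeyRR] = {}
    for k in listed:
        cands = index.get((k.zone.rstrip(".").lower(), k.keytype, k.algorithm, k.keytag), [])
        if len(cands) == 1:
            result[k.cka_id] = cands[0]
        elif len(cands) > 1:
            raise ValueError(f"key tag {k.keytag} is ambiguous for {k.zone}: "
                             f"{len(cands)} DNSKEYs share it")
    return result


def correlate_samples() -> Dict[str, str]:
    """Run the join over the constructed samples; returns CKA_ID -> base64 key."""
    return {cka: rr.pubkey_b64
            for cka, rr in correlate(parse_key_list(KEY_LIST_V),
                                     parse_key_export(KEY_EXPORT)).items()}


if __name__ == "__main__":
    for cka, rr in correlate(parse_key_list(KEY_LIST_V), parse_key_export(KEY_EXPORT)).items():
        print(f"{cka}  tag={rr.keytag:5d}  {rr.keytype}  {rr.pubkey_b64}")
```

In practice the two inputs would be the real outputs of `ods-enforcer key list -v` and `ods-enforcer key export --all` piped into the two parsers. Because tags are only 16 bits, a collision within one zone is possible; when `correlate` reports one, narrowing the export with the `--keytype` and `--keystate` filters shown in the help text above is enough to separate the candidates.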