Move common create key functions to dnssectool.c

The dnssec-ksr tool needs to read a dnssec-policy from configuration
too, as well as deal with FIPS mode checks.

bin/dnssec/Makefile.am

@@ -2,6 +2,7 @@ include $(top_srcdir)/Makefile.top
 
 AM_CPPFLAGS +=			\
 	$(LIBISC_CFLAGS)	\
+	$(LIBISCCFG_CFLAGS)	\
 	$(LIBDNS_CFLAGS)
 
 AM_CPPFLAGS +=			\
@@ -12,6 +13,7 @@ noinst_LTLIBRARIES = libdnssectool.la
 LDADD +=			\
 	libdnssectool.la	\
 	$(LIBISC_LIBS)		\
+	$(LIBISCCFG_LIBS)	\
 	$(LIBDNS_LIBS)		\
 	$(OPENSSL_LIBS)
 
@@ -33,20 +35,16 @@ libdnssectool_la_SOURCES =	\
 
 dnssec_keygen_CPPFLAGS =	\
 	$(AM_CPPFLAGS)		\
-	$(LIBISCCFG_CFLAGS)	\
 	$(OPENSSL_CFLAGS)
 
 dnssec_keygen_LDADD =		\
 	$(LDADD)		\
-	$(LIBISCCFG_LIBS)	\
 	$(OPENSSL_LIBS)
 
 dnssec_signzone_CPPFLAGS =	\
 	$(AM_CPPFLAGS)		\
-	$(LIBISCCFG_CFLAGS)	\
 	$(OPENSSL_CFLAGS)
 
 dnssec_signzone_LDADD =		\
 	$(LDADD)		\
-	$(LIBISCCFG_LIBS)	\
 	$(OPENSSL_LIBS)

bin/dnssec/dnssec-keygen.c

@@ -56,10 +56,6 @@
 
 #include <dst/dst.h>
 
-#include <isccfg/cfg.h>
-#include <isccfg/grammar.h>
-#include <isccfg/kaspconf.h>
-#include <isccfg/namedconf.h>
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
 #include <openssl/err.h>
 #include <openssl/provider.h>
@@ -67,9 +63,6 @@
 
 #include "dnssectool.h"
 
-#define MAX_RSA 4096 /* should be long enough... */
-#define MAX_DH	4096 /* should be long enough... */
-
 const char *program = "dnssec-keygen";
 
 /*
@@ -254,90 +247,6 @@ progress(int p) {
 	(void)fflush(stderr);
 }
 
-static void
-kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, const char *name,
-	       const char *keydir, const char *engine, dns_kasp_t **kaspp) {
-	isc_result_t result = ISC_R_NOTFOUND;
-	const cfg_listelt_t *element;
-	const cfg_obj_t *kasps = NULL;
-	dns_kasp_t *kasp = NULL, *kasp_next;
-	dns_kasplist_t kasplist;
-	const cfg_obj_t *keystores = NULL;
-	dns_keystore_t *ks = NULL, *ks_next;
-	dns_keystorelist_t kslist;
-
-	ISC_LIST_INIT(kasplist);
-	ISC_LIST_INIT(kslist);
-
-	(void)cfg_map_get(config, "key-store", &keystores);
-	for (element = cfg_list_first(keystores); element != NULL;
-	     element = cfg_list_next(element))
-	{
-		cfg_obj_t *kconfig = cfg_listelt_value(element);
-		ks = NULL;
-		result = cfg_keystore_fromconfig(kconfig, mctx, lctx, engine,
-						 &kslist, NULL);
-		if (result != ISC_R_SUCCESS) {
-			fatal("failed to configure key-store '%s': %s",
-			      cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
-			      isc_result_totext(result));
-		}
-	}
-	/* Default key-directory key store. */
-	ks = NULL;
-	(void)cfg_keystore_fromconfig(NULL, mctx, lctx, engine, &kslist, &ks);
-	INSIST(ks != NULL);
-	if (keydir != NULL) {
-		/* '-K keydir' takes priority */
-		dns_keystore_setdirectory(ks, keydir);
-	}
-	dns_keystore_detach(&ks);
-
-	(void)cfg_map_get(config, "dnssec-policy", &kasps);
-	for (element = cfg_list_first(kasps); element != NULL;
-	     element = cfg_list_next(element))
-	{
-		cfg_obj_t *kconfig = cfg_listelt_value(element);
-		kasp = NULL;
-		if (strcmp(cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
-			   name) != 0)
-		{
-			continue;
-		}
-
-		result = cfg_kasp_fromconfig(kconfig, NULL, true, mctx, lctx,
-					     &kslist, &kasplist, &kasp);
-		if (result != ISC_R_SUCCESS) {
-			fatal("failed to configure dnssec-policy '%s': %s",
-			      cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
-			      isc_result_totext(result));
-		}
-		INSIST(kasp != NULL);
-		dns_kasp_freeze(kasp);
-		break;
-	}
-
-	*kaspp = kasp;
-
-	/*
-	 * Cleanup kasp list.
-	 */
-	for (kasp = ISC_LIST_HEAD(kasplist); kasp != NULL; kasp = kasp_next) {
-		kasp_next = ISC_LIST_NEXT(kasp, link);
-		ISC_LIST_UNLINK(kasplist, kasp, link);
-		dns_kasp_detach(&kasp);
-	}
-
-	/*
-	 * Cleanup keystore list.
-	 */
-	for (ks = ISC_LIST_HEAD(kslist); ks != NULL; ks = ks_next) {
-		ks_next = ISC_LIST_NEXT(ks, link);
-		ISC_LIST_UNLINK(kslist, ks, link);
-		dns_keystore_detach(&ks);
-	}
-}
-
 static void
 keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 	char filename[255];
@@ -1330,8 +1239,8 @@ main(int argc, char **argv) {
 				      ctx.policy, ctx.configfile);
 			}
 
-			kasp_from_conf(config, mctx, ctx.policy, ctx.directory,
+			kasp_from_conf(config, mctx, lctx, ctx.policy,
-				       engine, &kasp);
+				       ctx.directory, engine, &kasp);
 			if (kasp == NULL) {
 				fatal("failed to load dnssec-policy '%s'",
 				      ctx.policy);
@@ -1361,6 +1270,7 @@ main(int argc, char **argv) {
 				if (ctx.keystore != NULL) {
 					check_keystore_options(&ctx);
 				}
+
 				keygen(&ctx, mctx, argc, argv);
 
 				kaspkey = ISC_LIST_NEXT(kaspkey, link);

bin/dnssec/dnssectool.c

@@ -602,3 +602,88 @@ loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *file) {
 cleanup:
 	dns_journal_destroy(&jnl);
 }
+
+void
+kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
+	       const char *name, const char *keydir, const char *engine,
+	       dns_kasp_t **kaspp) {
+	isc_result_t result = ISC_R_NOTFOUND;
+	const cfg_listelt_t *element;
+	const cfg_obj_t *kasps = NULL;
+	dns_kasp_t *kasp = NULL, *kasp_next;
+	dns_kasplist_t kasplist;
+	const cfg_obj_t *keystores = NULL;
+	dns_keystore_t *ks = NULL, *ks_next;
+	dns_keystorelist_t kslist;
+
+	ISC_LIST_INIT(kasplist);
+	ISC_LIST_INIT(kslist);
+
+	(void)cfg_map_get(config, "key-store", &keystores);
+	for (element = cfg_list_first(keystores); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *kconfig = cfg_listelt_value(element);
+		ks = NULL;
+		result = cfg_keystore_fromconfig(kconfig, mctx, lctx, engine,
+						 &kslist, NULL);
+		if (result != ISC_R_SUCCESS) {
+			fatal("failed to configure key-store '%s': %s",
+			      cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
+			      isc_result_totext(result));
+		}
+	}
+	/* Default key-directory key store. */
+	ks = NULL;
+	(void)cfg_keystore_fromconfig(NULL, mctx, lctx, engine, &kslist, &ks);
+	INSIST(ks != NULL);
+	if (keydir != NULL) {
+		/* '-K keydir' takes priority */
+		dns_keystore_setdirectory(ks, keydir);
+	}
+	dns_keystore_detach(&ks);
+
+	(void)cfg_map_get(config, "dnssec-policy", &kasps);
+	for (element = cfg_list_first(kasps); element != NULL;
+	     element = cfg_list_next(element))
+	{
+		cfg_obj_t *kconfig = cfg_listelt_value(element);
+		kasp = NULL;
+		if (strcmp(cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
+			   name) != 0)
+		{
+			continue;
+		}
+
+		result = cfg_kasp_fromconfig(kconfig, NULL, true, mctx, lctx,
+					     &kslist, &kasplist, &kasp);
+		if (result != ISC_R_SUCCESS) {
+			fatal("failed to configure dnssec-policy '%s': %s",
+			      cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
+			      isc_result_totext(result));
+		}
+		INSIST(kasp != NULL);
+		dns_kasp_freeze(kasp);
+		break;
+	}
+
+	*kaspp = kasp;
+
+	/*
+	 * Cleanup kasp list.
+	 */
+	for (kasp = ISC_LIST_HEAD(kasplist); kasp != NULL; kasp = kasp_next) {
+		kasp_next = ISC_LIST_NEXT(kasp, link);
+		ISC_LIST_UNLINK(kasplist, kasp, link);
+		dns_kasp_detach(&kasp);
+	}
+
+	/*
+	 * Cleanup keystore list.
+	 */
+	for (ks = ISC_LIST_HEAD(kslist); ks != NULL; ks = ks_next) {
+		ks_next = ISC_LIST_NEXT(ks, link);
+		ISC_LIST_UNLINK(kslist, ks, link);
+		dns_keystore_detach(&ks);
+	}
+}

bin/dnssec/dnssectool.h

@@ -20,10 +20,18 @@
 #include <isc/log.h>
 #include <isc/stdtime.h>
 
+#include <dns/kasp.h>
 #include <dns/rdatastruct.h>
 
 #include <dst/dst.h>
 
+#include <isccfg/cfg.h>
+#include <isccfg/kaspconf.h>
+#include <isccfg/namedconf.h>
+
+#define MAX_RSA 4096 /* should be long enough... */
+#define MAX_DH	4096 /* should be long enough... */
+
 /*! verbosity: set by -v and -q option in each program, defined in dnssectool.c
  */
 extern int verbose;
@@ -108,3 +116,8 @@ isoptarg(const char *arg, char **argv, void (*usage)(void));
 
 void
 loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *journal);
+
+void
+kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
+	       const char *name, const char *keydir, const char *engine,
+	       dns_kasp_t **kaspp);