OpenDNSSEC-enforcer  2.1.5
hsm_key_factory.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2014 .SE (The Internet Infrastructure Foundation).
3  * Copyright (c) 2014 OpenDNSSEC AB (svb)
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  * notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  * notice, this list of conditions and the following disclaimer in the
13  * documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
19  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
21  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
23  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
24  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
25  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
26  *
27  */
28 
29 #include "config.h"
30 
31 #include "db/hsm_key.h"
32 #include "db/policy.h"
33 #include "db/policy_key.h"
34 #include "db/key_data.h"
35 #include "log.h"
36 #include "scheduler/schedule.h"
37 #include "scheduler/task.h"
38 #include "enforcer/enforce_task.h"
39 #include "daemon/engine.h"
40 #include "duration.h"
41 #include "libhsm.h"
42 
43 #include <math.h>
44 #include <pthread.h>
45 
46 #include "hsmkey/hsm_key_factory.h"
47 
48 
51  /* YBS: I find it scary that these database objects are carried
52  * around in our scheduler. Is that safe? */
55  time_t duration;
57 };
58 
59 static pthread_once_t __hsm_key_factory_once = PTHREAD_ONCE_INIT;
60 static pthread_mutex_t* __hsm_key_factory_lock = NULL;
61 
62 static void hsm_key_factory_init(void) {
63  pthread_mutexattr_t attr;
64 
65  if (!__hsm_key_factory_lock) {
66  if (!(__hsm_key_factory_lock = calloc(1, sizeof(pthread_mutex_t)))
67  || pthread_mutexattr_init(&attr)
68  || pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_RECURSIVE)
69  || pthread_mutex_init(__hsm_key_factory_lock, &attr))
70  {
71  /* TODO: This should be fatal */
72  ods_log_error("[hsm_key_factory_init] mutex error");
73  if (__hsm_key_factory_lock) {
74  pthread_mutex_destroy(__hsm_key_factory_lock);
75  free(__hsm_key_factory_lock);
76  __hsm_key_factory_lock = NULL;
77  }
78  }
79  }
80 }
81 
83 {
84  if (__hsm_key_factory_lock) {
85  (void)pthread_mutex_destroy(__hsm_key_factory_lock);
86  free(__hsm_key_factory_lock);
87  __hsm_key_factory_lock = NULL;
88  }
89 }
90 
91 int
93  const policy_t* policy, const policy_key_t* policy_key, time_t duration)
94 {
95  db_clause_list_t* clause_list;
96  hsm_key_t* hsm_key = NULL;
97  size_t num_keys;
98  zone_db_t* zone = NULL;
99  size_t num_zones;
100  ssize_t generate_keys;
101  libhsm_key_t *key = NULL;
102  hsm_ctx_t *hsm_ctx;
103  char* key_id;
104  hsm_repository_t* hsm;
105  char* hsm_err;
106 
107  if (!engine) {
108  return 1;
109  }
110  if (!policy_key) {
111  return 1;
112  }
113 
114  if (!__hsm_key_factory_lock) {
115  pthread_once(&__hsm_key_factory_once, hsm_key_factory_init);
116  if (!__hsm_key_factory_lock) {
117  ods_log_error("[hsm_key_factory_generate] mutex init error");
118  return 1;
119  }
120  }
121  if (pthread_mutex_lock(__hsm_key_factory_lock)) {
122  ods_log_error("[hsm_key_factory_generate] mutex lock error");
123  return 1;
124  }
125 
126  ods_log_debug("[hsm_key_factory_generate] repository %s role %s", policy_key_repository(policy_key), policy_key_role_text(policy_key));
127 
128  /*
129  * Get a count of unused keys that match our policy key to determine how
130  * many keys we need to make if any
131  */
132  if (!(clause_list = db_clause_list_new())
133  || !(hsm_key = hsm_key_new(connection))
139  || !hsm_key_is_revoked_clause(clause_list, 0)
142  || hsm_key_count(hsm_key, clause_list, &num_keys))
143  {
144  ods_log_error("[hsm_key_factory_generate] unable to count unused keys, database or memory allocation error");
146  db_clause_list_free(clause_list);
147  pthread_mutex_unlock(__hsm_key_factory_lock);
148  return 1;
149  }
150  db_clause_list_free(clause_list);
152 
153  /*
154  * Get the count of zones we have for the policy
155  */
156  if (!(clause_list = db_clause_list_new())
157  || !(zone = zone_db_new(connection))
159  || zone_db_count(zone, clause_list, &num_zones))
160  {
161  ods_log_error("[hsm_key_factory_generate] unable to count zones for policy, database or memory allocation error");
162  zone_db_free(zone);
163  db_clause_list_free(clause_list);
164  pthread_mutex_unlock(__hsm_key_factory_lock);
165  return 1;
166  }
167  zone_db_free(zone);
168  db_clause_list_free(clause_list);
169 
170  /*
171  * Calculate the number of keys we need to generate now but exit if we do
172  * not have to generate any keys
173  */
175  pthread_mutex_unlock(__hsm_key_factory_lock);
176  return 1;
177  }
178  /* OPENDNSSEC-690: this function is called per-zone, and the policy id differs per zone, thus the
179  * keys generated will never be shared.
180  * Additionally, this used to calculate the number of keys to be generated based upon the
181  * duration, times the number of zones. Not only is this wrong when using shared keys, but
182  * also for non-shared keys, this function would be called per-zone, with a different id for each
183  * zone.
184  */
185  duration = (duration ? duration : engine->config->automatic_keygen_duration);
186  generate_keys = (ssize_t)ceil(duration / (double)policy_key_lifetime(policy_key));
187  if (num_zones == 0 || (ssize_t)num_keys >= generate_keys) {
188  pthread_mutex_unlock(__hsm_key_factory_lock);
189  return 0;
190  }
191 
192  if (policy != NULL) {
193  ods_log_info("%lu zone(s) found on policy \"%s\"", num_zones, policy_name(policy));
194  } else {
195  ods_log_info("%lu zone(s) found on policy <unknown>", num_zones);
196  }
197  ods_log_info("[hsm_key_factory_generate] %lu keys needed for %lu "
198  "zones covering %lld seconds, generating %lu keys for policy %s",
199  generate_keys, num_zones, (long long)duration,
200  (unsigned long)(generate_keys-num_keys), /* This is safe because we checked num_keys < generate_keys */
202  generate_keys -= num_keys;
203  ods_log_info("%ld new %s(s) (%d bits) need to be created.", (long) generate_keys, policy_key_role_text(policy_key), policy_key_bits(policy_key));
204 
205  /*
206  * Create a HSM context and check that the repository exists
207  */
208  if (!(hsm_ctx = hsm_create_context())) {
209  pthread_mutex_unlock(__hsm_key_factory_lock);
210  return 1;
211  }
212  if (!hsm_token_attached(hsm_ctx, policy_key_repository(policy_key))) {
213  if ((hsm_err = hsm_get_error(hsm_ctx))) {
214  ods_log_error("[hsm_key_factory_generate] unable to check for repository %s, HSM error: %s", policy_key_repository(policy_key), hsm_err);
215  free(hsm_err);
216  }
217  else {
218  ods_log_error("[hsm_key_factory_generate] unable to find repository %s in HSM", policy_key_repository(policy_key));
219  }
220  hsm_destroy_context(hsm_ctx);
221  pthread_mutex_unlock(__hsm_key_factory_lock);
222  return 1;
223  }
224 
225  /*
226  * Generate a HSM keys
227  */
228  while (generate_keys--) {
229  /*
230  * Find the HSM repository to get the backup configuration
231  */
232  hsm = engine->config->repositories;
233  while (hsm) {
234  if (!strcmp(hsm->name, policy_key_repository(policy_key))) {
235  break;
236  }
237  hsm = hsm->next;
238  }
239  if (!hsm) {
240  ods_log_error("[hsm_key_factory_generate] unable to find repository %s needed for key generation", policy_key_repository(policy_key));
241  hsm_destroy_context(hsm_ctx);
242  pthread_mutex_unlock(__hsm_key_factory_lock);
243  return 1;
244  }
245 
247  case LDNS_DSA: /* */
248  key = hsm_generate_dsa_key(hsm_ctx, policy_key_repository(policy_key), policy_key_bits(policy_key));
249  break;
250  case LDNS_RSASHA1:
251  case LDNS_RSASHA1_NSEC3:
252  case LDNS_RSASHA256:
253  case LDNS_RSASHA512:
254  key = hsm_generate_rsa_key(hsm_ctx, policy_key_repository(policy_key), policy_key_bits(policy_key));
255  break;
256  case LDNS_ECC_GOST:
257  key = hsm_generate_gost_key(hsm_ctx, policy_key_repository(policy_key));
258  break;
259  case LDNS_ECDSAP256SHA256:
260  key = hsm_generate_ecdsa_key(hsm_ctx, policy_key_repository(policy_key), "P-256");
261  break;
262  case LDNS_ECDSAP384SHA384:
263  key = hsm_generate_ecdsa_key(hsm_ctx, policy_key_repository(policy_key), "P-384");
264  break;
265  default:
266  key = NULL;
267  }
268 
269  if (key) {
270  /*
271  * The key ID is the locator and we check first that we can get it
272  */
273  if (!(key_id = hsm_get_key_id(hsm_ctx, key))) {
274  if ((hsm_err = hsm_get_error(hsm_ctx))) {
275  ods_log_error("[hsm_key_factory_generate] unable to get the ID of the key generated, HSM error: %s", hsm_err);
276  free(hsm_err);
277  }
278  else {
279  ods_log_error("[hsm_key_factory_generate] unable to get the ID of the key generated");
280  }
281  libhsm_key_free(key);
282  hsm_destroy_context(hsm_ctx);
283  pthread_mutex_unlock(__hsm_key_factory_lock);
284  return 1;
285  }
286 
287  /*
288  * Create the HSM key (database object)
289  */
290  if (!(hsm_key = hsm_key_new(connection))
294  || hsm_key_set_inception(hsm_key, time_now())
296  || hsm_key_set_locator(hsm_key, key_id)
302  {
303  ods_log_error("[hsm_key_factory_generate] hsm key creation failed, database or memory error");
305  free(key_id);
306  free(key);
307  hsm_destroy_context(hsm_ctx);
308  pthread_mutex_unlock(__hsm_key_factory_lock);
309  return 1;
310  }
311 
312  ods_log_debug("[hsm_key_factory_generate] generated key %s successfully", key_id);
313 
315  free(key_id);
316  libhsm_key_free(key);
317  }
318  else {
319  if ((hsm_err = hsm_get_error(hsm_ctx))) {
320  ods_log_error("[hsm_key_factory_generate] key generation failed, HSM error: %s", hsm_err);
321  free(hsm_err);
322  }
323  else {
324  ods_log_error("[hsm_key_factory_generate] key generation failed");
325  }
326  hsm_destroy_context(hsm_ctx);
327  pthread_mutex_unlock(__hsm_key_factory_lock);
328  return 1;
329  }
330  }
331  hsm_destroy_context(hsm_ctx);
332  pthread_mutex_unlock(__hsm_key_factory_lock);
333  return 0;
334 }
335 
336 int hsm_key_factory_generate_policy(engine_type* engine, const db_connection_t* connection, const policy_t* policy, time_t duration) {
338  const policy_key_t* policy_key;
339  int error = 0;
340 
341  if (!engine || !policy || !connection) {
342  return 1;
343  }
344 
345  if (!__hsm_key_factory_lock) {
346  pthread_once(&__hsm_key_factory_once, hsm_key_factory_init);
347  if (!__hsm_key_factory_lock) {
348  ods_log_error("[hsm_key_factory_generate_policy] mutex init error");
349  return 1;
350  }
351  }
352  if (pthread_mutex_lock(__hsm_key_factory_lock)) {
353  ods_log_error("[hsm_key_factory_generate_policy] mutex lock error");
354  return 1;
355  }
356 
357  ods_log_debug("[hsm_key_factory_generate_policy] policy %s", policy_name(policy));
358 
359  /*
360  * Get all policy keys for the specified policy and generate new keys if
361  * needed
362  */
364  pthread_mutex_unlock(__hsm_key_factory_lock);
365  return 1;
366  }
367 
369  error |= hsm_key_factory_generate(engine, connection, policy, policy_key, duration);
370  }
372  pthread_mutex_unlock(__hsm_key_factory_lock);
373  return error;
374 }
375 
376 int hsm_key_factory_generate_all(engine_type* engine, const db_connection_t* connection, time_t duration) {
378  const policy_t* policy;
380  const policy_key_t* policy_key;
381  int error;
382 
383  if (!engine || !connection) {
384  return 1;
385  }
386 
387  if (!__hsm_key_factory_lock) {
388  pthread_once(&__hsm_key_factory_once, hsm_key_factory_init);
389  if (!__hsm_key_factory_lock) {
390  ods_log_error("[hsm_key_factory_generate_all] mutex init error");
391  return 1;
392  }
393  }
394  if (pthread_mutex_lock(__hsm_key_factory_lock)) {
395  ods_log_error("[hsm_key_factory_generate_all] mutex lock error");
396  return 1;
397  }
398 
399  ods_log_debug("[hsm_key_factory_generate_all] generating keys");
400 
401  /*
402  * Get all the policies and for each get all the policy keys and generate
403  * new keys for them if needed
404  */
405  if (!(policy_list = policy_list_new_get(connection))) {
406  pthread_mutex_unlock(__hsm_key_factory_lock);
407  return 1;
408  }
409  error = 0;
410  while ((policy = policy_list_next(policy_list))) {
412  continue;
413  }
414 
416  error |= hsm_key_factory_generate(engine, connection, policy, policy_key, duration);
417  }
419  }
421  pthread_mutex_unlock(__hsm_key_factory_lock);
422  return error;
423 }
424 
425 static time_t
426 hsm_key_factory_generate_cb(task_type* task, char const *owner, void* userdata, void* context)
427 {
428  struct __hsm_key_factory_task* task2;
429  policy_t* policy;
430  db_connection_t *dbconn = (db_connection_t*) context;
431  (void)owner;
432  int error;
433 
434  if (!userdata) {
435  return schedule_SUCCESS;
436  }
437  task2 = (struct __hsm_key_factory_task*) userdata;
438 
439  if ((policy = policy_new(dbconn)) != NULL) {
442  policy = NULL;
443  }
444  }
445 
446  ods_log_debug("[hsm_key_factory_generate_cb] generate for policy key [duration: %lu]", (unsigned long)task2->duration);
447  error = hsm_key_factory_generate(task2->engine, dbconn, policy, task2->policy_key, task2->duration);
448  ods_log_debug("[hsm_key_factory_generate_cb] generate for policy key done");
449  policy_key_free(task2->policy_key);
450  task2->policy_key = NULL;
451  if (task2->reschedule_enforce_task && policy && !error)
452  enforce_task_flush_policy(task2->engine, dbconn, policy);
454  return schedule_SUCCESS;
455 }
456 
457 static time_t
458 hsm_key_factory_generate_policy_cb(task_type* task, char const *owner, void *userdata,
459  void *context)
460 {
461  struct __hsm_key_factory_task* task2;
462  db_connection_t* dbconn = (db_connection_t*) context;
463  (void)owner;
464  int error;
465 
466  if (!userdata) {
467  return schedule_SUCCESS;
468  }
469  task2 = (struct __hsm_key_factory_task*)userdata;
470 
471  ods_log_debug("[hsm_key_factory_generate_policy_cb] generate for policy [duration: %lu]", (unsigned long) task2->duration);
472  error = hsm_key_factory_generate_policy(task2->engine, dbconn, task2->policy, task2->duration);
473  ods_log_debug("[hsm_key_factory_generate_policy_cb] generate for policy done");
474  if (task2->reschedule_enforce_task && task2->policy && !error)
475  enforce_task_flush_policy(task2->engine, dbconn, task2->policy);
476  return schedule_SUCCESS;
477 }
478 
479 static time_t
480 hsm_key_factory_generate_all_cb(task_type* task, char const *owner, void *userdata,
481  void* context)
482 {
483  struct __hsm_key_factory_task* task2;
484  db_connection_t *dbconn = (db_connection_t *) context;
485  (void)owner;
486  int error;
487 
488  if (!userdata) {
489  return schedule_SUCCESS;
490  }
491  task2 = (struct __hsm_key_factory_task*)userdata;
492 
493  ods_log_debug("[hsm_key_factory_generate_all_cb] generate for all policies [duration: %lu]", (unsigned long)task2->duration);
494  error = hsm_key_factory_generate_all(task2->engine, dbconn, task2->duration);
495  ods_log_debug("[hsm_key_factory_generate_all_cb] generate for all policies done");
496  if (task2->reschedule_enforce_task && !error)
497  enforce_task_flush_all(task2->engine, dbconn);
498  return schedule_SUCCESS;
499 }
500 
510 static int
511 hsm_key_factory_schedule_generate(engine_type* engine,
512  const policy_key_t* policy_key_orig, time_t duration,
514 {
516  task_type* task;
517  struct __hsm_key_factory_task* task2 = NULL;
518 
519  if (!(task2 = calloc(1, sizeof(struct __hsm_key_factory_task)))) {
520  return 1;
521  }
522  if (!(policy_key = policy_key_new_copy(policy_key_orig))) {
523  free(task2);
524  return 1;
525  }
526 
527  task2->engine = engine;
528  task2->duration = duration;
529  task2->policy_key = policy_key;
530  task2->policy = NULL;
532 
533  task = task_create(strdup("hsm_key_factory_schedule_generation"),
534  TASK_CLASS_ENFORCER, TASK_TYPE_HSMKEYGEN,
535  hsm_key_factory_generate_cb, task2,
536  free, time_now());
537 
538  if (schedule_task(engine->taskq, task, 1, 0) != ODS_STATUS_OK) {
539  if (!task) {
540  free(task2);
542  }
543  task_destroy(task);
544  return 1;
545  }
546  return 0;
547 }
548 
549 int
551  const policy_t* policy_orig, time_t duration)
552 {
553  policy_t* policy;
554  task_type* task;
555  struct __hsm_key_factory_task* task2 = NULL;
556 
557  if (!(task2 = calloc(1, sizeof(struct __hsm_key_factory_task)))) {
558  return 1;
559  }
560  if (!(policy = policy_new_copy(policy_orig))) {
561  free(task2);
562  return 1;
563  }
564 
565  task2->engine = engine;
566  task2->duration = duration;
567  task2->policy_key = NULL;
568  task2->policy = policy;
569  task2->reschedule_enforce_task = 1;
570 
571  task = task_create(strdup("hsm_key_factory_schedule_generation_policy"),
572  TASK_CLASS_ENFORCER, TASK_TYPE_HSMKEYGEN,
573  hsm_key_factory_generate_policy_cb, task2,
574  free, time_now());
575 
576  if (schedule_task(engine->taskq, task, 1, 0) != ODS_STATUS_OK) {
577  if (!task) {
578  free(task2);
580  }
581  task_destroy(task);
582  return 1;
583  }
584  return 0;
585 }
586 
587 int
589 {
590  task_type* task;
591  struct __hsm_key_factory_task* task2 = NULL;
592 
593  if (!(task2 = calloc(1, sizeof(struct __hsm_key_factory_task)))) {
594  return 1;
595  }
596 
597  task2->engine = engine;
598  task2->duration = duration;
599  task2->policy_key = NULL;
600  task2->policy = NULL;
601  task2->reschedule_enforce_task = 1;
602 
603  task = task_create(strdup("hsm_key_factory_schedule_generation"),
604  TASK_CLASS_ENFORCER, TASK_TYPE_HSMKEYGEN,
605  hsm_key_factory_generate_all_cb, task2,
606  free, time_now());
607 
608  if (schedule_task(engine->taskq, task, 1, 0) != ODS_STATUS_OK) {
609  if (!task) {
610  free(task2);
611  }
612  task_destroy(task);
613  return 1;
614  }
615  return 0;
616 }
617 
618 
620  const db_connection_t* connection, const policy_key_t* policy_key,
622 {
623  db_clause_list_t* clause_list;
626 
627  if (!connection) {
628  return NULL;
629  }
630  if (!policy_key) {
631  return NULL;
632  }
635  {
636  return NULL;
637  }
638 
639  ods_log_debug("[hsm_key_factory_get_key] get %s key", (hsm_key_state == HSM_KEY_STATE_PRIVATE ? "private" : "shared"));
640 
641  /*
642  * Get a list of unused HSM keys matching our requirments
643  */
644  if (!(clause_list = db_clause_list_new())
650  || !hsm_key_is_revoked_clause(clause_list, 0)
653  || !(hsm_key_list = hsm_key_list_new_get_by_clauses(connection, clause_list)))
654  {
655  ods_log_error("[hsm_key_factory_get_key] unable to list keys, database or memory allocation error");
656  db_clause_list_free(clause_list);
657  return NULL;
658  }
659  db_clause_list_free(clause_list);
660 
661  /*
662  * If there are no keys returned in the list we schedule generation and
663  * return NULL
664  */
666  ods_log_warning("[hsm_key_factory_get_key] no keys available");
667  if (!engine->config->manual_keygen)
668  hsm_key_factory_schedule_generate(engine, policy_key, 0, 1);
670  return NULL;
671  }
673 
674  /*
675  * Update the state of the returned HSM key
676  */
679  {
680  ods_log_debug("[hsm_key_factory_get_key] unable to update fetched key");
682  return NULL;
683  }
684 
685  /*
686  * Schedule generation because we used up a key and return the HSM key
687  */
688  ods_log_debug("[hsm_key_factory_get_key] key allocated");
689  if (!engine->config->manual_keygen)
690  hsm_key_factory_schedule_generate(engine, policy_key, 0, 0);
691  return hsm_key;
692 }
693 
696  db_clause_list_t* clause_list = NULL;
697  key_data_t* key_data = NULL;
698  size_t count;
699 
700  if (!hsm_key_id) {
701  return 1;
702  }
703  if (!connection) {
704  return 1;
705  }
706 
707  if (!(hsm_key = hsm_key_new(connection))
708  || !(clause_list = db_clause_list_new())
709  || !(key_data = key_data_new(connection))
710  || !key_data_hsm_key_id_clause(clause_list, hsm_key_id)
711  || key_data_count(key_data, clause_list, &count))
712  {
713  ods_log_debug("[hsm_key_factory_release_key_id] unable to check usage of hsm_key, database or memory allocation error");
715  db_clause_list_free(clause_list);
717  return 1;
718  }
720  db_clause_list_free(clause_list);
721 
722  if (count > 0) {
723  ods_log_debug("[hsm_key_factory_release_key_id] unable to release hsm_key, in use");
725  return 0;
726  }
727 
729  ods_log_debug("[hsm_key_factory_release_key_id] unable to fetch hsm_key");
731  return 1;
732  }
733 
735  ods_log_debug("[hsm_key_factory_release_key_id] hsm_key already DELETE (?)");
737  return 0;
738  }
739 
742  {
743  ods_log_debug("[hsm_key_factory_release_key_id] unable to change hsm_key state to DELETE");
745  return 1;
746  }
747  ods_log_debug("[hsm_key_factory_release_key_id] key %s marked DELETE", hsm_key_locator(hsm_key));
748 
750  return 0;
751 }
752 
754  db_clause_list_t* clause_list = NULL;
755  key_data_t* key_data = NULL;
756  size_t count;
757 
758  if (!hsm_key) {
759  return 1;
760  }
761  if (!connection) {
762  return 1;
763  }
764 
765  if (!(clause_list = db_clause_list_new())
766  || !(key_data = key_data_new(connection))
768  || key_data_count(key_data, clause_list, &count))
769  {
770  ods_log_debug("[hsm_key_factory_release_key] unable to check usage of hsm_key, database or memory allocation error");
772  db_clause_list_free(clause_list);
773  return 1;
774  }
776  db_clause_list_free(clause_list);
777 
778  if (count > 0) {
779  ods_log_debug("[hsm_key_factory_release_key] unable to release hsm_key, in use");
780  return 0;
781  }
782 
784  ods_log_debug("[hsm_key_factory_release_key] hsm_key already DELETE (?)");
785  return 0;
786  }
787 
790  {
791  ods_log_debug("[hsm_key_factory_release_key] unable to change hsm_key state to DELETE");
792  return 1;
793  }
794  ods_log_debug("[hsm_key_factory_release_key] key %s marked DELETE", hsm_key_locator(hsm_key));
795 
796  return 0;
797 }
policy_key_list
Definition: policy_key.h:322
hsm_key_set_state
int hsm_key_set_state(hsm_key_t *hsm_key, hsm_key_state_t state)
Definition: hsm_key.c:625
hsm_key_algorithm_clause
db_clause_t * hsm_key_algorithm_clause(db_clause_list_t *clause_list, unsigned int algorithm)
Definition: hsm_key.c:798
hsm_key_factory_release_key_id
int hsm_key_factory_release_key_id(const db_value_t *hsm_key_id, const db_connection_t *connection)
Definition: hsm_key_factory.c:694
HSM_KEY_STATE_DELETE
Definition: hsm_key.h:45
policy.h
hsm_key_set_bits
int hsm_key_set_bits(hsm_key_t *hsm_key, unsigned int bits)
Definition: hsm_key.c:638
hsm_key_factory.h
engineconfig_struct::repositories
hsm_repository_t * repositories
Definition: cfg.h:79
hsm_key_list_free
void hsm_key_list_free(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1496
hsm_key_factory_schedule_generate_policy
int hsm_key_factory_schedule_generate_policy(engine_type *engine, const policy_t *policy_orig, time_t duration)
Definition: hsm_key_factory.c:550
__hsm_key_factory_task::engine
engine_type * engine
Definition: hsm_key_factory.c:50
db_value
Definition: db_value.h:48
hsm_key_set_inception
int hsm_key_set_inception(hsm_key_t *hsm_key, unsigned int inception)
Definition: hsm_key.c:671
hsm_key_id
const db_value_t * hsm_key_id(const hsm_key_t *hsm_key)
Definition: hsm_key.c:504
key_data_new
key_data_t * key_data_new(const db_connection_t *connection)
Definition: key_data.c:264
policy_list_free
void policy_list_free(policy_list_t *policy_list)
Definition: policy.c:2664
hsm_key_factory_deinit
void hsm_key_factory_deinit(void)
Definition: hsm_key_factory.c:82
policy_name
const char * policy_name(const policy_t *policy)
Definition: policy.c:813
hsm_key_factory_generate_all
int hsm_key_factory_generate_all(engine_type *engine, const db_connection_t *connection, time_t duration)
Definition: hsm_key_factory.c:376
hsm_key_role_clause
db_clause_t * hsm_key_role_clause(db_clause_list_t *clause_list, hsm_key_role_t role)
Definition: hsm_key.c:819
hsm_key_new
hsm_key_t * hsm_key_new(const db_connection_t *connection)
Definition: hsm_key.c:244
hsm_key_set_backup
int hsm_key_set_backup(hsm_key_t *hsm_key, hsm_key_backup_t backup)
Definition: hsm_key.c:716
hsm_key_state
hsm_key_state
Definition: hsm_key.h:40
zone_db_new
zone_db_t * zone_db_new(const db_connection_t *connection)
Definition: zone_db.c:287
__hsm_key_factory_task::policy
policy_t * policy
Definition: hsm_key_factory.c:54
engineconfig_struct::automatic_keygen_duration
time_t automatic_keygen_duration
Definition: cfg.h:77
zone_db_free
void zone_db_free(zone_db_t *zone)
Definition: zone_db.c:325
hsm_key_state_t
enum hsm_key_state hsm_key_state_t
policy_key_list_next
const policy_key_t * policy_key_list_next(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1378
policy_key_algorithm
unsigned int policy_key_algorithm(const policy_key_t *policy_key)
Definition: policy_key.c:510
hsm_key_is_revoked_clause
db_clause_t * hsm_key_is_revoked_clause(db_clause_list_t *clause_list, unsigned int is_revoked)
Definition: hsm_key.c:840
hsm_key_set_locator
int hsm_key_set_locator(hsm_key_t *hsm_key, const char *locator_text)
Definition: hsm_key.c:603
hsm_key_factory_get_key
hsm_key_t * hsm_key_factory_get_key(engine_type *engine, const db_connection_t *connection, const policy_key_t *policy_key, hsm_key_state_t hsm_key_state)
Definition: hsm_key_factory.c:619
policy_key_policy_id
const db_value_t * policy_key_policy_id(const policy_key_t *policy_key)
Definition: policy_key.c:478
hsm_key_set_key_type
int hsm_key_set_key_type(hsm_key_t *hsm_key, hsm_key_key_type_t key_type)
Definition: hsm_key.c:681
HSM_KEY_BACKUP_NO_BACKUP
Definition: hsm_key.h:64
enforce_task_flush_all
void enforce_task_flush_all(engine_type *engine, db_connection_t *dbconn)
Definition: enforce_task.c:179
db_clause_list
Definition: db_clause.h:226
policy_list_next
const policy_t * policy_list_next(policy_list_t *policy_list)
Definition: policy.c:3214
hsm_key_set_repository
int hsm_key_set_repository(hsm_key_t *hsm_key, const char *repository_text)
Definition: hsm_key.c:694
key_data_free
void key_data_free(key_data_t *key_data)
Definition: key_data.c:304
policy_free
void policy_free(policy_t *policy)
Definition: policy.c:518
hsm_key_set_policy_id
int hsm_key_set_policy_id(hsm_key_t *hsm_key, const db_value_t *policy_id)
Definition: hsm_key.c:584
zone_db
Definition: zone_db.h:46
engineconfig_struct::manual_keygen
int manual_keygen
Definition: cfg.h:74
engine_struct::taskq
schedule_type * taskq
Definition: engine.h:60
enforce_task_flush_policy
void enforce_task_flush_policy(engine_type *engine, db_connection_t *dbconn, policy_t const *policy)
Definition: enforce_task.c:158
hsm_key_create
int hsm_key_create(hsm_key_t *hsm_key)
Definition: hsm_key.c:927
policy_list_new_get
policy_list_t * policy_list_new_get(const db_connection_t *connection)
Definition: policy.c:3079
hsm_key_policy_id_clause
db_clause_t * hsm_key_policy_id_clause(db_clause_list_t *clause_list, const db_value_t *policy_id)
Definition: hsm_key.c:729
db_clause_list_free
void db_clause_list_free(db_clause_list_t *clause_list)
Definition: db_clause.c:209
policy_key_role
policy_key_role
Definition: policy_key.h:40
hsm_key_set_algorithm
int hsm_key_set_algorithm(hsm_key_t *hsm_key, unsigned int algorithm)
Definition: hsm_key.c:648
hsm_key_role_t
enum hsm_key_role hsm_key_role_t
hsm_key
Definition: hsm_key.h:77
policy_key_list_free
void policy_key_list_free(policy_key_list_t *policy_key_list)
Definition: policy_key.c:1006
policy_key_lifetime
unsigned int policy_key_lifetime(const policy_key_t *policy_key)
Definition: policy_key.c:526
HSM_KEY_BACKUP_BACKUP_REQUIRED
Definition: hsm_key.h:65
hsm_key_factory_generate
int hsm_key_factory_generate(engine_type *engine, const db_connection_t *connection, const policy_t *policy, const policy_key_t *policy_key, time_t duration)
Definition: hsm_key_factory.c:92
hsm_key_update
int hsm_key_update(hsm_key_t *hsm_key)
Definition: hsm_key.c:1225
HSM_KEY_STATE_PRIVATE
Definition: hsm_key.h:43
policy_key
Definition: policy_key.h:54
key_data_hsm_key_id_clause
db_clause_t * key_data_hsm_key_id_clause(db_clause_list_t *clause_list, const db_value_t *hsm_key_id)
Definition: key_data.c:1003
HSM_KEY_STATE_SHARED
Definition: hsm_key.h:44
policy_key_free
void policy_key_free(policy_key_t *policy_key)
Definition: policy_key.c:246
policy_new
policy_t * policy_new(const db_connection_t *connection)
Definition: policy.c:479
hsm_key_factory_release_key
int hsm_key_factory_release_key(hsm_key_t *hsm_key, const db_connection_t *connection)
Definition: hsm_key_factory.c:753
hsm_key_bits_clause
db_clause_t * hsm_key_bits_clause(db_clause_list_t *clause_list, unsigned int bits)
Definition: hsm_key.c:777
HSM_KEY_STATE_UNUSED
Definition: hsm_key.h:42
engine_struct
Definition: engine.h:47
key_data_count
int key_data_count(key_data_t *key_data, db_clause_list_t *clause_list, size_t *count)
Definition: key_data.c:1633
hsm_key_count
int hsm_key_count(hsm_key_t *hsm_key, db_clause_list_t *clause_list, size_t *count)
Definition: hsm_key.c:1435
db_clause_list_new
db_clause_list_t * db_clause_list_new(void)
Definition: db_clause.c:202
hsm_key_factory_schedule_generate_all
int hsm_key_factory_schedule_generate_all(engine_type *engine, time_t duration)
Definition: hsm_key_factory.c:588
engine_struct::config
engineconfig_type * config
Definition: engine.h:48
policy
Definition: policy.h:60
zone_db_policy_id_clause
db_clause_t * zone_db_policy_id_clause(db_clause_list_t *clause_list, const db_value_t *policy_id)
Definition: zone_db.c:1179
policy_key_list_new_get_by_policy_id
policy_key_list_t * policy_key_list_new_get_by_policy_id(const db_connection_t *connection, const db_value_t *policy_id)
Definition: policy_key.c:1299
policy_list
Definition: policy.h:733
hsm_key_key_type_clause
db_clause_t * hsm_key_key_type_clause(db_clause_list_t *clause_list, hsm_key_key_type_t key_type)
Definition: hsm_key.c:861
__hsm_key_factory_task
Definition: hsm_key_factory.c:49
hsm_key_state_clause
db_clause_t * hsm_key_state_clause(db_clause_list_t *clause_list, hsm_key_state_t state)
Definition: hsm_key.c:756
hsm_key_locator
const char * hsm_key_locator(const hsm_key_t *hsm_key)
Definition: hsm_key.c:520
policy_key.h
policy_get_by_id
int policy_get_by_id(policy_t *policy, const db_value_t *id)
Definition: policy.c:1987
policy_new_copy
policy_t * policy_new_copy(const policy_t *policy)
Definition: policy.c:499
policy_key_role_text
const char * policy_key_role_text(const policy_key_t *policy_key)
Definition: policy_key.c:494
HSM_KEY_KEY_TYPE_RSA
Definition: hsm_key.h:59
hsm_key_list_get_next
hsm_key_t * hsm_key_list_get_next(hsm_key_list_t *hsm_key_list)
Definition: hsm_key.c:1990
engine.h
hsm_key.h
hsm_key_repository_clause
db_clause_t * hsm_key_repository_clause(db_clause_list_t *clause_list, const char *repository_text)
Definition: hsm_key.c:882
hsm_key_set_role
int hsm_key_set_role(hsm_key_t *hsm_key, hsm_key_role_t role)
Definition: hsm_key.c:658
policy_key_bits
unsigned int policy_key_bits(const policy_key_t *policy_key)
Definition: policy_key.c:518
db_connection
Definition: db_connection.h:46
hsm_key_factory_generate_policy
int hsm_key_factory_generate_policy(engine_type *engine, const db_connection_t *connection, const policy_t *policy, time_t duration)
Definition: hsm_key_factory.c:336
policy_key_new_copy
policy_key_t * policy_key_new_copy(const policy_key_t *policy_key)
Definition: policy_key.c:227
enforce_task.h
policy_key_repository
const char * policy_key_repository(const policy_key_t *policy_key)
Definition: policy_key.c:534
__hsm_key_factory_task::policy_key
policy_key_t * policy_key
Definition: hsm_key_factory.c:53
hsm_key_free
void hsm_key_free(hsm_key_t *hsm_key)
Definition: hsm_key.c:286
__hsm_key_factory_task::reschedule_enforce_task
int reschedule_enforce_task
Definition: hsm_key_factory.c:56
hsm_key_list
Definition: hsm_key.h:434
policy_id
const db_value_t * policy_id(const policy_t *policy)
Definition: policy.c:805
key_data
Definition: key_data.h:66
key_data.h
hsm_key_get_by_id
int hsm_key_get_by_id(hsm_key_t *hsm_key, const db_value_t *id)
Definition: hsm_key.c:1102
__hsm_key_factory_task::duration
time_t duration
Definition: hsm_key_factory.c:55
zone_db_count
int zone_db_count(zone_db_t *zone, db_clause_list_t *clause_list, size_t *count)
Definition: zone_db.c:1930
hsm_key_list_new_get_by_clauses
hsm_key_list_t * hsm_key_list_new_get_by_clauses(const db_connection_t *connection, const db_clause_list_t *clause_list)
Definition: hsm_key.c:1726