The database storing the keys with OpenDNSSEC 2.1 has a
different schema from OpenDNSSEC 1.4, and the keytype
(ZSK, KSK) is stored in a different table column: "role"
instead of "keytype".
With OpenDNSSEC 1.4, keytype can be 256 (ZSK) or 257 (KSK), while
with OpenDNSSEC 2.1, role can be 1 (KSK) or 2 (ZSK).
The schema migration can be seen in opendnssec source code:
enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql
INSERT INTO hsmKey
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
REMOTE.keypairs.algorithm, (~(REMOTE.dnsseckeys.keytype)&1)+1,
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
strftime('%s', REMOTE.keypairs.generate)
ELSE strftime("%s", "now") END,
0,
1, --only RSA supported
REMOTE.securitymodules.name,
0 --assume no backup
FROM REMOTE.keypairs
JOIN REMOTE.dnsseckeys
ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
JOIN REMOTE.securitymodules
ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;
and the schema for the table is defined in enforcer/src/db/kasp.sqlite:
CREATE TABLE HsmKey (
locator VARCHAR(255) NOT NULL,
candidate_for_sharing TINYINT UNSIGNED DEFAULT 0,
bits INT UNSIGNED DEFAULT 2048,
policy VARCHAR(255) DEFAULT 'default',
algorithm INT UNSIGNED DEFAULT 1,
role VARCHAR(3) DEFAULT 'ZSK',
inception INT UNSIGNED,
isrevoked TINYINT UNSIGNED DEFAULT 0,
key_type VARCHAR(255),
repository VARCHAR(255),
backmeup TINYINT UNSIGNED DEFAULT 0,
backedup TINYINT UNSIGNED DEFAULT 0,
requirebackup TINYINT UNSIGNED DEFAULT 0,
id INTEGER PRIMARY KEY AUTOINCREMENT
);
Fixes: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
According to datetime.utcfromtimestamp() method documentation[1],
this and similar methods fail for dates past 2038 and can be replaced by
the following expression on the POSIX compliant systems:
datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)
Make sure to use a method that at least allows to import the timestamps
properly to datetime objects on 32-bit platforms.
[1] https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp
Fixes: https://pagure.io/freeipa/issue/8378
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Move all the routines run_ods* from tasks to _ods14 or _ods21 module
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The communication between ods-signer and the socket-activated process
has changed with OpenDNSSEC 2.1. Adapt ipa-ods-exporter to support also
the new protocol.
The internal database was also modified. Add a wrapper calling the
right code (table names hab=ve changed, as well as table columns).
With OpenDNSSEC the policy also needs to be explicitely loaded after
ods-enforcer-db-setup has been run, with
ods-enforcer policy import
The command ods-ksmutil notify must be replace with ods-enforce flush.
Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>