Commit Graph

4 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
cdfc86364e dnssec: fix the key type with OpenDNSSEC 2.1
The database storing the keys with OpenDNSSEC 2.1 has a
different schema from OpenDNSSEC 1.4, and the keytype
(ZSK, KSK) is stored in a different table column: "role"
instead of "keytype".

With OpenDNSSEC 1.4, keytype can be 256 (ZSK) or 257 (KSK), while
with OpenDNSSEC 2.1, role can be 1 (KSK) or 2 (ZSK).
The schema migration can be seen in opendnssec source code:
enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql

INSERT INTO hsmKey
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
REMOTE.keypairs.algorithm,  (~(REMOTE.dnsseckeys.keytype)&1)+1,
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
	strftime('%s', REMOTE.keypairs.generate)
	ELSE strftime("%s", "now") END,
0,
1, --only RSA supported
 REMOTE.securitymodules.name,
0 --assume no backup
FROM REMOTE.keypairs
JOIN REMOTE.dnsseckeys
	ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
JOIN REMOTE.securitymodules
	ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;

and the schema for the table is defined in enforcer/src/db/kasp.sqlite:
CREATE TABLE HsmKey (
    locator VARCHAR(255) NOT NULL,
    candidate_for_sharing TINYINT UNSIGNED DEFAULT 0,
    bits INT UNSIGNED DEFAULT 2048,
    policy VARCHAR(255) DEFAULT 'default',
    algorithm INT UNSIGNED DEFAULT 1,
    role VARCHAR(3) DEFAULT 'ZSK',
    inception INT UNSIGNED,
    isrevoked TINYINT UNSIGNED DEFAULT 0,
    key_type VARCHAR(255),
    repository VARCHAR(255),
    backmeup TINYINT UNSIGNED DEFAULT 0,
    backedup TINYINT UNSIGNED DEFAULT 0,
    requirebackup TINYINT UNSIGNED DEFAULT 0,
    id INTEGER PRIMARY KEY AUTOINCREMENT
);

Fixes: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-04 14:20:59 +01:00
Alexander Bokovoy
1f6ca418ee handle Y2038 in timestamp to datetime conversions
According to datetime.utcfromtimestamp() method documentation[1],
this and similar methods fail for dates past 2038 and can be replaced by
the following expression on the POSIX compliant systems:

  datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)

Make sure to use a method that at least allows to import the timestamps
properly to datetime objects on 32-bit platforms.

[1] https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp

Fixes: https://pagure.io/freeipa/issue/8378

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-25 09:18:02 +03:00
Florence Blanc-Renaud
682b59c8e8 opendnssec2.1 support: move all ods tasks to specific file
Move all the routines run_ods* from tasks to _ods14 or _ods21 module

Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-12 21:48:25 +01:00
Florence Blanc-Renaud
8080bf7b35 Support OpenDNSSEC 2.1: new ods-signer protocol
The communication between ods-signer and the socket-activated process
has changed with OpenDNSSEC 2.1. Adapt ipa-ods-exporter to support also
the new protocol.

The internal database was also modified. Add a wrapper calling the
right code (table names hab=ve changed, as well as table columns).

With OpenDNSSEC the policy also needs to be explicitely loaded after
ods-enforcer-db-setup has been run, with
ods-enforcer policy import

The command ods-ksmutil notify must be replace with ods-enforce flush.

Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-12 21:48:25 +01:00