freeipa/ipaserver/dnssec
Florence Blanc-Renaud cdfc86364e dnssec: fix the key type with OpenDNSSEC 2.1
The database storing the keys with OpenDNSSEC 2.1 has a
different schema from OpenDNSSEC 1.4, and the keytype
(ZSK, KSK) is stored in a different table column: "role"
instead of "keytype".

With OpenDNSSEC 1.4, keytype can be 256 (ZSK) or 257 (KSK), while
with OpenDNSSEC 2.1, role can be 1 (KSK) or 2 (ZSK).
The schema migration can be seen in opendnssec source code:
enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql

INSERT INTO hsmKey
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
REMOTE.keypairs.algorithm,  (~(REMOTE.dnsseckeys.keytype)&1)+1,
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
	strftime('%s', REMOTE.keypairs.generate)
	ELSE strftime("%s", "now") END,
0,
1, --only RSA supported
 REMOTE.securitymodules.name,
0 --assume no backup
FROM REMOTE.keypairs
JOIN REMOTE.dnsseckeys
	ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
JOIN REMOTE.securitymodules
	ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;

and the schema for the table is defined in enforcer/src/db/kasp.sqlite:
CREATE TABLE HsmKey (
    locator VARCHAR(255) NOT NULL,
    candidate_for_sharing TINYINT UNSIGNED DEFAULT 0,
    bits INT UNSIGNED DEFAULT 2048,
    policy VARCHAR(255) DEFAULT 'default',
    algorithm INT UNSIGNED DEFAULT 1,
    role VARCHAR(3) DEFAULT 'ZSK',
    inception INT UNSIGNED,
    isrevoked TINYINT UNSIGNED DEFAULT 0,
    key_type VARCHAR(255),
    repository VARCHAR(255),
    backmeup TINYINT UNSIGNED DEFAULT 0,
    backedup TINYINT UNSIGNED DEFAULT 0,
    requirebackup TINYINT UNSIGNED DEFAULT 0,
    id INTEGER PRIMARY KEY AUTOINCREMENT
);

Fixes: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-04 14:20:59 +01:00
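As an added illustration (not FreeIPA's code and not part of this commit), the migration expression `(~keytype & 1) + 1` worked through for both key types, alongside a lookup that reads the column each schema actually has; the two in-memory tables and the key locators `k1`/`k2` are constructed and reduced to the columns needed.

```python
import sqlite3

# Constructed, reduced versions of both OpenDNSSEC key schemas (not the real kasp.sqlite ones).
SCHEMA_14 = """CREATE TABLE keypairs (id INTEGER PRIMARY KEY, HSMkey_id TEXT);
CREATE TABLE dnsseckeys (keypair_id INTEGER, keytype INTEGER);"""
SCHEMA_21 = "CREATE TABLE HsmKey (id INTEGER PRIMARY KEY, locator TEXT, role INTEGER)"
KSK_14, ZSK_14 = 257, 256   # OpenDNSSEC 1.4 'keytype' (DNSKEY flags)
KSK_21, ZSK_21 = 1, 2       # OpenDNSSEC 2.1 'role', as the migration writes it

def role_from_keytype(keytype):
    """The migration expression: 257 (KSK) -> 1, 256 (ZSK) -> 2."""
    return (~keytype & 1) + 1

def is_ksk(conn, ods_version, locator):
    """Decide KSK vs ZSK for an HSM key, reading the column each schema has."""
    if ods_version < (2, 0):
        row = conn.execute(
            "SELECT d.keytype FROM dnsseckeys d "
            "JOIN keypairs k ON k.id = d.keypair_id WHERE k.HSMkey_id = ?",
            (locator,)).fetchone()
        return row[0] == KSK_14
    row = conn.execute("SELECT role FROM HsmKey WHERE locator = ?",
                       (locator,)).fetchone()
    return row[0] == KSK_21

def build_14_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_14)
    conn.executemany("INSERT INTO keypairs VALUES (?, ?)", [(1, "k1"), (2, "k2")])
    conn.executemany("INSERT INTO dnsseckeys VALUES (?, ?)",
                     [(1, KSK_14), (2, ZSK_14)])
    return conn

def build_21_db():
    # 'role' is filled the way the migration does it, from the 1.4 keytypes.
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA_21)
    conn.executemany("INSERT INTO HsmKey VALUES (?, ?, ?)",
                     [(1, "k1", role_from_keytype(KSK_14)),
                      (2, "k2", role_from_keytype(ZSK_14))])
    return conn

def keytype_column_missing(conn):
    """On a 2.1 database the 1.4 column name is an error, not a wrong answer."""
    try:
        conn.execute("SELECT keytype FROM HsmKey")
    except sqlite3.OperationalError:
        return True
    return False
```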
__init__.py ipapython: move dnssec, p11helper and secrets to ipaserver 2016-11-29 14:50:51 +01:00
_ods14.py opendnssec2.1 support: move all ods tasks to specific file 2020-03-12 21:48:25 +01:00
_ods21.py dnssec: fix the key type with OpenDNSSEC 2.1 2021-02-04 14:20:59 +01:00
_odsbase.py Support OpenDNSSEC 2.1: new ods-signer protocol 2020-03-12 21:48:25 +01:00
abshsm.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
bindmgr.py Change mkdir logic in DNSSEC 2020-12-18 20:40:36 +02:00
keysyncer.py Add absolute_import future imports 2018-04-20 09:43:37 +02:00
ldapkeydb.py Import ABCs from collections.abc 2018-07-05 19:45:10 +02:00
localhsm.py Cleanup shebang and executable bit 2018-07-05 19:46:42 +02:00
odsmgr.py opendnssec2.1 support: move all ods tasks to specific file 2020-03-12 21:48:25 +01:00
opendnssec.py opendnssec2.1 support: move all ods tasks to specific file 2020-03-12 21:48:25 +01:00
syncrepl.py Fix pylint 2.0 return-related violations 2018-07-11 10:11:38 +02:00
temp.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00