upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-02-16 00:58:14 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

list builtin.

Browse source 
git-svn-id: file:///svn/unbound/trunk@2269 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2010-10-01 11:47:53 +00:00
parent b3e4186cf2
commit fb4a5492da
2 changed files with 75 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
doc/unbound-anchor.8.in
View file

@ -57,6 +57,9 @@ The root update certificate file, that is read in.
Default is @UNBOUND_ROOTCERT_FILE@.
If the file does not exist, or is empty, a builtin certificate is used.
.TP
.B \-l
List the builtin root key and builtin root update certificate on stdout.
.TP
.B \-u \fIname
The server name, it connects to https://name. Specify without https:// prefix.
The default is "data.iana.org". It connects to the port specified with \-P.
@ -130,17 +133,24 @@ This tool exits with value 1 if the root anchor was updated using the
certificate or if the builtin root-anchor was used. It exits with code
0 if no update was necessary, if the update was possible with RFC5011
tracking, or if an error occurred.
.SH "TRUST"
We provide builtin root keys and update certificates to be trustworthy,
in our opinion. But that does not mean the results from running this
tool may be trustworthy for you, or that this tool works perfectly.
If you want to make sure, you have to check the output manually.
.P
You can do this by checking the exit value. In this manner:
You can check the exit value in this manner:
.nf
unbound-anchor -a "root.key" || logger "Please check root.key"
.fi
Or something more suitable for your operational environment.
.SH "TRUST"
The root keys and update certificate included in this tool
are provided for convenience and under the terms of our
license (see the LICENSE file in the source distribution or
http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or
not suitable to your purpose.
.P
By running "unbound\-anchor \-l" the keys and certificate that are
configured in the code are printed for your convenience.
.P
The build\-in configuration can be overridden by providing a root\-cert
file and a rootkey file.
.SH "FILES"
.TP
.I @UNBOUND_ROOTKEY_FILE@

86
smallapp/unbound-anchor.c
View file

@ -175,6 +175,7 @@ usage()
printf("-a file root key file, default %s\n", ROOT_ANCHOR_FILE);
printf(" The key is input and output for this tool.\n");
printf("-c file cert file, default %s\n", ROOT_CERT_FILE);
printf("-l list builtin key and cert on stdout\n");
printf("-u name server in https url, default %s\n", URLNAME);
printf("-x path pathname to xml, default %s\n", XMLNAME);
printf("-s path pathname to p7s, default %s\n", P7SNAME);
@ -194,6 +195,45 @@ usage()
exit(1);
}
/** return the built in root update certificate */
static const char*
get_builtin_cert(void)
{
return
/* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */
"-----BEGIN CERTIFICATE-----\n"
"MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
"TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
"BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
"DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
"IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
"MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
"cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
"G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
"ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
"paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
"MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
"iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
"Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
"DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
"6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
"2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
"15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
"0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
"j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
"-----END CERTIFICATE-----\n"
;
}
/** return the built in root DS trust anchor */
static const char*
get_builtin_ds(void)
{
return
". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
;
}
/** print hex data */
static void
print_data(char* msg, char* data, int len)
@ -393,30 +433,7 @@ read_cert_file(char* file)
static STACK_OF(X509)*
read_builtin_cert(void)
{
/* The ICANN CA fetched at 24 Sep 2010. Valid to 2028 */
const char* builtin_cert =
"-----BEGIN CERTIFICATE-----\n"
"MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO\n"
"TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV\n"
"BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX\n"
"DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O\n"
"IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB\n"
"MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb\n"
"cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S\n"
"G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg\n"
"ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2\n"
"paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7\n"
"MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29\n"
"iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B\n"
"Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3\n"
"DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH\n"
"6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD\n"
"2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h\n"
"15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF\n"
"0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg\n"
"j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk\n"
"-----END CERTIFICATE-----\n"
;
const char* builtin_cert = get_builtin_cert();
STACK_OF(X509)* sk;
BIO *bio = BIO_new_mem_buf((void*)builtin_cert,
(int)strlen(builtin_cert));
@ -447,6 +464,16 @@ read_cert_or_builtin(char* file)
return sk;
}
static void
do_list_builtin(void)
{
const char* builtin_cert = get_builtin_cert();
const char* builtin_ds = get_builtin_ds();
printf("%s\n", builtin_ds);
printf("%s\n", builtin_cert);
exit(0);
}
/** printout IP address with message */
static void
verb_addr(char* msg, struct ip_list* ip)
@ -1687,7 +1714,7 @@ try_read_anchor(char* file)
static void
write_builtin_anchor(char* file)
{
const char* builtin_root_anchor = ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
const char* builtin_root_anchor = get_builtin_ds();
FILE* out = fopen(file, "w");
if(!out) {
if(verb) printf("%s: %s\n", file, strerror(errno));
@ -1897,10 +1924,13 @@ int main(int argc, char* argv[])
char* res_conf = NULL;
char* root_hints = NULL;
char* debugconf = NULL;
int ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
int dolist=0, ip4only=0, ip6only=0, force=0, port = HTTPS_PORT;
/* parse the options */
while( (c=getopt(argc, argv, "46C:FP:a:c:f:hr:s:u:vx:")) != -1) {
while( (c=getopt(argc, argv, "46C:FP:a:c:f:hlr:s:u:vx:")) != -1) {
switch(c) {
case 'l':
dolist = 1;
break;
case '4':
ip4only = 1;
break;
@ -1956,6 +1986,8 @@ int main(int argc, char* argv[])
OpenSSL_add_all_algorithms();
(void)SSL_library_init();
if(dolist) do_list_builtin();
return do_root_update_work(root_anchor_file, root_cert_file, urlname,
xmlname, p7sname, res_conf, root_hints, debugconf, ip4only,
ip6only, force, port);