#!/usr/pkg/bin/perl -w                        
=head1 NAME

    dnssecmaint-config - Configuration option editor

=head1 SYNOPSIS

    dnssecmaint-config


=head1 DESCRIPTION

This is a small utility to create a configuration file for the
DNSSECMAINT key management suite. It locates BIND's dnssec-keygen and
dnssec-signzone on the PATH and offers them as defaults. On systems where
/dev/urandom cannot be put into non-blocking mode the generated commands
fall back to a seed file written by openssl at /tmp/random, which is unsafe
on multi-user hosts (the program prints a warning when that fallback is used).

The program presents each configuration option with a short explanation
and a default value.

One can always type 'exit' to terminate the program.

=head1 EXAMPLE

Here follows an example session

$ bert >dnssecmaint-config 

$ bert >

    This is a program to write Net::DNS::SEC::Maint configuration files. 
    It is typically used at install time or to create alternative configurations.
    Type 'exit' to leave the program.
    ----
    conffile specifies where the configuration file can be found
    conffile is set to /usr/local/etc/dnssecmaint.conf
    Enter value for conffile>/spool/olaf/etc/dnssecmaint.conf
    ----
    dns_key_db Path to the directory in which the key database is kept
    dns_key_db is set to /usr/local/var/dnssec_maint/DNS_Key_DB
    Enter value for dns_key_db>/usr/local/var/dnssec_maint/DNS_Key_DB
    ----
    dnssec_keygen full path to BIND's dnssec-keygen command with optional arguments
    This vallue is currently set using the DNSSECMAINT_DNSSEC_KEYGEN
    dnssec_keygen is set to /home/olaf/sbin/dnssec-keygen -r /dev/urandom 
    Enter value for dnssec_keygen>/home/olaf/sbin/dnssec-keygen -r /dev/urandom 
    ----
    dnssec_signzone full path to BIND's dnssec-signzone command with optional argume
    nts
    This vallue is currently set using the DNSSECMAINT_DNSSEC_SIGNZONE
    dnssec_signzone is set to /home/olaf/sbin/dnssec-signzone -r /dev/urandom 
    Enter value for dnssec_signzone>/home/olaf/sbin/dnssec-signzone -r /dev/urandom 
    ----
    dsakeysizekey Default size for DSA Key Signing Keys
    dsakeysizekey is set to 1024
    Enter value for dsakeysizekey>1024
    ----
    dsakeysizezone Default size for DSA Zone Signing Keys
    dsakeysizezone is set to 512
    Enter value for dsakeysizezone>512
    ----
    logdir specifies the directory under logfiles are stored
    logdir is set to /usr/local/var/dnssec_maint/log
    Enter value for logdir>/usr/local/var/dnssec_maint/log
    ----
    maintgroup Name of group that has R/W access to the dnssecmt
    maintgroup is set to dnssecmt
    Enter value for maintgroup>dnssecmt
    ----
    rsakeysizekey Default size for RSA Key Signing Keys
    rsakeysizekey is set to 2048
    Enter value for rsakeysizekey>2048
    ----
    rsakeysizezone Default size for RSA Zone Signing Keys
    rsakeysizezone is set to 768
    Enter value for rsakeysizezone>768
    ----
    tmpdir Path to the directory in which temporary files are stored
    tmpdir is set to /tmp/
    Enter value for tmpdir>/tmp/
    Save configuration file to:/spool/olaf/etc/dnssecmaint.conf? (yes|no)>yes
    To use this configuration file you have to set DNSSECMAINT_CONFFILE=/spool/olaf/
    etc/dnssecmaint.conf
    dnssecmt is an unknown group
    Please add the group to /etc/group or



=cut





use Net::DNS::SEC::Maint::Key::Config;

# Banner shown before the interactive configuration dialogue begins.
my @banner = (
    "This is a program to write Net::DNS::SEC::Maint configuration files. ",
    "It is typically used at install time or to create alternative configurations.",
    "Type 'exit' to leave the program.",
);
print map { "$_\n" } @banner;






use Fcntl qw(:DEFAULT :Fcompat);






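use strict;
use warnings;
use Config;
use File::Spec;

# Find the first executable named $program on the PATH.
#
# Replaces Shell::which(): the Shell module is no longer part of core Perl,
# and its which() spawned a shell and then parsed the "no X in ..." text,
# whose wording differs between platforms.  Returns the full path of the
# first regular, executable file found, or undef when there is none.  Empty
# PATH entries are skipped rather than treated as the current directory.
sub _find_in_path {
    my ($program) = @_;
    my $path_env = defined $ENV{PATH} ? $ENV{PATH} : '';
    for my $dir ( split /\Q$Config{path_sep}\E/, $path_env ) {
        next if $dir eq '';
        my $candidate = File::Spec->catfile( $dir, $program );
        return $candidate if -f $candidate && -x _;
    }
    return;
}

# Set when a required tool could not be found; the dialogue still runs,
# but the user is told the offered defaults may need hand correction.
my $nokeygen = 0;

# /dev/urandom is the preferred entropy source for the BIND tools' -r
# option, but on some systems (historically Mac OS X) fcntl(F_SETFL,
# O_NONBLOCK) on it fails.  Probe for that before relying on it; any
# failure leaves $no_devurandom set and selects the openssl fallback.
my $no_devurandom = 1;
if ( open( my $rnd, '<', '/dev/urandom' ) ) {
    my $flags = fcntl( $rnd, F_GETFL, 0 );
    if ( !$flags ) {
        print "fcntl F_GETFL on /dev/urandom fails:  $! \n";
    }
    # OR O_NONBLOCK onto the flags that were read back instead of replacing
    # them; F_SETFL only honours status flags, so the probe result is the
    # same but the call is the textbook form.
    elsif ( !fcntl( $rnd, F_SETFL, $flags | O_NONBLOCK ) ) {
        print "fcntl NONBLOCK on /dev/urandom fails:  $! \n";
    }
    else {
        $no_devurandom = 0;
    }
    close $rnd;
}
else {
    print "cannot open /dev/urandom: $!\n";
}

# Environment variables through which the defaults are handed to
# Net::DNS::SEC::Maint::Key::Config->makeconfig.
my %env_for = (
    'dnssec-keygen'   => 'DNSSECMAINT_DNSSEC_KEYGEN',
    'dnssec-signzone' => 'DNSSECMAINT_DNSSEC_SIGNZONE',
);

# Locate the BIND tools.  A tool that is missing is reported once and left
# out of %tool_path, so no bogus command string is offered as a default.
my %tool_path;
for my $tool ( sort keys %env_for ) {
    my $path = _find_in_path($tool);
    if ( defined $path ) {
        $tool_path{$tool} = $path;
    }
    else {
        print "$tool not found as an executable in PATH\n";
        print "Change your PATH to include $tool\n";
        $nokeygen = 1;
    }
}

if ($no_devurandom) {
    my $openssl_path = _find_in_path('openssl');
    if ( !defined $openssl_path ) {
        print "openssl not found as an executable in PATH\n";
        print "Change your PATH to include openssl\n";
        $nokeygen = 1;
    }

    # Fallback entropy source: openssl writes a seed file that the BIND
    # tool reads with -r, and the file is removed afterwards.  The path is
    # fixed and lives in a world-writable directory, so on a multi-user
    # host another user can pre-create it, replace it, or point a symlink
    # at it between the write and the read and thereby influence the key
    # material.  "&&" at least keeps the tool from consuming a file that
    # openssl failed to write; it does not close the race.
    my $seed = '/tmp/random';
    for my $tool ( sort keys %env_for ) {
        next unless defined $openssl_path && defined $tool_path{$tool};
        # NOTE(review): if the Maint suite appends its own arguments to this
        # command string they land after "rm", not after the tool -- confirm
        # against the caller before relying on this fallback.
        $ENV{ $env_for{$tool} } =
            "$openssl_path rand -out $seed 100000 && $tool_path{$tool} -r $seed ; rm -f $seed";
    }

    print "NOTE: dnssec-signzone and dnssec-keygen will write $seed each time they are called.\n";
    print "That path is fixed and lives in a world-writable directory, so on a\n";
    print "multi-user system another user can pre-create or replace it and\n";
    print "influence the generated key material; prefer a host where /dev/urandom works.\n";
}
else {
    for my $tool ( sort keys %env_for ) {
        next unless defined $tool_path{$tool};
        $ENV{ $env_for{$tool} } = "$tool_path{$tool} -r /dev/urandom ";
    }
}

if ($nokeygen) {
    print "WARNING: one or more required tools were not found; the defaults\n";
    print "offered for them below may need to be corrected by hand.\n";
}

Net::DNS::SEC::Maint::Key::Config->makeconfig;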
