1 /** dnssec_verify */ 2 3 #ifndef LDNS_DNSSEC_SIGN_H 4 #define LDNS_DNSSEC_SIGN_H 5 6 #include <ldns/dnssec.h> 7 8 #ifdef __cplusplus 9 extern "C" { 10 #endif 11 12 /* sign functions */ 13 14 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/ 15 #define LDNS_SIGN_DNSKEY_WITH_ZSK 1 16 #define LDNS_SIGN_WITH_ALL_ALGORITHMS 2 17 #define LDNS_SIGN_NO_KEYS_NO_NSECS 4 18 #define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 8 19 #define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 16 20 21 /** 22 * Create an empty RRSIG RR (i.e. without the actual signature data) 23 * \param[in] rrset The RRset to create the signature for 24 * \param[in] key The key that will create the signature 25 * \return signature rr 26 */ 27 ldns_rr * 28 ldns_create_empty_rrsig(const ldns_rr_list *rrset, 29 const ldns_key *key); 30 31 /** 32 * Sign the buffer which contains the wiredata of an rrset, and the 33 * corresponding empty rrsig rr with the given key 34 * \param[in] sign_buf the buffer with data to sign 35 * \param[in] key the key to sign with 36 * \return an rdata field with the signature data 37 */ 38 ldns_rdf * 39 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key); 40 41 /** 42 * Sign an rrset 43 * \param[in] rrset the rrset 44 * \param[in] keys the keys to use 45 * \return a rr_list with the signatures 46 */ 47 ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys); 48 49 #if LDNS_BUILD_CONFIG_HAVE_SSL 50 /** 51 * Sign a buffer with the DSA key (hash with SHA1) 52 * 53 * \param[in] to_sign The ldns_buffer containing raw data that is to be signed 54 * \param[in] key The DSA key structure to sign with 55 * \return a ldns_rdf for the RRSIG ldns_rr 56 */ 57 ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key); 58 59 /** 60 * Sign data with EVP (general method for different algorithms) 61 * 62 * \param[in] to_sign The ldns_buffer containing raw data that is 63 * to be signed 64 * \param[in] key The EVP_PKEY key structure to sign with 65 * \param[in] digest_type The digest algorithm to use in the creation of 66 * the signature 67 * \return ldns_rdf for the RRSIG ldns_rr 68 */ 69 ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign, 70 EVP_PKEY *key, 71 const EVP_MD *digest_type); 72 73 /** 74 * Sign a buffer with the RSA key (hash with SHA1) 75 * \param[in] to_sign buffer with the data 76 * \param[in] key the key to use 77 * \return a ldns_rdf with the signed data 78 */ 79 ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key); 80 81 /** 82 * Sign a buffer with the RSA key (hash with MD5) 83 * \param[in] to_sign buffer with the data 84 * \param[in] key the key to use 85 * \return a ldns_rdf with the signed data 86 */ 87 ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key); 88 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */ 89 90 /** 91 * Marks the names in the zone that are occluded. Those names will be skipped 92 * when walking the tree with the ldns_dnssec_name_node_next_nonglue() 93 * function. But watch out! Names that are partially occluded (like glue with 94 * the same name as the delegation) will not be marked and should specifically 95 * be taken into account separately. 96 * 97 * When glue_list is given (not NULL), in the process of marking the names, all 98 * glue resource records will be pushed to that list, even glue at the delegation name. 99 * 100 * \param[in] zone the zone in which to mark the names 101 * \param[in] glue_list the list to which to push the glue rrs 102 * \return LDNS_STATUS_OK on success, an error code otherwise 103 */ 104 ldns_status 105 ldns_dnssec_zone_mark_and_get_glue( 106 ldns_dnssec_zone *zone, ldns_rr_list *glue_list); 107 108 /** 109 * Marks the names in the zone that are occluded. Those names will be skipped 110 * when walking the tree with the ldns_dnssec_name_node_next_nonglue() 111 * function. But watch out! Names that are partially occluded (like glue with 112 * the same name as the delegation) will not be marked and should specifically 113 * be taken into account separately. 114 * 115 * \param[in] zone the zone in which to mark the names 116 * \return LDNS_STATUS_OK on successful completion, an error code otherwise 117 */ 118 ldns_status 119 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone); 120 121 /** 122 * Finds the first dnssec_name node in the rbtree that is not occluded. 123 * It *does* return names that are partially occluded. 124 * 125 * \param[in] node the first node to check 126 * \return the first node that has not been marked as glue, or NULL 127 * if not found (TODO: make that LDNS_RBTREE_NULL?) 128 */ 129 ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node); 130 131 /** 132 * Adds NSEC records to the given dnssec_zone 133 * 134 * \param[in] zone the zone to add the records to 135 * \param[in] new_rrs ldns_rr's created by this function are 136 * added to this rr list, so the caller can free them later 137 * \return LDNS_STATUS_OK on success, an error code otherwise 138 */ 139 ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone, 140 ldns_rr_list *new_rrs); 141 142 /** 143 * Adds NSEC3 records to the zone 144 */ 145 ldns_status 146 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone, 147 ldns_rr_list *new_rrs, 148 uint8_t algorithm, 149 uint8_t flags, 150 uint16_t iterations, 151 uint8_t salt_length, 152 uint8_t *salt); 153 154 /** 155 * remove signatures if callback function tells to 156 * 157 * \param[in] signatures list of signatures to check, and 158 * possibly remove, depending on the value of the 159 * callback 160 * \param[in] key_list these are marked to be used or not, 161 * on the return value of the callback 162 * \param[in] func this function is called to specify what to 163 * do with each signature (and corresponding key) 164 * \param[in] arg Optional argument for the callback function 165 * \returns pointer to the new signatures rrs (the original 166 * passed to this function may have been removed) 167 */ 168 ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures, 169 ldns_key_list *key_list, 170 int (*func)(ldns_rr *, void *), 171 void *arg); 172 173 /** 174 * Adds signatures to the zone 175 * 176 * \param[in] zone the zone to add RRSIG Resource Records to 177 * \param[in] new_rrs the RRSIG RRs that are created are also 178 * added to this list, so the caller can free them 179 * later 180 * \param[in] key_list list of keys to sign with. 181 * \param[in] func Callback function to decide what keys to 182 * use and what to do with old signatures 183 * \param[in] arg Optional argument for the callback function 184 * \param[in] flags option flags for signing process. 0 makes DNSKEY 185 * RRset signed with the minimal key set, that is only SEP keys are used 186 * for signing. If there are no SEP keys available, non-SEP keys will 187 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all 188 * keys. 0 is the default. 189 * \return LDNS_STATUS_OK on success, error otherwise 190 */ 191 ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone, 192 ldns_rr_list *new_rrs, 193 ldns_key_list *key_list, 194 int (*func)(ldns_rr *, void*), 195 void *arg, 196 int flags); 197 198 /** 199 * Adds signatures to the zone 200 * 201 * \param[in] zone the zone to add RRSIG Resource Records to 202 * \param[in] new_rrs the RRSIG RRs that are created are also 203 * added to this list, so the caller can free them 204 * later 205 * \param[in] key_list list of keys to sign with. 206 * \param[in] func Callback function to decide what keys to 207 * use and what to do with old signatures 208 * \param[in] arg Optional argument for the callback function 209 * \return LDNS_STATUS_OK on success, error otherwise 210 */ 211 ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, 212 ldns_rr_list *new_rrs, 213 ldns_key_list *key_list, 214 int (*func)(ldns_rr *, void*), 215 void *arg); 216 217 /** 218 * signs the given zone with the given keys 219 * 220 * \param[in] zone the zone to sign 221 * \param[in] key_list the list of keys to sign the zone with 222 * \param[in] new_rrs newly created resource records are added to this list, to free them later 223 * \param[in] func callback function that decides what to do with old signatures 224 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: 225 * LDNS_SIGNATURE_LEAVE_ADD_NEW: 226 * leave the signature and add a new one for the corresponding key 227 * LDNS_SIGNATURE_REMOVE_ADD_NEW: 228 * remove the signature and replace is with a new one from the same key 229 * LDNS_SIGNATURE_LEAVE_NO_ADD: 230 * leave the signature and do not add a new one with the corresponding key 231 * LDNS_SIGNATURE_REMOVE_NO_ADD: 232 * remove the signature and do not replace 233 * 234 * \param[in] arg optional argument for the callback function 235 * \param[in] flags option flags for signing process. 0 makes DNSKEY 236 * RRset signed with the minimal key set, that is only SEP keys are used 237 * for signing. If there are no SEP keys available, non-SEP keys will 238 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all 239 * keys. 0 is the default. 240 * \return LDNS_STATUS_OK on success, an error code otherwise 241 */ 242 ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone, 243 ldns_rr_list *new_rrs, 244 ldns_key_list *key_list, 245 int (*func)(ldns_rr *, void *), 246 void *arg, 247 int flags); 248 249 /** 250 * signs the given zone with the given new zone, with NSEC3 251 * 252 * \param[in] zone the zone to sign 253 * \param[in] key_list the list of keys to sign the zone with 254 * \param[in] new_rrs newly created resource records are added to this list, to free them later 255 * \param[in] func callback function that decides what to do with old signatures 256 * \param[in] arg optional argument for the callback function 257 * \param[in] algorithm the NSEC3 hashing algorithm to use 258 * \param[in] flags NSEC3 flags 259 * \param[in] iterations the number of NSEC3 hash iterations to use 260 * \param[in] salt_length the length (in octets) of the NSEC3 salt 261 * \param[in] salt the NSEC3 salt data 262 * \param[in] signflags option flags for signing process. 0 is the default. 263 * \return LDNS_STATUS_OK on success, an error code otherwise 264 */ 265 ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone, 266 ldns_rr_list *new_rrs, 267 ldns_key_list *key_list, 268 int (*func)(ldns_rr *, void *), 269 void *arg, 270 uint8_t algorithm, 271 uint8_t flags, 272 uint16_t iterations, 273 uint8_t salt_length, 274 uint8_t *salt, 275 int signflags); 276 277 /** 278 * signs the given zone with the given new zone, with NSEC3 279 * 280 * \param[in] zone the zone to sign 281 * \param[in] key_list the list of keys to sign the zone with 282 * \param[in] new_rrs newly created resource records are added to this list, to free them later 283 * \param[in] func callback function that decides what to do with old signatures 284 * \param[in] arg optional argument for the callback function 285 * \param[in] algorithm the NSEC3 hashing algorithm to use 286 * \param[in] flags NSEC3 flags 287 * \param[in] iterations the number of NSEC3 hash iterations to use 288 * \param[in] salt_length the length (in octets) of the NSEC3 salt 289 * \param[in] salt the NSEC3 salt data 290 * \param[in] signflags option flags for signing process. 0 is the default. 291 * \param[out] map a referenced rbtree pointer variable. The newly created 292 * rbtree will contain mappings from hashed owner names to the 293 * unhashed name. 294 * \return LDNS_STATUS_OK on success, an error code otherwise 295 */ 296 ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone, 297 ldns_rr_list *new_rrs, 298 ldns_key_list *key_list, 299 int (*func)(ldns_rr *, void *), 300 void *arg, 301 uint8_t algorithm, 302 uint8_t flags, 303 uint16_t iterations, 304 uint8_t salt_length, 305 uint8_t *salt, 306 int signflags, 307 ldns_rbtree_t **map 308 ); 309 310 311 /** 312 * signs the given zone with the given keys 313 * 314 * \param[in] zone the zone to sign 315 * \param[in] key_list the list of keys to sign the zone with 316 * \param[in] new_rrs newly created resource records are added to this list, to free them later 317 * \param[in] func callback function that decides what to do with old signatures 318 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: 319 * LDNS_SIGNATURE_LEAVE_ADD_NEW: 320 * leave the signature and add a new one for the corresponding key 321 * LDNS_SIGNATURE_REMOVE_ADD_NEW: 322 * remove the signature and replace is with a new one from the same key 323 * LDNS_SIGNATURE_LEAVE_NO_ADD: 324 * leave the signature and do not add a new one with the corresponding key 325 * LDNS_SIGNATURE_REMOVE_NO_ADD: 326 * remove the signature and do not replace 327 * 328 * \param[in] arg optional argument for the callback function 329 * \return LDNS_STATUS_OK on success, an error code otherwise 330 */ 331 ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone, 332 ldns_rr_list *new_rrs, 333 ldns_key_list *key_list, 334 int (*func)(ldns_rr *, void *), 335 void *arg); 336 337 /** 338 * signs the given zone with the given new zone, with NSEC3 339 * 340 * \param[in] zone the zone to sign 341 * \param[in] key_list the list of keys to sign the zone with 342 * \param[in] new_rrs newly created resource records are added to this list, to free them later 343 * \param[in] func callback function that decides what to do with old signatures 344 * \param[in] arg optional argument for the callback function 345 * \param[in] algorithm the NSEC3 hashing algorithm to use 346 * \param[in] flags NSEC3 flags 347 * \param[in] iterations the number of NSEC3 hash iterations to use 348 * \param[in] salt_length the length (in octets) of the NSEC3 salt 349 * \param[in] salt the NSEC3 salt data 350 * \return LDNS_STATUS_OK on success, an error code otherwise 351 */ 352 ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone, 353 ldns_rr_list *new_rrs, 354 ldns_key_list *key_list, 355 int (*func)(ldns_rr *, void *), 356 void *arg, 357 uint8_t algorithm, 358 uint8_t flags, 359 uint16_t iterations, 360 uint8_t salt_length, 361 uint8_t *salt); 362 363 /** 364 * Signs the zone, and returns a newly allocated signed zone 365 * \param[in] zone the zone to sign 366 * \param[in] key_list list of keys to sign with 367 * \return signed zone 368 */ 369 ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list); 370 371 /** 372 * Signs the zone with NSEC3, and returns a newly allocated signed zone 373 * \param[in] zone the zone to sign 374 * \param[in] key_list list of keys to sign with 375 * \param[in] algorithm the NSEC3 hashing algorithm to use 376 * \param[in] flags NSEC3 flags 377 * \param[in] iterations the number of NSEC3 hash iterations to use 378 * \param[in] salt_length the length (in octets) of the NSEC3 salt 379 * \param[in] salt the NSEC3 salt data 380 * \return signed zone 381 */ 382 ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt); 383 384 #ifdef __cplusplus 385 } 386 #endif 387 388 #endif 389