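/** dnssec_sign: signing of RRsets and zones (RRSIG, NSEC/NSEC3 generation) */

#ifndef LDNS_DNSSEC_SIGN_H
#define LDNS_DNSSEC_SIGN_H

#include <ldns/dnssec.h>

#ifdef __cplusplus
extern "C" {
#endif

/* sign functions */

/*
 * Signing option flags. These are bit flags; OR them together into the
 * `flags` / `signflags` argument of the *_flg signing functions. 0 selects
 * the default behaviour described at each function.
 */

/** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys */
#define LDNS_SIGN_DNSKEY_WITH_ZSK 1
/**
 * Sign flag: sign with every algorithm present in the key list rather than
 * only the preferred one (presumably so that each RRset carries an RRSIG
 * for every DNSKEY algorithm in the zone; confirm against the implementation)
 */
#define LDNS_SIGN_WITH_ALL_ALGORITHMS 2
/**
 * Sign flag: when no keys are supplied, do not generate NSEC/NSEC3 records
 * either (name-based reading; confirm against the implementation)
 */
#define LDNS_SIGN_NO_KEYS_NO_NSECS 4
/** Sign flag: add a ZONEMD record (RFC 8976), scheme SIMPLE, hash SHA-384 */
#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384 8
/** Sign flag: add a ZONEMD record (RFC 8976), scheme SIMPLE, hash SHA-512 */
#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 16

/**
 * Create an empty RRSIG RR (i.e. without the actual signature data).
 * The RRSIG header fields are derived from the RRset and the key; the
 * signature rdata itself is filled in by a later signing step.
 * \param[in] rrset The RRset to create the signature for
 * \param[in] key The key that will create the signature
 * \return the newly created RRSIG rr (without signature data)
 */
ldns_rr *
ldns_create_empty_rrsig(const ldns_rr_list *rrset,
                        const ldns_key *key);

/**
 * Sign the buffer which contains the wiredata of an rrset, and the
 * corresponding empty rrsig rr with the given key
 * \param[in] sign_buf the buffer with data to sign
 * \param[in] key the key to sign with (the key's algorithm selects the
 *            signing method)
 * \return an rdata field with the signature data
 */
ldns_rdf *
ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key);

/**
 * Sign an rrset
 * \param[in] rrset the rrset
 * \param[in] keys the keys to use
 * \return a rr_list with the signatures
 */
ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys);

#if LDNS_BUILD_CONFIG_HAVE_SSL
/**
 * Sign a buffer with the DSA key (hash with SHA1)
 *
 * Note: DSA is "MUST NOT" for signing under RFC 8624; keep this only for
 * interoperability with existing zones, not for new deployments.
 *
 * \param[in] to_sign The ldns_buffer containing raw data that is to be signed
 * \param[in] key The DSA key structure to sign with
 * \return a ldns_rdf for the RRSIG ldns_rr
 */
ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key);

/**
 * Sign data with EVP (general method for different algorithms)
 *
 * \param[in] to_sign The ldns_buffer containing raw data that is
 *            to be signed
 * \param[in] key The EVP_PKEY key structure to sign with
 * \param[in] digest_type The digest algorithm to use in the creation of
 *            the signature
 * \return ldns_rdf for the RRSIG ldns_rr
 */
ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign,
                               EVP_PKEY *key,
                               const EVP_MD *digest_type);

/**
 * Sign a buffer with the RSA key (hash with SHA1)
 *
 * Note: RSASHA1 is "NOT RECOMMENDED" for signing under RFC 8624; prefer
 * a SHA-256 or stronger algorithm for new zones.
 *
 * \param[in] to_sign buffer with the data
 * \param[in] key the key to use
 * \return a ldns_rdf with the signed data
 */
ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key);

/**
 * Sign a buffer with the RSA key (hash with MD5)
 *
 * Note: RSAMD5 is "MUST NOT" for both signing and validation under
 * RFC 8624 (deprecated since RFC 6944); retained for legacy callers only.
 *
 * \param[in] to_sign buffer with the data
 * \param[in] key the key to use
 * \return a ldns_rdf with the signed data
 */
ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key);
#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */

/**
 * Marks the names in the zone that are occluded. Those names will be skipped
 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
 * function. But watch out! Names that are partially occluded (like glue with
 * the same name as the delegation) will not be marked and should specifically
 * be taken into account separately.
 *
 * When glue_list is given (not NULL), in the process of marking the names, all
 * glue resource records will be pushed to that list, even glue at the
 * delegation name.
 *
 * \param[in] zone the zone in which to mark the names
 * \param[in] glue_list the list to which to push the glue rrs (may be NULL)
 * \return LDNS_STATUS_OK on success, an error code otherwise
 */
ldns_status
ldns_dnssec_zone_mark_and_get_glue(
		ldns_dnssec_zone *zone, ldns_rr_list *glue_list);

/**
 * Marks the names in the zone that are occluded. Those names will be skipped
 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
 * function. But watch out! Names that are partially occluded (like glue with
 * the same name as the delegation) will not be marked and should specifically
 * be taken into account separately.
 *
 * \param[in] zone the zone in which to mark the names
 * \return LDNS_STATUS_OK on successful completion, an error code otherwise
 */
ldns_status
ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone);

/**
 * Finds the first dnssec_name node in the rbtree that is not occluded.
 * It *does* return names that are partially occluded.
 *
 * \param[in] node the first node to check
 * \return the first node that has not been marked as glue, or NULL
 *         if not found (TODO: make that LDNS_RBTREE_NULL?)
 */
ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node);

/**
 * Adds NSEC records to the given dnssec_zone
 *
 * \param[in] zone the zone to add the records to
 * \param[in] new_rrs ldns_rr's created by this function are
 *            added to this rr list, so the caller can free them later
 * \return LDNS_STATUS_OK on success, an error code otherwise
 */
ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
                                          ldns_rr_list *new_rrs);

/**
 * Adds NSEC3 records to the zone
 *
 * Note: RFC 9276 recommends 0 extra iterations and an empty salt; larger
 * iteration counts only add load for validators without adding security.
 *
 * \param[in] zone the zone to add the records to
 * \param[in] new_rrs ldns_rr's created by this function are
 *            added to this rr list, so the caller can free them later
 * \param[in] algorithm the NSEC3 hashing algorithm to use
 * \param[in] flags NSEC3 flags
 * \param[in] iterations the number of NSEC3 hash iterations to use
 * \param[in] salt_length the length (in octets) of the NSEC3 salt
 * \param[in] salt the NSEC3 salt data (salt_length octets)
 * \return LDNS_STATUS_OK on success, an error code otherwise
 */
ldns_status
ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
		ldns_rr_list *new_rrs,
		uint8_t algorithm,
		uint8_t flags,
		uint16_t iterations,
		uint8_t salt_length,
		uint8_t *salt);

/**
 * remove signatures if callback function tells to
 *
 * \param[in] signatures list of signatures to check, and
 *            possibly remove, depending on the value of the
 *            callback
 * \param[in] key_list these are marked to be used or not,
 *            on the return value of the callback
 * \param[in] func this function is called to specify what to
 *            do with each signature (and corresponding key)
 * \param[in] arg Optional argument for the callback function
 * \returns pointer to the new signatures rrs (the original
 *          passed to this function may have been removed, so the
 *          caller must use the returned pointer from here on)
 */
ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
		ldns_key_list *key_list,
		int (*func)(ldns_rr *, void *),
		void *arg);

/**
 * Adds signatures to the zone
 *
 * \param[in] zone the zone to add RRSIG Resource Records to
 * \param[in] new_rrs the RRSIG RRs that are created are also
 *            added to this list, so the caller can free them
 *            later
 * \param[in] key_list list of keys to sign with.
 * \param[in] func Callback function to decide what keys to
 *            use and what to do with old signatures
 * \param[in] arg Optional argument for the callback function
 * \param[in] flags option flags for signing process (OR of LDNS_SIGN_*
 *            values). 0 makes DNSKEY RRset signed with the minimal key set,
 *            that is only SEP keys are used for signing. If there are no
 *            SEP keys available, non-SEP keys will be used.
 *            LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
 *            keys. 0 is the default.
 * \return LDNS_STATUS_OK on success, error otherwise
 */
ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
		ldns_rr_list *new_rrs,
		ldns_key_list *key_list,
		int (*func)(ldns_rr *, void *),
		void *arg,
		int flags);

/**
 * Adds signatures to the zone (same as ldns_dnssec_zone_create_rrsigs_flg
 * with flags = 0)
 *
 * \param[in] zone the zone to add RRSIG Resource Records to
 * \param[in] new_rrs the RRSIG RRs that are created are also
 *            added to this list, so the caller can free them
 *            later
 * \param[in] key_list list of keys to sign with.
 * \param[in] func Callback function to decide what keys to
 *            use and what to do with old signatures
 * \param[in] arg Optional argument for the callback function
 * \return LDNS_STATUS_OK on success, error otherwise
 */
ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
		ldns_rr_list *new_rrs,
		ldns_key_list *key_list,
		int (*func)(ldns_rr *, void *),
		void *arg);

/**
 * signs the given zone with the given keys
 *
 * \param[in] zone the zone to sign
 * \param[in] new_rrs newly created resource records are added to this list,
 *            to free them later
 * \param[in] key_list the list of keys to sign the zone with
 * \param[in] func callback function that decides what to do with old
 *            signatures. This function takes an ldns_rr* and an optional
 *            void *arg argument, and returns one of four values:
 *            LDNS_SIGNATURE_LEAVE_ADD_NEW:
 *            leave the signature and add a new one for the corresponding key
 *            LDNS_SIGNATURE_REMOVE_ADD_NEW:
 *            remove the signature and replace it with a new one from the
 *            same key
 *            LDNS_SIGNATURE_LEAVE_NO_ADD:
 *            leave the signature and do not add a new one with the
 *            corresponding key
 *            LDNS_SIGNATURE_REMOVE_NO_ADD:
 *            remove the signature and do not replace
 *
 * \param[in] arg optional argument for the callback function
 * \param[in] flags option flags for signing process (OR of LDNS_SIGN_*
 *            values). 0 makes DNSKEY RRset signed with the minimal key set,
 *            that is only SEP keys are used for signing. If there are no
 *            SEP keys available, non-SEP keys will be used.
 *            LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
 *            keys. 0 is the default.
 * \return LDNS_STATUS_OK on success, an error code otherwise
 */
ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
		ldns_rr_list *new_rrs,
		ldns_key_list *key_list,
		int (*func)(ldns_rr *, void *),
		void *arg,
		int flags);

/**
 * signs the given zone with the given keys, using NSEC3 for authenticated
 * denial of existence
 *
 * Note: RFC 9276 recommends 0 extra iterations and an empty salt.
 *
 * \param[in] zone the zone to sign
 * \param[in] new_rrs newly created resource records are added to this list,
 *            to free them later
 * \param[in] key_list the list of keys to sign the zone with
 * \param[in] func callback function that decides what to do with old
 *            signatures (see ldns_dnssec_zone_sign_flg for the return values)
 * \param[in] arg optional argument for the callback function
 * \param[in] algorithm the NSEC3 hashing algorithm to use
 * \param[in] flags NSEC3 flags
 * \param[in] iterations the number of NSEC3 hash iterations to use
 * \param[in] salt_length the length (in octets) of the NSEC3 salt
 * \param[in] salt the NSEC3 salt data (salt_length octets)
 * \param[in] signflags option flags for signing process (OR of LDNS_SIGN_*
 *            values). 0 is the default.
 * \return LDNS_STATUS_OK on success, an error code otherwise
 */
ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
		ldns_rr_list *new_rrs,
		ldns_key_list *key_list,
		int (*func)(ldns_rr *, void *),
		void *arg,
		uint8_t algorithm,
		uint8_t flags,
		uint16_t iterations,
		uint8_t salt_length,
		uint8_t *salt,
		int signflags);

/**
 * signs the given zone with the given keys, using NSEC3 for authenticated
 * denial of existence, and returns the hashed-name to name mapping
 *
 * \param[in] zone the zone to sign
 * \param[in] new_rrs newly created resource records are added to this list,
 *            to free them later
 * \param[in] key_list the list of keys to sign the zone with
 * \param[in] func callback function that decides what to do with old
 *            signatures (see ldns_dnssec_zone_sign_flg for the return values)
 * \param[in] arg optional argument for the callback function
 * \param[in] algorithm the NSEC3 hashing algorithm to use
 * \param[in] flags NSEC3 flags
 * \param[in] iterations the number of NSEC3 hash iterations to use
 * \param[in] salt_length the length (in octets) of the NSEC3 salt
 * \param[in] salt the NSEC3 salt data (salt_length octets)
 * \param[in] signflags option flags for signing process (OR of LDNS_SIGN_*
 *            values). 0 is the default.
 * \param[out] map a referenced rbtree pointer variable. The newly created
 *             rbtree will contain mappings from hashed owner names to the
 *             unhashed name. (Ownership of the tree is presumably passed
 *             to the caller; confirm against the implementation.)
 * \return LDNS_STATUS_OK on success, an error code otherwise
 */
ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
		ldns_rr_list *new_rrs,
		ldns_key_list *key_list,
		int (*func)(ldns_rr *, void *),
		void *arg,
		uint8_t algorithm,
		uint8_t flags,
		uint16_t iterations,
		uint8_t salt_length,
		uint8_t *salt,
		int signflags,
		ldns_rbtree_t **map
		);


/**
 * signs the given zone with the given keys (same as ldns_dnssec_zone_sign_flg
 * with flags = 0)
 *
 * \param[in] zone the zone to sign
 * \param[in] new_rrs newly created resource records are added to this list,
 *            to free them later
 * \param[in] key_list the list of keys to sign the zone with
 * \param[in] func callback function that decides what to do with old
 *            signatures. This function takes an ldns_rr* and an optional
 *            void *arg argument, and returns one of four values:
 *            LDNS_SIGNATURE_LEAVE_ADD_NEW:
 *            leave the signature and add a new one for the corresponding key
 *            LDNS_SIGNATURE_REMOVE_ADD_NEW:
 *            remove the signature and replace it with a new one from the
 *            same key
 *            LDNS_SIGNATURE_LEAVE_NO_ADD:
 *            leave the signature and do not add a new one with the
 *            corresponding key
 *            LDNS_SIGNATURE_REMOVE_NO_ADD:
 *            remove the signature and do not replace
 *
 * \param[in] arg optional argument for the callback function
 * \return LDNS_STATUS_OK on success, an error code otherwise
 */
ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
		ldns_rr_list *new_rrs,
		ldns_key_list *key_list,
		int (*func)(ldns_rr *, void *),
		void *arg);

/**
 * signs the given zone with the given keys, using NSEC3 for authenticated
 * denial of existence (same as ldns_dnssec_zone_sign_nsec3_flg with
 * signflags = 0)
 *
 * \param[in] zone the zone to sign
 * \param[in] new_rrs newly created resource records are added to this list,
 *            to free them later
 * \param[in] key_list the list of keys to sign the zone with
 * \param[in] func callback function that decides what to do with old
 *            signatures (see ldns_dnssec_zone_sign for the return values)
 * \param[in] arg optional argument for the callback function
 * \param[in] algorithm the NSEC3 hashing algorithm to use
 * \param[in] flags NSEC3 flags
 * \param[in] iterations the number of NSEC3 hash iterations to use
 * \param[in] salt_length the length (in octets) of the NSEC3 salt
 * \param[in] salt the NSEC3 salt data (salt_length octets)
 * \return LDNS_STATUS_OK on success, an error code otherwise
 */
ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
		ldns_rr_list *new_rrs,
		ldns_key_list *key_list,
		int (*func)(ldns_rr *, void *),
		void *arg,
		uint8_t algorithm,
		uint8_t flags,
		uint16_t iterations,
		uint8_t salt_length,
		uint8_t *salt);

/**
 * Signs the zone, and returns a newly allocated signed zone
 * \param[in] zone the zone to sign (not modified)
 * \param[in] key_list list of keys to sign with
 * \return signed zone; the caller takes ownership of the returned zone
 */
ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list);

/**
 * Signs the zone with NSEC3, and returns a newly allocated signed zone
 *
 * Note: RFC 9276 recommends 0 extra iterations and an empty salt.
 *
 * \param[in] zone the zone to sign
 * \param[in] key_list list of keys to sign with
 * \param[in] algorithm the NSEC3 hashing algorithm to use
 * \param[in] flags NSEC3 flags
 * \param[in] iterations the number of NSEC3 hash iterations to use
 * \param[in] salt_length the length (in octets) of the NSEC3 salt
 * \param[in] salt the NSEC3 salt data (salt_length octets)
 * \return signed zone; the caller takes ownership of the returned zone
 */
ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list,
		uint8_t algorithm, uint8_t flags, uint16_t iterations,
		uint8_t salt_length, uint8_t *salt);

#ifdef __cplusplus
}
#endif

#endif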