xref: /freebsd/contrib/ldns/ldns/dnssec_sign.h (revision 190cef3d52236565eb22e18b33e9e865ec634aa3)
1 /** dnssec_verify */
2 
3 #ifndef LDNS_DNSSEC_SIGN_H
4 #define LDNS_DNSSEC_SIGN_H
5 
6 #include <ldns/dnssec.h>
7 
8 #ifdef __cplusplus
9 extern "C" {
10 #endif
11 
12 /* sign functions */
13 
14 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/
15 #define LDNS_SIGN_DNSKEY_WITH_ZSK 1
16 #define LDNS_SIGN_WITH_ALL_ALGORITHMS 2
17 
18 /**
19  * Create an empty RRSIG RR (i.e. without the actual signature data)
20  * \param[in] rrset The RRset to create the signature for
21  * \param[in] key The key that will create the signature
22  * \return signature rr
23  */
24 ldns_rr *
25 ldns_create_empty_rrsig(const ldns_rr_list *rrset,
26                         const ldns_key *key);
27 
28 /**
29  * Sign the buffer which contains the wiredata of an rrset, and the
30  * corresponding empty rrsig rr with the given key
31  * \param[in] sign_buf the buffer with data to sign
32  * \param[in] key the key to sign with
33  * \return an rdata field with the signature data
34  */
35 ldns_rdf *
36 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key);
37 
38 /**
39  * Sign an rrset
40  * \param[in] rrset the rrset
41  * \param[in] keys the keys to use
42  * \return a rr_list with the signatures
43  */
44 ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys);
45 
46 #if LDNS_BUILD_CONFIG_HAVE_SSL
47 /**
48  * Sign a buffer with the DSA key (hash with SHA1)
49  * \param[in] to_sign buffer with the data
50  * \param[in] key the key to use
51  * \return a ldns_rdf with the signed data
52  */
53 ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key);
54 
55 /**
56  * Sign data with EVP (general method for different algorithms)
57  *
58  * \param[in] to_sign The ldns_buffer containing raw data that is
59  *                    to be signed
60  * \param[in] key The EVP_PKEY key structure to sign with
61  * \param[in] digest_type The digest algorithm to use in the creation of
62  *                        the signature
63  * \return ldns_rdf for the RRSIG ldns_rr
64  */
65 ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign,
66 						 EVP_PKEY *key,
67 						 const EVP_MD *digest_type);
68 
69 /**
70  * Sign a buffer with the RSA key (hash with SHA1)
71  * \param[in] to_sign buffer with the data
72  * \param[in] key the key to use
73  * \return a ldns_rdf with the signed data
74  */
75 ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key);
76 
77 /**
78  * Sign a buffer with the RSA key (hash with MD5)
79  * \param[in] to_sign buffer with the data
80  * \param[in] key the key to use
81  * \return a ldns_rdf with the signed data
82  */
83 ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key);
84 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
85 
86 /**
87  * Marks the names in the zone that are occluded. Those names will be skipped
88  * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
89  * function. But watch out! Names that are partially occluded (like glue with
90  * the same name as the delegation) will not be marked and should specifically
91  * be taken into account separately.
92  *
93  * When glue_list is given (not NULL), in the process of marking the names, all
94  * glue resource records will be pushed to that list, even glue at the delegation name.
95  *
96  * \param[in] zone the zone in which to mark the names
97  * \param[in] glue_list the list to which to push the glue rrs
98  * \return LDNS_STATUS_OK on success, an error code otherwise
99  */
100 ldns_status
101 ldns_dnssec_zone_mark_and_get_glue(
102 		ldns_dnssec_zone *zone, ldns_rr_list *glue_list);
103 
104 /**
105  * Marks the names in the zone that are occluded. Those names will be skipped
106  * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
107  * function. But watch out! Names that are partially occluded (like glue with
108  * the same name as the delegation) will not be marked and should specifically
109  * be taken into account separately.
110  *
111  * \param[in] zone the zone in which to mark the names
112  * \return LDNS_STATUS_OK on succesful completion
113  */
114 ldns_status
115 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone);
116 
117 /**
118  * Finds the first dnssec_name node in the rbtree that is not occluded.
119  * It *does* return names that are partially occluded.
120  *
121  * \param[in] node the first node to check
122  * \return the first node that has not been marked as glue, or NULL
123  * if not found (TODO: make that LDNS_RBTREE_NULL?)
124  */
125 ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node);
126 
127 /**
128  * Adds NSEC records to the given dnssec_zone
129  *
130  * \param[in] zone the zone to add the records to
131  * \param[in] new_rrs ldns_rr's created by this function are
132  *            added to this rr list, so the caller can free them later
133  * \return LDNS_STATUS_OK on success, an error code otherwise
134  */
135 ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
136 								  ldns_rr_list *new_rrs);
137 
138 /**
139  * Adds NSEC3 records to the zone
140  */
141 ldns_status
142 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
143 						 ldns_rr_list *new_rrs,
144 						 uint8_t algorithm,
145 						 uint8_t flags,
146 						 uint16_t iterations,
147 						 uint8_t salt_length,
148 						 uint8_t *salt);
149 
150 /**
151  * remove signatures if callback function tells to
152  *
153  * \param[in] signatures list of signatures to check, and
154  *            possibly remove, depending on the value of the
155  *            callback
156  * \param[in] key_list these are marked to be used or not,
157  *            on the return value of the callback
158  * \param[in] func this function is called to specify what to
159  *            do with each signature (and corresponding key)
160  * \param[in] arg Optional argument for the callback function
161  * \returns pointer to the new signatures rrs (the original
162  *          passed to this function may have been removed)
163  */
164 ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
165 									  ldns_key_list *key_list,
166 									  int (*func)(ldns_rr *, void *),
167 									  void *arg);
168 
169 /**
170  * Adds signatures to the zone
171  *
172  * \param[in] zone the zone to add RRSIG Resource Records to
173  * \param[in] new_rrs the RRSIG RRs that are created are also
174  *            added to this list, so the caller can free them
175  *            later
176  * \param[in] key_list list of keys to sign with.
177  * \param[in] func Callback function to decide what keys to
178  *            use and what to do with old signatures
179  * \param[in] arg Optional argument for the callback function
180  * \param[in] flags option flags for signing process. 0 makes DNSKEY
181  * RRset signed with the minimal key set, that is only SEP keys are used
182  * for signing. If there are no SEP keys available, non-SEP keys will
183  * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
184  * keys. 0 is the default.
185  * \return LDNS_STATUS_OK on success, error otherwise
186  */
187 ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
188 					ldns_rr_list *new_rrs,
189 					ldns_key_list *key_list,
190 					int (*func)(ldns_rr *, void*),
191 					void *arg,
192 					int flags);
193 
194 /**
195  * Adds signatures to the zone
196  *
197  * \param[in] zone the zone to add RRSIG Resource Records to
198  * \param[in] new_rrs the RRSIG RRs that are created are also
199  *            added to this list, so the caller can free them
200  *            later
201  * \param[in] key_list list of keys to sign with.
202  * \param[in] func Callback function to decide what keys to
203  *            use and what to do with old signatures
204  * \param[in] arg Optional argument for the callback function
205  * \return LDNS_STATUS_OK on success, error otherwise
206  */
207 ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
208 								   ldns_rr_list *new_rrs,
209 								   ldns_key_list *key_list,
210 								   int (*func)(ldns_rr *, void*),
211 								   void *arg);
212 
213 /**
214  * signs the given zone with the given keys
215  *
216  * \param[in] zone the zone to sign
217  * \param[in] key_list the list of keys to sign the zone with
218  * \param[in] new_rrs newly created resource records are added to this list, to free them later
219  * \param[in] func callback function that decides what to do with old signatures
220  *            This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
221  * LDNS_SIGNATURE_LEAVE_ADD_NEW:
222  * leave the signature and add a new one for the corresponding key
223  * LDNS_SIGNATURE_REMOVE_ADD_NEW:
224  * remove the signature and replace is with a new one from the same key
225  * LDNS_SIGNATURE_LEAVE_NO_ADD:
226  * leave the signature and do not add a new one with the corresponding key
227  * LDNS_SIGNATURE_REMOVE_NO_ADD:
228  * remove the signature and do not replace
229  *
230  * \param[in] arg optional argument for the callback function
231  * \param[in] flags option flags for signing process. 0 makes DNSKEY
232  * RRset signed with the minimal key set, that is only SEP keys are used
233  * for signing. If there are no SEP keys available, non-SEP keys will
234  * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
235  * keys. 0 is the default.
236  * \return LDNS_STATUS_OK on success, an error code otherwise
237  */
238 ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
239 					ldns_rr_list *new_rrs,
240 					ldns_key_list *key_list,
241 					int (*func)(ldns_rr *, void *),
242 					void *arg,
243 					int flags);
244 
245 /**
246  * signs the given zone with the given new zone, with NSEC3
247  *
248  * \param[in] zone the zone to sign
249  * \param[in] key_list the list of keys to sign the zone with
250  * \param[in] new_rrs newly created resource records are added to this list, to free them later
251  * \param[in] func callback function that decides what to do with old signatures
252  * \param[in] arg optional argument for the callback function
253  * \param[in] algorithm the NSEC3 hashing algorithm to use
254  * \param[in] flags NSEC3 flags
255  * \param[in] iterations the number of NSEC3 hash iterations to use
256  * \param[in] salt_length the length (in octets) of the NSEC3 salt
257  * \param[in] salt the NSEC3 salt data
258  * \param[in] signflags option flags for signing process. 0 is the default.
259  * \return LDNS_STATUS_OK on success, an error code otherwise
260  */
261 ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
262 				ldns_rr_list *new_rrs,
263 				ldns_key_list *key_list,
264 				int (*func)(ldns_rr *, void *),
265 				void *arg,
266 				uint8_t algorithm,
267 				uint8_t flags,
268 				uint16_t iterations,
269 				uint8_t salt_length,
270 				uint8_t *salt,
271 				int signflags);
272 
273 /**
274  * signs the given zone with the given new zone, with NSEC3
275  *
276  * \param[in] zone the zone to sign
277  * \param[in] key_list the list of keys to sign the zone with
278  * \param[in] new_rrs newly created resource records are added to this list, to free them later
279  * \param[in] func callback function that decides what to do with old signatures
280  * \param[in] arg optional argument for the callback function
281  * \param[in] algorithm the NSEC3 hashing algorithm to use
282  * \param[in] flags NSEC3 flags
283  * \param[in] iterations the number of NSEC3 hash iterations to use
284  * \param[in] salt_length the length (in octets) of the NSEC3 salt
285  * \param[in] salt the NSEC3 salt data
286  * \param[in] signflags option flags for signing process. 0 is the default.
287  * \param[out] map a referenced rbtree pointer variable. The newly created
288  *                 rbtree will contain mappings from hashed owner names to the
289  *                 unhashed name.
290  * \return LDNS_STATUS_OK on success, an error code otherwise
291  */
292 ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
293 				ldns_rr_list *new_rrs,
294 				ldns_key_list *key_list,
295 				int (*func)(ldns_rr *, void *),
296 				void *arg,
297 				uint8_t algorithm,
298 				uint8_t flags,
299 				uint16_t iterations,
300 				uint8_t salt_length,
301 				uint8_t *salt,
302 				int signflags,
303 				ldns_rbtree_t **map
304 				);
305 
306 
307 /**
308  * signs the given zone with the given keys
309  *
310  * \param[in] zone the zone to sign
311  * \param[in] key_list the list of keys to sign the zone with
312  * \param[in] new_rrs newly created resource records are added to this list, to free them later
313  * \param[in] func callback function that decides what to do with old signatures
314  *            This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
315  * LDNS_SIGNATURE_LEAVE_ADD_NEW:
316  * leave the signature and add a new one for the corresponding key
317  * LDNS_SIGNATURE_REMOVE_ADD_NEW:
318  * remove the signature and replace is with a new one from the same key
319  * LDNS_SIGNATURE_LEAVE_NO_ADD:
320  * leave the signature and do not add a new one with the corresponding key
321  * LDNS_SIGNATURE_REMOVE_NO_ADD:
322  * remove the signature and do not replace
323  *
324  * \param[in] arg optional argument for the callback function
325  * \return LDNS_STATUS_OK on success, an error code otherwise
326  */
327 ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
328 						    ldns_rr_list *new_rrs,
329 						    ldns_key_list *key_list,
330 						    int (*func)(ldns_rr *, void *),
331 						    void *arg);
332 
333 /**
334  * signs the given zone with the given new zone, with NSEC3
335  *
336  * \param[in] zone the zone to sign
337  * \param[in] key_list the list of keys to sign the zone with
338  * \param[in] new_rrs newly created resource records are added to this list, to free them later
339  * \param[in] func callback function that decides what to do with old signatures
340  * \param[in] arg optional argument for the callback function
341  * \param[in] algorithm the NSEC3 hashing algorithm to use
342  * \param[in] flags NSEC3 flags
343  * \param[in] iterations the number of NSEC3 hash iterations to use
344  * \param[in] salt_length the length (in octets) of the NSEC3 salt
345  * \param[in] salt the NSEC3 salt data
346  * \return LDNS_STATUS_OK on success, an error code otherwise
347  */
348 ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
349 								ldns_rr_list *new_rrs,
350 								ldns_key_list *key_list,
351 								int (*func)(ldns_rr *, void *),
352 								void *arg,
353 								uint8_t algorithm,
354 								uint8_t flags,
355 								uint16_t iterations,
356 								uint8_t salt_length,
357 								uint8_t *salt);
358 
359 /**
360  * Signs the zone, and returns a newly allocated signed zone
361  * \param[in] zone the zone to sign
362  * \param[in] key_list list of keys to sign with
363  * \return signed zone
364  */
365 ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list);
366 
367 /**
368  * Signs the zone with NSEC3, and returns a newly allocated signed zone
369  * \param[in] zone the zone to sign
370  * \param[in] key_list list of keys to sign with
371  * \param[in] algorithm the NSEC3 hashing algorithm to use
372  * \param[in] flags NSEC3 flags
373  * \param[in] iterations the number of NSEC3 hash iterations to use
374  * \param[in] salt_length the length (in octets) of the NSEC3 salt
375  * \param[in] salt the NSEC3 salt data
376  * \return signed zone
377  */
378 ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt);
379 
380 #ifdef __cplusplus
381 }
382 #endif
383 
384 #endif
385