1 /** dnssec_verify */ 2 3 #ifndef LDNS_DNSSEC_SIGN_H 4 #define LDNS_DNSSEC_SIGN_H 5 6 #include <ldns/dnssec.h> 7 8 #ifdef __cplusplus 9 extern "C" { 10 #endif 11 12 /* sign functions */ 13 14 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/ 15 #define LDNS_SIGN_DNSKEY_WITH_ZSK 1 16 17 /** 18 * Create an empty RRSIG RR (i.e. without the actual signature data) 19 * \param[in] rrset The RRset to create the signature for 20 * \param[in] key The key that will create the signature 21 * \return signature rr 22 */ 23 ldns_rr * 24 ldns_create_empty_rrsig(ldns_rr_list *rrset, 25 ldns_key *key); 26 27 /** 28 * Sign the buffer which contains the wiredata of an rrset, and the 29 * corresponding empty rrsig rr with the given key 30 * \param[in] sign_buf the buffer with data to sign 31 * \param[in] key the key to sign with 32 * \return an rdata field with the signature data 33 */ 34 ldns_rdf * 35 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key); 36 37 /** 38 * Sign an rrset 39 * \param[in] rrset the rrset 40 * \param[in] keys the keys to use 41 * \return a rr_list with the signatures 42 */ 43 ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys); 44 45 #if LDNS_BUILD_CONFIG_HAVE_SSL 46 /** 47 * Sign a buffer with the DSA key (hash with SHA1) 48 * \param[in] to_sign buffer with the data 49 * \param[in] key the key to use 50 * \return a ldns_rdf with the signed data 51 */ 52 ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key); 53 54 /** 55 * Sign data with EVP (general method for different algorithms) 56 * 57 * \param[in] to_sign The ldns_buffer containing raw data that is 58 * to be signed 59 * \param[in] key The EVP_PKEY key structure to sign with 60 * \param[in] digest_type The digest algorithm to use in the creation of 61 * the signature 62 * \return ldns_rdf for the RRSIG ldns_rr 63 */ 64 ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign, 65 EVP_PKEY *key, 66 const EVP_MD *digest_type); 67 68 /** 69 * Sign a buffer with the RSA key (hash with SHA1) 70 * \param[in] to_sign buffer with the data 71 * \param[in] key the key to use 72 * \return a ldns_rdf with the signed data 73 */ 74 ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key); 75 76 /** 77 * Sign a buffer with the RSA key (hash with MD5) 78 * \param[in] to_sign buffer with the data 79 * \param[in] key the key to use 80 * \return a ldns_rdf with the signed data 81 */ 82 ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key); 83 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */ 84 85 /** 86 * Marks the names in the zone that are occluded. Those names will be skipped 87 * when walking the tree with the ldns_dnssec_name_node_next_nonglue() 88 * function. But watch out! Names that are partially occluded (like glue with 89 * the same name as the delegation) will not be marked and should specifically 90 * be taken into account separately. 91 * 92 * When glue_list is given (not NULL), in the process of marking the names, all 93 * glue resource records will be pushed to that list, even glue at the delegation name. 94 * 95 * \param[in] zone the zone in which to mark the names 96 * \param[in] glue_list the list to which to push the glue rrs 97 * \return LDNS_STATUS_OK on success, an error code otherwise 98 */ 99 ldns_status 100 ldns_dnssec_zone_mark_and_get_glue( 101 ldns_dnssec_zone *zone, ldns_rr_list *glue_list); 102 103 /** 104 * Marks the names in the zone that are occluded. Those names will be skipped 105 * when walking the tree with the ldns_dnssec_name_node_next_nonglue() 106 * function. But watch out! Names that are partially occluded (like glue with 107 * the same name as the delegation) will not be marked and should specifically 108 * be taken into account separately. 109 * 110 * \param[in] zone the zone in which to mark the names 111 * \return LDNS_STATUS_OK on succesful completion 112 */ 113 ldns_status 114 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone); 115 116 /** 117 * Finds the first dnssec_name node in the rbtree that is not occluded. 118 * It *does* return names that are partially occluded. 119 * 120 * \param[in] node the first node to check 121 * \return the first node that has not been marked as glue, or NULL 122 * if not found (TODO: make that LDNS_RBTREE_NULL?) 123 */ 124 ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node); 125 126 /** 127 * Adds NSEC records to the given dnssec_zone 128 * 129 * \param[in] zone the zone to add the records to 130 * \param[in] new_rrs ldns_rr's created by this function are 131 * added to this rr list, so the caller can free them later 132 * \return LDNS_STATUS_OK on success, an error code otherwise 133 */ 134 ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone, 135 ldns_rr_list *new_rrs); 136 137 /** 138 * Adds NSEC3 records to the zone 139 */ 140 ldns_status 141 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone, 142 ldns_rr_list *new_rrs, 143 uint8_t algorithm, 144 uint8_t flags, 145 uint16_t iterations, 146 uint8_t salt_length, 147 uint8_t *salt); 148 149 /** 150 * remove signatures if callback function tells to 151 * 152 * \param[in] signatures list of signatures to check, and 153 * possibly remove, depending on the value of the 154 * callback 155 * \param[in] key_list these are marked to be used or not, 156 * on the return value of the callback 157 * \param[in] func this function is called to specify what to 158 * do with each signature (and corresponding key) 159 * \param[in] arg Optional argument for the callback function 160 * \returns pointer to the new signatures rrs (the original 161 * passed to this function may have been removed) 162 */ 163 ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures, 164 ldns_key_list *key_list, 165 int (*func)(ldns_rr *, void *), 166 void *arg); 167 168 /** 169 * Adds signatures to the zone 170 * 171 * \param[in] zone the zone to add RRSIG Resource Records to 172 * \param[in] new_rrs the RRSIG RRs that are created are also 173 * added to this list, so the caller can free them 174 * later 175 * \param[in] key_list list of keys to sign with. 176 * \param[in] func Callback function to decide what keys to 177 * use and what to do with old signatures 178 * \param[in] arg Optional argument for the callback function 179 * \param[in] flags option flags for signing process. 0 makes DNSKEY 180 * RRset signed with the minimal key set, that is only SEP keys are used 181 * for signing. If there are no SEP keys available, non-SEP keys will 182 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all 183 * keys. 0 is the default. 184 * \return LDNS_STATUS_OK on success, error otherwise 185 */ 186 ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone, 187 ldns_rr_list *new_rrs, 188 ldns_key_list *key_list, 189 int (*func)(ldns_rr *, void*), 190 void *arg, 191 int flags); 192 193 /** 194 * Adds signatures to the zone 195 * 196 * \param[in] zone the zone to add RRSIG Resource Records to 197 * \param[in] new_rrs the RRSIG RRs that are created are also 198 * added to this list, so the caller can free them 199 * later 200 * \param[in] key_list list of keys to sign with. 201 * \param[in] func Callback function to decide what keys to 202 * use and what to do with old signatures 203 * \param[in] arg Optional argument for the callback function 204 * \return LDNS_STATUS_OK on success, error otherwise 205 */ 206 ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, 207 ldns_rr_list *new_rrs, 208 ldns_key_list *key_list, 209 int (*func)(ldns_rr *, void*), 210 void *arg); 211 212 /** 213 * signs the given zone with the given keys 214 * 215 * \param[in] zone the zone to sign 216 * \param[in] key_list the list of keys to sign the zone with 217 * \param[in] new_rrs newly created resource records are added to this list, to free them later 218 * \param[in] func callback function that decides what to do with old signatures 219 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: 220 * LDNS_SIGNATURE_LEAVE_ADD_NEW: 221 * leave the signature and add a new one for the corresponding key 222 * LDNS_SIGNATURE_REMOVE_ADD_NEW: 223 * remove the signature and replace is with a new one from the same key 224 * LDNS_SIGNATURE_LEAVE_NO_ADD: 225 * leave the signature and do not add a new one with the corresponding key 226 * LDNS_SIGNATURE_REMOVE_NO_ADD: 227 * remove the signature and do not replace 228 * 229 * \param[in] arg optional argument for the callback function 230 * \param[in] flags option flags for signing process. 0 makes DNSKEY 231 * RRset signed with the minimal key set, that is only SEP keys are used 232 * for signing. If there are no SEP keys available, non-SEP keys will 233 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all 234 * keys. 0 is the default. 235 * \return LDNS_STATUS_OK on success, an error code otherwise 236 */ 237 ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone, 238 ldns_rr_list *new_rrs, 239 ldns_key_list *key_list, 240 int (*func)(ldns_rr *, void *), 241 void *arg, 242 int flags); 243 244 /** 245 * signs the given zone with the given new zone, with NSEC3 246 * 247 * \param[in] zone the zone to sign 248 * \param[in] key_list the list of keys to sign the zone with 249 * \param[in] new_rrs newly created resource records are added to this list, to free them later 250 * \param[in] func callback function that decides what to do with old signatures 251 * \param[in] arg optional argument for the callback function 252 * \param[in] algorithm the NSEC3 hashing algorithm to use 253 * \param[in] flags NSEC3 flags 254 * \param[in] iterations the number of NSEC3 hash iterations to use 255 * \param[in] salt_length the length (in octets) of the NSEC3 salt 256 * \param[in] salt the NSEC3 salt data 257 * \param[in] signflags option flags for signing process. 0 is the default. 258 * \return LDNS_STATUS_OK on success, an error code otherwise 259 */ 260 ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone, 261 ldns_rr_list *new_rrs, 262 ldns_key_list *key_list, 263 int (*func)(ldns_rr *, void *), 264 void *arg, 265 uint8_t algorithm, 266 uint8_t flags, 267 uint16_t iterations, 268 uint8_t salt_length, 269 uint8_t *salt, 270 int signflags); 271 272 /** 273 * signs the given zone with the given new zone, with NSEC3 274 * 275 * \param[in] zone the zone to sign 276 * \param[in] key_list the list of keys to sign the zone with 277 * \param[in] new_rrs newly created resource records are added to this list, to free them later 278 * \param[in] func callback function that decides what to do with old signatures 279 * \param[in] arg optional argument for the callback function 280 * \param[in] algorithm the NSEC3 hashing algorithm to use 281 * \param[in] flags NSEC3 flags 282 * \param[in] iterations the number of NSEC3 hash iterations to use 283 * \param[in] salt_length the length (in octets) of the NSEC3 salt 284 * \param[in] salt the NSEC3 salt data 285 * \param[in] signflags option flags for signing process. 0 is the default. 286 * \param[out] map a referenced rbtree pointer variable. The newly created 287 * rbtree will contain mappings from hashed owner names to the 288 * unhashed name. 289 * \return LDNS_STATUS_OK on success, an error code otherwise 290 */ 291 ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone, 292 ldns_rr_list *new_rrs, 293 ldns_key_list *key_list, 294 int (*func)(ldns_rr *, void *), 295 void *arg, 296 uint8_t algorithm, 297 uint8_t flags, 298 uint16_t iterations, 299 uint8_t salt_length, 300 uint8_t *salt, 301 int signflags, 302 ldns_rbtree_t **map 303 ); 304 305 306 /** 307 * signs the given zone with the given keys 308 * 309 * \param[in] zone the zone to sign 310 * \param[in] key_list the list of keys to sign the zone with 311 * \param[in] new_rrs newly created resource records are added to this list, to free them later 312 * \param[in] func callback function that decides what to do with old signatures 313 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: 314 * LDNS_SIGNATURE_LEAVE_ADD_NEW: 315 * leave the signature and add a new one for the corresponding key 316 * LDNS_SIGNATURE_REMOVE_ADD_NEW: 317 * remove the signature and replace is with a new one from the same key 318 * LDNS_SIGNATURE_LEAVE_NO_ADD: 319 * leave the signature and do not add a new one with the corresponding key 320 * LDNS_SIGNATURE_REMOVE_NO_ADD: 321 * remove the signature and do not replace 322 * 323 * \param[in] arg optional argument for the callback function 324 * \return LDNS_STATUS_OK on success, an error code otherwise 325 */ 326 ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone, 327 ldns_rr_list *new_rrs, 328 ldns_key_list *key_list, 329 int (*func)(ldns_rr *, void *), 330 void *arg); 331 332 /** 333 * signs the given zone with the given new zone, with NSEC3 334 * 335 * \param[in] zone the zone to sign 336 * \param[in] key_list the list of keys to sign the zone with 337 * \param[in] new_rrs newly created resource records are added to this list, to free them later 338 * \param[in] func callback function that decides what to do with old signatures 339 * \param[in] arg optional argument for the callback function 340 * \param[in] algorithm the NSEC3 hashing algorithm to use 341 * \param[in] flags NSEC3 flags 342 * \param[in] iterations the number of NSEC3 hash iterations to use 343 * \param[in] salt_length the length (in octets) of the NSEC3 salt 344 * \param[in] salt the NSEC3 salt data 345 * \return LDNS_STATUS_OK on success, an error code otherwise 346 */ 347 ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone, 348 ldns_rr_list *new_rrs, 349 ldns_key_list *key_list, 350 int (*func)(ldns_rr *, void *), 351 void *arg, 352 uint8_t algorithm, 353 uint8_t flags, 354 uint16_t iterations, 355 uint8_t salt_length, 356 uint8_t *salt); 357 358 /** 359 * Signs the zone, and returns a newly allocated signed zone 360 * \param[in] zone the zone to sign 361 * \param[in] key_list list of keys to sign with 362 * \return signed zone 363 */ 364 ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list); 365 366 /** 367 * Signs the zone with NSEC3, and returns a newly allocated signed zone 368 * \param[in] zone the zone to sign 369 * \param[in] key_list list of keys to sign with 370 * \param[in] algorithm the NSEC3 hashing algorithm to use 371 * \param[in] flags NSEC3 flags 372 * \param[in] iterations the number of NSEC3 hash iterations to use 373 * \param[in] salt_length the length (in octets) of the NSEC3 salt 374 * \param[in] salt the NSEC3 salt data 375 * \return signed zone 376 */ 377 ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt); 378 379 #ifdef __cplusplus 380 } 381 #endif 382 383 #endif 384