xref: /freebsd/contrib/ldns/ldns/dnssec_sign.h (revision e0c4386e7e71d93b0edc0c8fa156263fc4a8b0b6)
1 /** dnssec_verify */
2 
3 #ifndef LDNS_DNSSEC_SIGN_H
4 #define LDNS_DNSSEC_SIGN_H
5 
6 #include <ldns/dnssec.h>
7 
8 #ifdef __cplusplus
9 extern "C" {
10 #endif
11 
12 /* sign functions */
13 
14 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/
15 #define LDNS_SIGN_DNSKEY_WITH_ZSK            1
16 #define LDNS_SIGN_WITH_ALL_ALGORITHMS        2
17 #define LDNS_SIGN_NO_KEYS_NO_NSECS           4
18 #define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384  8
19 #define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512 16
20 
21 /**
22  * Create an empty RRSIG RR (i.e. without the actual signature data)
23  * \param[in] rrset The RRset to create the signature for
24  * \param[in] key The key that will create the signature
25  * \return signature rr
26  */
27 ldns_rr *
28 ldns_create_empty_rrsig(const ldns_rr_list *rrset,
29                         const ldns_key *key);
30 
31 /**
32  * Sign the buffer which contains the wiredata of an rrset, and the
33  * corresponding empty rrsig rr with the given key
34  * \param[in] sign_buf the buffer with data to sign
35  * \param[in] key the key to sign with
36  * \return an rdata field with the signature data
37  */
38 ldns_rdf *
39 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key);
40 
41 /**
42  * Sign an rrset
43  * \param[in] rrset the rrset
44  * \param[in] keys the keys to use
45  * \return a rr_list with the signatures
46  */
47 ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys);
48 
49 #if LDNS_BUILD_CONFIG_HAVE_SSL
50 /**
51  * Sign a buffer with the DSA key (hash with SHA1)
52  *
53  * \param[in] to_sign The ldns_buffer containing raw data that is to be signed
54  * \param[in] key The DSA key structure to sign with
55  * \return a ldns_rdf for the RRSIG ldns_rr
56  */
57 ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key);
58 
59 /**
60  * Sign data with EVP (general method for different algorithms)
61  *
62  * \param[in] to_sign The ldns_buffer containing raw data that is
63  *                    to be signed
64  * \param[in] key The EVP_PKEY key structure to sign with
65  * \param[in] digest_type The digest algorithm to use in the creation of
66  *                        the signature
67  * \return ldns_rdf for the RRSIG ldns_rr
68  */
69 ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign,
70 						 EVP_PKEY *key,
71 						 const EVP_MD *digest_type);
72 
73 /**
74  * Sign a buffer with the RSA key (hash with SHA1)
75  * \param[in] to_sign buffer with the data
76  * \param[in] key the key to use
77  * \return a ldns_rdf with the signed data
78  */
79 ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key);
80 
81 /**
82  * Sign a buffer with the RSA key (hash with MD5)
83  * \param[in] to_sign buffer with the data
84  * \param[in] key the key to use
85  * \return a ldns_rdf with the signed data
86  */
87 ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key);
88 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
89 
90 /**
91  * Marks the names in the zone that are occluded. Those names will be skipped
92  * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
93  * function. But watch out! Names that are partially occluded (like glue with
94  * the same name as the delegation) will not be marked and should specifically
95  * be taken into account separately.
96  *
97  * When glue_list is given (not NULL), in the process of marking the names, all
98  * glue resource records will be pushed to that list, even glue at the delegation name.
99  *
100  * \param[in] zone the zone in which to mark the names
101  * \param[in] glue_list the list to which to push the glue rrs
102  * \return LDNS_STATUS_OK on success, an error code otherwise
103  */
104 ldns_status
105 ldns_dnssec_zone_mark_and_get_glue(
106 		ldns_dnssec_zone *zone, ldns_rr_list *glue_list);
107 
108 /**
109  * Marks the names in the zone that are occluded. Those names will be skipped
110  * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
111  * function. But watch out! Names that are partially occluded (like glue with
112  * the same name as the delegation) will not be marked and should specifically
113  * be taken into account separately.
114  *
115  * \param[in] zone the zone in which to mark the names
116  * \return LDNS_STATUS_OK on successful completion, an error code otherwise
117  */
118 ldns_status
119 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone);
120 
121 /**
122  * Finds the first dnssec_name node in the rbtree that is not occluded.
123  * It *does* return names that are partially occluded.
124  *
125  * \param[in] node the first node to check
126  * \return the first node that has not been marked as glue, or NULL
127  * if not found (TODO: make that LDNS_RBTREE_NULL?)
128  */
129 ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node);
130 
131 /**
132  * Adds NSEC records to the given dnssec_zone
133  *
134  * \param[in] zone the zone to add the records to
135  * \param[in] new_rrs ldns_rr's created by this function are
136  *            added to this rr list, so the caller can free them later
137  * \return LDNS_STATUS_OK on success, an error code otherwise
138  */
139 ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
140 								  ldns_rr_list *new_rrs);
141 
142 /**
143  * Adds NSEC3 records to the zone
144  */
145 ldns_status
146 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
147 						 ldns_rr_list *new_rrs,
148 						 uint8_t algorithm,
149 						 uint8_t flags,
150 						 uint16_t iterations,
151 						 uint8_t salt_length,
152 						 uint8_t *salt);
153 
154 /**
155  * remove signatures if callback function tells to
156  *
157  * \param[in] signatures list of signatures to check, and
158  *            possibly remove, depending on the value of the
159  *            callback
160  * \param[in] key_list these are marked to be used or not,
161  *            on the return value of the callback
162  * \param[in] func this function is called to specify what to
163  *            do with each signature (and corresponding key)
164  * \param[in] arg Optional argument for the callback function
165  * \returns pointer to the new signatures rrs (the original
166  *          passed to this function may have been removed)
167  */
168 ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
169 									  ldns_key_list *key_list,
170 									  int (*func)(ldns_rr *, void *),
171 									  void *arg);
172 
173 /**
174  * Adds signatures to the zone
175  *
176  * \param[in] zone the zone to add RRSIG Resource Records to
177  * \param[in] new_rrs the RRSIG RRs that are created are also
178  *            added to this list, so the caller can free them
179  *            later
180  * \param[in] key_list list of keys to sign with.
181  * \param[in] func Callback function to decide what keys to
182  *            use and what to do with old signatures
183  * \param[in] arg Optional argument for the callback function
184  * \param[in] flags option flags for signing process. 0 makes DNSKEY
185  * RRset signed with the minimal key set, that is only SEP keys are used
186  * for signing. If there are no SEP keys available, non-SEP keys will
187  * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
188  * keys. 0 is the default.
189  * \return LDNS_STATUS_OK on success, error otherwise
190  */
191 ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
192 					ldns_rr_list *new_rrs,
193 					ldns_key_list *key_list,
194 					int (*func)(ldns_rr *, void*),
195 					void *arg,
196 					int flags);
197 
198 /**
199  * Adds signatures to the zone
200  *
201  * \param[in] zone the zone to add RRSIG Resource Records to
202  * \param[in] new_rrs the RRSIG RRs that are created are also
203  *            added to this list, so the caller can free them
204  *            later
205  * \param[in] key_list list of keys to sign with.
206  * \param[in] func Callback function to decide what keys to
207  *            use and what to do with old signatures
208  * \param[in] arg Optional argument for the callback function
209  * \return LDNS_STATUS_OK on success, error otherwise
210  */
211 ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
212 								   ldns_rr_list *new_rrs,
213 								   ldns_key_list *key_list,
214 								   int (*func)(ldns_rr *, void*),
215 								   void *arg);
216 
217 /**
218  * signs the given zone with the given keys
219  *
220  * \param[in] zone the zone to sign
221  * \param[in] key_list the list of keys to sign the zone with
222  * \param[in] new_rrs newly created resource records are added to this list, to free them later
223  * \param[in] func callback function that decides what to do with old signatures
224  *            This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
225  * LDNS_SIGNATURE_LEAVE_ADD_NEW:
226  * leave the signature and add a new one for the corresponding key
227  * LDNS_SIGNATURE_REMOVE_ADD_NEW:
228  * remove the signature and replace is with a new one from the same key
229  * LDNS_SIGNATURE_LEAVE_NO_ADD:
230  * leave the signature and do not add a new one with the corresponding key
231  * LDNS_SIGNATURE_REMOVE_NO_ADD:
232  * remove the signature and do not replace
233  *
234  * \param[in] arg optional argument for the callback function
235  * \param[in] flags option flags for signing process. 0 makes DNSKEY
236  * RRset signed with the minimal key set, that is only SEP keys are used
237  * for signing. If there are no SEP keys available, non-SEP keys will
238  * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
239  * keys. 0 is the default.
240  * \return LDNS_STATUS_OK on success, an error code otherwise
241  */
242 ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
243 					ldns_rr_list *new_rrs,
244 					ldns_key_list *key_list,
245 					int (*func)(ldns_rr *, void *),
246 					void *arg,
247 					int flags);
248 
249 /**
250  * signs the given zone with the given new zone, with NSEC3
251  *
252  * \param[in] zone the zone to sign
253  * \param[in] key_list the list of keys to sign the zone with
254  * \param[in] new_rrs newly created resource records are added to this list, to free them later
255  * \param[in] func callback function that decides what to do with old signatures
256  * \param[in] arg optional argument for the callback function
257  * \param[in] algorithm the NSEC3 hashing algorithm to use
258  * \param[in] flags NSEC3 flags
259  * \param[in] iterations the number of NSEC3 hash iterations to use
260  * \param[in] salt_length the length (in octets) of the NSEC3 salt
261  * \param[in] salt the NSEC3 salt data
262  * \param[in] signflags option flags for signing process. 0 is the default.
263  * \return LDNS_STATUS_OK on success, an error code otherwise
264  */
265 ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
266 				ldns_rr_list *new_rrs,
267 				ldns_key_list *key_list,
268 				int (*func)(ldns_rr *, void *),
269 				void *arg,
270 				uint8_t algorithm,
271 				uint8_t flags,
272 				uint16_t iterations,
273 				uint8_t salt_length,
274 				uint8_t *salt,
275 				int signflags);
276 
277 /**
278  * signs the given zone with the given new zone, with NSEC3
279  *
280  * \param[in] zone the zone to sign
281  * \param[in] key_list the list of keys to sign the zone with
282  * \param[in] new_rrs newly created resource records are added to this list, to free them later
283  * \param[in] func callback function that decides what to do with old signatures
284  * \param[in] arg optional argument for the callback function
285  * \param[in] algorithm the NSEC3 hashing algorithm to use
286  * \param[in] flags NSEC3 flags
287  * \param[in] iterations the number of NSEC3 hash iterations to use
288  * \param[in] salt_length the length (in octets) of the NSEC3 salt
289  * \param[in] salt the NSEC3 salt data
290  * \param[in] signflags option flags for signing process. 0 is the default.
291  * \param[out] map a referenced rbtree pointer variable. The newly created
292  *                 rbtree will contain mappings from hashed owner names to the
293  *                 unhashed name.
294  * \return LDNS_STATUS_OK on success, an error code otherwise
295  */
296 ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
297 				ldns_rr_list *new_rrs,
298 				ldns_key_list *key_list,
299 				int (*func)(ldns_rr *, void *),
300 				void *arg,
301 				uint8_t algorithm,
302 				uint8_t flags,
303 				uint16_t iterations,
304 				uint8_t salt_length,
305 				uint8_t *salt,
306 				int signflags,
307 				ldns_rbtree_t **map
308 				);
309 
310 
311 /**
312  * signs the given zone with the given keys
313  *
314  * \param[in] zone the zone to sign
315  * \param[in] key_list the list of keys to sign the zone with
316  * \param[in] new_rrs newly created resource records are added to this list, to free them later
317  * \param[in] func callback function that decides what to do with old signatures
318  *            This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
319  * LDNS_SIGNATURE_LEAVE_ADD_NEW:
320  * leave the signature and add a new one for the corresponding key
321  * LDNS_SIGNATURE_REMOVE_ADD_NEW:
322  * remove the signature and replace is with a new one from the same key
323  * LDNS_SIGNATURE_LEAVE_NO_ADD:
324  * leave the signature and do not add a new one with the corresponding key
325  * LDNS_SIGNATURE_REMOVE_NO_ADD:
326  * remove the signature and do not replace
327  *
328  * \param[in] arg optional argument for the callback function
329  * \return LDNS_STATUS_OK on success, an error code otherwise
330  */
331 ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
332 						    ldns_rr_list *new_rrs,
333 						    ldns_key_list *key_list,
334 						    int (*func)(ldns_rr *, void *),
335 						    void *arg);
336 
337 /**
338  * signs the given zone with the given new zone, with NSEC3
339  *
340  * \param[in] zone the zone to sign
341  * \param[in] key_list the list of keys to sign the zone with
342  * \param[in] new_rrs newly created resource records are added to this list, to free them later
343  * \param[in] func callback function that decides what to do with old signatures
344  * \param[in] arg optional argument for the callback function
345  * \param[in] algorithm the NSEC3 hashing algorithm to use
346  * \param[in] flags NSEC3 flags
347  * \param[in] iterations the number of NSEC3 hash iterations to use
348  * \param[in] salt_length the length (in octets) of the NSEC3 salt
349  * \param[in] salt the NSEC3 salt data
350  * \return LDNS_STATUS_OK on success, an error code otherwise
351  */
352 ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
353 								ldns_rr_list *new_rrs,
354 								ldns_key_list *key_list,
355 								int (*func)(ldns_rr *, void *),
356 								void *arg,
357 								uint8_t algorithm,
358 								uint8_t flags,
359 								uint16_t iterations,
360 								uint8_t salt_length,
361 								uint8_t *salt);
362 
363 /**
364  * Signs the zone, and returns a newly allocated signed zone
365  * \param[in] zone the zone to sign
366  * \param[in] key_list list of keys to sign with
367  * \return signed zone
368  */
369 ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list);
370 
371 /**
372  * Signs the zone with NSEC3, and returns a newly allocated signed zone
373  * \param[in] zone the zone to sign
374  * \param[in] key_list list of keys to sign with
375  * \param[in] algorithm the NSEC3 hashing algorithm to use
376  * \param[in] flags NSEC3 flags
377  * \param[in] iterations the number of NSEC3 hash iterations to use
378  * \param[in] salt_length the length (in octets) of the NSEC3 salt
379  * \param[in] salt the NSEC3 salt data
380  * \return signed zone
381  */
382 ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt);
383 
384 #ifdef __cplusplus
385 }
386 #endif
387 
388 #endif
389