xref: /freebsd/contrib/ldns/ldns/dnssec_sign.h (revision ee7b0571c2c18bdec848ed2044223cc88db29bd8)
1 /** dnssec_verify */
2 
3 #ifndef LDNS_DNSSEC_SIGN_H
4 #define LDNS_DNSSEC_SIGN_H
5 
6 #include <ldns/dnssec.h>
7 
8 #ifdef __cplusplus
9 extern "C" {
10 #endif
11 
12 /* sign functions */
13 
14 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/
15 #define LDNS_SIGN_DNSKEY_WITH_ZSK 1
16 
17 /**
18  * Create an empty RRSIG RR (i.e. without the actual signature data)
19  * \param[in] rrset The RRset to create the signature for
20  * \param[in] key The key that will create the signature
21  * \return signature rr
22  */
23 ldns_rr *
24 ldns_create_empty_rrsig(ldns_rr_list *rrset,
25                         ldns_key *key);
26 
27 /**
28  * Sign the buffer which contains the wiredata of an rrset, and the
29  * corresponding empty rrsig rr with the given key
30  * \param[in] sign_buf the buffer with data to sign
31  * \param[in] key the key to sign with
32  * \return an rdata field with the signature data
33  */
34 ldns_rdf *
35 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key);
36 
37 /**
38  * Sign an rrset
39  * \param[in] rrset the rrset
40  * \param[in] keys the keys to use
41  * \return a rr_list with the signatures
42  */
43 ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys);
44 
45 #if LDNS_BUILD_CONFIG_HAVE_SSL
46 /**
47  * Sign a buffer with the DSA key (hash with SHA1)
48  * \param[in] to_sign buffer with the data
49  * \param[in] key the key to use
50  * \return a ldns_rdf with the signed data
51  */
52 ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key);
53 
54 /**
55  * Sign data with EVP (general method for different algorithms)
56  *
57  * \param[in] to_sign The ldns_buffer containing raw data that is
58  *                    to be signed
59  * \param[in] key The EVP_PKEY key structure to sign with
60  * \param[in] digest_type The digest algorithm to use in the creation of
61  *                        the signature
62  * \return ldns_rdf for the RRSIG ldns_rr
63  */
64 ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign,
65 						 EVP_PKEY *key,
66 						 const EVP_MD *digest_type);
67 
68 /**
69  * Sign a buffer with the RSA key (hash with SHA1)
70  * \param[in] to_sign buffer with the data
71  * \param[in] key the key to use
72  * \return a ldns_rdf with the signed data
73  */
74 ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key);
75 
76 /**
77  * Sign a buffer with the RSA key (hash with MD5)
78  * \param[in] to_sign buffer with the data
79  * \param[in] key the key to use
80  * \return a ldns_rdf with the signed data
81  */
82 ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key);
83 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
84 
85 /**
86  * Marks the names in the zone that are occluded. Those names will be skipped
87  * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
88  * function. But watch out! Names that are partially occluded (like glue with
89  * the same name as the delegation) will not be marked and should specifically
90  * be taken into account separately.
91  *
92  * When glue_list is given (not NULL), in the process of marking the names, all
93  * glue resource records will be pushed to that list, even glue at the delegation name.
94  *
95  * \param[in] zone the zone in which to mark the names
96  * \param[in] glue_list the list to which to push the glue rrs
97  * \return LDNS_STATUS_OK on success, an error code otherwise
98  */
99 ldns_status
100 ldns_dnssec_zone_mark_and_get_glue(
101 		ldns_dnssec_zone *zone, ldns_rr_list *glue_list);
102 
103 /**
104  * Marks the names in the zone that are occluded. Those names will be skipped
105  * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
106  * function. But watch out! Names that are partially occluded (like glue with
107  * the same name as the delegation) will not be marked and should specifically
108  * be taken into account separately.
109  *
110  * \param[in] zone the zone in which to mark the names
111  * \return LDNS_STATUS_OK on succesful completion
112  */
113 ldns_status
114 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone);
115 
116 /**
117  * Finds the first dnssec_name node in the rbtree that is not occluded.
118  * It *does* return names that are partially occluded.
119  *
120  * \param[in] node the first node to check
121  * \return the first node that has not been marked as glue, or NULL
122  * if not found (TODO: make that LDNS_RBTREE_NULL?)
123  */
124 ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node);
125 
126 /**
127  * Adds NSEC records to the given dnssec_zone
128  *
129  * \param[in] zone the zone to add the records to
130  * \param[in] new_rrs ldns_rr's created by this function are
131  *            added to this rr list, so the caller can free them later
132  * \return LDNS_STATUS_OK on success, an error code otherwise
133  */
134 ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
135 								  ldns_rr_list *new_rrs);
136 
137 /**
138  * Adds NSEC3 records to the zone
139  */
140 ldns_status
141 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
142 						 ldns_rr_list *new_rrs,
143 						 uint8_t algorithm,
144 						 uint8_t flags,
145 						 uint16_t iterations,
146 						 uint8_t salt_length,
147 						 uint8_t *salt);
148 
149 /**
150  * remove signatures if callback function tells to
151  *
152  * \param[in] signatures list of signatures to check, and
153  *            possibly remove, depending on the value of the
154  *            callback
155  * \param[in] key_list these are marked to be used or not,
156  *            on the return value of the callback
157  * \param[in] func this function is called to specify what to
158  *            do with each signature (and corresponding key)
159  * \param[in] arg Optional argument for the callback function
160  * \returns pointer to the new signatures rrs (the original
161  *          passed to this function may have been removed)
162  */
163 ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
164 									  ldns_key_list *key_list,
165 									  int (*func)(ldns_rr *, void *),
166 									  void *arg);
167 
168 /**
169  * Adds signatures to the zone
170  *
171  * \param[in] zone the zone to add RRSIG Resource Records to
172  * \param[in] new_rrs the RRSIG RRs that are created are also
173  *            added to this list, so the caller can free them
174  *            later
175  * \param[in] key_list list of keys to sign with.
176  * \param[in] func Callback function to decide what keys to
177  *            use and what to do with old signatures
178  * \param[in] arg Optional argument for the callback function
179  * \param[in] flags option flags for signing process. 0 makes DNSKEY
180  * RRset signed with the minimal key set, that is only SEP keys are used
181  * for signing. If there are no SEP keys available, non-SEP keys will
182  * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
183  * keys. 0 is the default.
184  * \return LDNS_STATUS_OK on success, error otherwise
185  */
186 ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
187 					ldns_rr_list *new_rrs,
188 					ldns_key_list *key_list,
189 					int (*func)(ldns_rr *, void*),
190 					void *arg,
191 					int flags);
192 
193 /**
194  * Adds signatures to the zone
195  *
196  * \param[in] zone the zone to add RRSIG Resource Records to
197  * \param[in] new_rrs the RRSIG RRs that are created are also
198  *            added to this list, so the caller can free them
199  *            later
200  * \param[in] key_list list of keys to sign with.
201  * \param[in] func Callback function to decide what keys to
202  *            use and what to do with old signatures
203  * \param[in] arg Optional argument for the callback function
204  * \return LDNS_STATUS_OK on success, error otherwise
205  */
206 ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
207 								   ldns_rr_list *new_rrs,
208 								   ldns_key_list *key_list,
209 								   int (*func)(ldns_rr *, void*),
210 								   void *arg);
211 
212 /**
213  * signs the given zone with the given keys
214  *
215  * \param[in] zone the zone to sign
216  * \param[in] key_list the list of keys to sign the zone with
217  * \param[in] new_rrs newly created resource records are added to this list, to free them later
218  * \param[in] func callback function that decides what to do with old signatures
219  *            This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
220  * LDNS_SIGNATURE_LEAVE_ADD_NEW:
221  * leave the signature and add a new one for the corresponding key
222  * LDNS_SIGNATURE_REMOVE_ADD_NEW:
223  * remove the signature and replace is with a new one from the same key
224  * LDNS_SIGNATURE_LEAVE_NO_ADD:
225  * leave the signature and do not add a new one with the corresponding key
226  * LDNS_SIGNATURE_REMOVE_NO_ADD:
227  * remove the signature and do not replace
228  *
229  * \param[in] arg optional argument for the callback function
230  * \param[in] flags option flags for signing process. 0 makes DNSKEY
231  * RRset signed with the minimal key set, that is only SEP keys are used
232  * for signing. If there are no SEP keys available, non-SEP keys will
233  * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
234  * keys. 0 is the default.
235  * \return LDNS_STATUS_OK on success, an error code otherwise
236  */
237 ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
238 					ldns_rr_list *new_rrs,
239 					ldns_key_list *key_list,
240 					int (*func)(ldns_rr *, void *),
241 					void *arg,
242 					int flags);
243 
244 /**
245  * signs the given zone with the given new zone, with NSEC3
246  *
247  * \param[in] zone the zone to sign
248  * \param[in] key_list the list of keys to sign the zone with
249  * \param[in] new_rrs newly created resource records are added to this list, to free them later
250  * \param[in] func callback function that decides what to do with old signatures
251  * \param[in] arg optional argument for the callback function
252  * \param[in] algorithm the NSEC3 hashing algorithm to use
253  * \param[in] flags NSEC3 flags
254  * \param[in] iterations the number of NSEC3 hash iterations to use
255  * \param[in] salt_length the length (in octets) of the NSEC3 salt
256  * \param[in] salt the NSEC3 salt data
257  * \param[in] signflags option flags for signing process. 0 is the default.
258  * \return LDNS_STATUS_OK on success, an error code otherwise
259  */
260 ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
261 				ldns_rr_list *new_rrs,
262 				ldns_key_list *key_list,
263 				int (*func)(ldns_rr *, void *),
264 				void *arg,
265 				uint8_t algorithm,
266 				uint8_t flags,
267 				uint16_t iterations,
268 				uint8_t salt_length,
269 				uint8_t *salt,
270 				int signflags);
271 
272 /**
273  * signs the given zone with the given new zone, with NSEC3
274  *
275  * \param[in] zone the zone to sign
276  * \param[in] key_list the list of keys to sign the zone with
277  * \param[in] new_rrs newly created resource records are added to this list, to free them later
278  * \param[in] func callback function that decides what to do with old signatures
279  * \param[in] arg optional argument for the callback function
280  * \param[in] algorithm the NSEC3 hashing algorithm to use
281  * \param[in] flags NSEC3 flags
282  * \param[in] iterations the number of NSEC3 hash iterations to use
283  * \param[in] salt_length the length (in octets) of the NSEC3 salt
284  * \param[in] salt the NSEC3 salt data
285  * \param[in] signflags option flags for signing process. 0 is the default.
286  * \param[out] map a referenced rbtree pointer variable. The newly created
287  *                 rbtree will contain mappings from hashed owner names to the
288  *                 unhashed name.
289  * \return LDNS_STATUS_OK on success, an error code otherwise
290  */
291 ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
292 				ldns_rr_list *new_rrs,
293 				ldns_key_list *key_list,
294 				int (*func)(ldns_rr *, void *),
295 				void *arg,
296 				uint8_t algorithm,
297 				uint8_t flags,
298 				uint16_t iterations,
299 				uint8_t salt_length,
300 				uint8_t *salt,
301 				int signflags,
302 				ldns_rbtree_t **map
303 				);
304 
305 
306 /**
307  * signs the given zone with the given keys
308  *
309  * \param[in] zone the zone to sign
310  * \param[in] key_list the list of keys to sign the zone with
311  * \param[in] new_rrs newly created resource records are added to this list, to free them later
312  * \param[in] func callback function that decides what to do with old signatures
313  *            This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
314  * LDNS_SIGNATURE_LEAVE_ADD_NEW:
315  * leave the signature and add a new one for the corresponding key
316  * LDNS_SIGNATURE_REMOVE_ADD_NEW:
317  * remove the signature and replace is with a new one from the same key
318  * LDNS_SIGNATURE_LEAVE_NO_ADD:
319  * leave the signature and do not add a new one with the corresponding key
320  * LDNS_SIGNATURE_REMOVE_NO_ADD:
321  * remove the signature and do not replace
322  *
323  * \param[in] arg optional argument for the callback function
324  * \return LDNS_STATUS_OK on success, an error code otherwise
325  */
326 ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
327 						    ldns_rr_list *new_rrs,
328 						    ldns_key_list *key_list,
329 						    int (*func)(ldns_rr *, void *),
330 						    void *arg);
331 
332 /**
333  * signs the given zone with the given new zone, with NSEC3
334  *
335  * \param[in] zone the zone to sign
336  * \param[in] key_list the list of keys to sign the zone with
337  * \param[in] new_rrs newly created resource records are added to this list, to free them later
338  * \param[in] func callback function that decides what to do with old signatures
339  * \param[in] arg optional argument for the callback function
340  * \param[in] algorithm the NSEC3 hashing algorithm to use
341  * \param[in] flags NSEC3 flags
342  * \param[in] iterations the number of NSEC3 hash iterations to use
343  * \param[in] salt_length the length (in octets) of the NSEC3 salt
344  * \param[in] salt the NSEC3 salt data
345  * \return LDNS_STATUS_OK on success, an error code otherwise
346  */
347 ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
348 								ldns_rr_list *new_rrs,
349 								ldns_key_list *key_list,
350 								int (*func)(ldns_rr *, void *),
351 								void *arg,
352 								uint8_t algorithm,
353 								uint8_t flags,
354 								uint16_t iterations,
355 								uint8_t salt_length,
356 								uint8_t *salt);
357 
358 /**
359  * Signs the zone, and returns a newly allocated signed zone
360  * \param[in] zone the zone to sign
361  * \param[in] key_list list of keys to sign with
362  * \return signed zone
363  */
364 ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list);
365 
366 /**
367  * Signs the zone with NSEC3, and returns a newly allocated signed zone
368  * \param[in] zone the zone to sign
369  * \param[in] key_list list of keys to sign with
370  * \param[in] algorithm the NSEC3 hashing algorithm to use
371  * \param[in] flags NSEC3 flags
372  * \param[in] iterations the number of NSEC3 hash iterations to use
373  * \param[in] salt_length the length (in octets) of the NSEC3 salt
374  * \param[in] salt the NSEC3 salt data
375  * \return signed zone
376  */
377 ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt);
378 
379 #ifdef __cplusplus
380 }
381 #endif
382 
383 #endif
384