1 /** dnssec_verify */ 2 3 #ifndef LDNS_DNSSEC_SIGN_H 4 #define LDNS_DNSSEC_SIGN_H 5 6 #include <ldns/dnssec.h> 7 8 #ifdef __cplusplus 9 extern "C" { 10 #endif 11 12 /* sign functions */ 13 14 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/ 15 #define LDNS_SIGN_DNSKEY_WITH_ZSK 1 16 #define LDNS_SIGN_WITH_ALL_ALGORITHMS 2 17 18 /** 19 * Create an empty RRSIG RR (i.e. without the actual signature data) 20 * \param[in] rrset The RRset to create the signature for 21 * \param[in] key The key that will create the signature 22 * \return signature rr 23 */ 24 ldns_rr * 25 ldns_create_empty_rrsig(const ldns_rr_list *rrset, 26 const ldns_key *key); 27 28 /** 29 * Sign the buffer which contains the wiredata of an rrset, and the 30 * corresponding empty rrsig rr with the given key 31 * \param[in] sign_buf the buffer with data to sign 32 * \param[in] key the key to sign with 33 * \return an rdata field with the signature data 34 */ 35 ldns_rdf * 36 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key); 37 38 /** 39 * Sign an rrset 40 * \param[in] rrset the rrset 41 * \param[in] keys the keys to use 42 * \return a rr_list with the signatures 43 */ 44 ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys); 45 46 #if LDNS_BUILD_CONFIG_HAVE_SSL 47 /** 48 * Sign a buffer with the DSA key (hash with SHA1) 49 * \param[in] to_sign buffer with the data 50 * \param[in] key the key to use 51 * \return a ldns_rdf with the signed data 52 */ 53 ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key); 54 55 /** 56 * Sign data with EVP (general method for different algorithms) 57 * 58 * \param[in] to_sign The ldns_buffer containing raw data that is 59 * to be signed 60 * \param[in] key The EVP_PKEY key structure to sign with 61 * \param[in] digest_type The digest algorithm to use in the creation of 62 * the signature 63 * \return ldns_rdf for the RRSIG ldns_rr 64 */ 65 ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign, 66 EVP_PKEY *key, 67 const EVP_MD *digest_type); 68 69 /** 70 * Sign a buffer with the RSA key (hash with SHA1) 71 * \param[in] to_sign buffer with the data 72 * \param[in] key the key to use 73 * \return a ldns_rdf with the signed data 74 */ 75 ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key); 76 77 /** 78 * Sign a buffer with the RSA key (hash with MD5) 79 * \param[in] to_sign buffer with the data 80 * \param[in] key the key to use 81 * \return a ldns_rdf with the signed data 82 */ 83 ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key); 84 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */ 85 86 /** 87 * Marks the names in the zone that are occluded. Those names will be skipped 88 * when walking the tree with the ldns_dnssec_name_node_next_nonglue() 89 * function. But watch out! Names that are partially occluded (like glue with 90 * the same name as the delegation) will not be marked and should specifically 91 * be taken into account separately. 92 * 93 * When glue_list is given (not NULL), in the process of marking the names, all 94 * glue resource records will be pushed to that list, even glue at the delegation name. 95 * 96 * \param[in] zone the zone in which to mark the names 97 * \param[in] glue_list the list to which to push the glue rrs 98 * \return LDNS_STATUS_OK on success, an error code otherwise 99 */ 100 ldns_status 101 ldns_dnssec_zone_mark_and_get_glue( 102 ldns_dnssec_zone *zone, ldns_rr_list *glue_list); 103 104 /** 105 * Marks the names in the zone that are occluded. Those names will be skipped 106 * when walking the tree with the ldns_dnssec_name_node_next_nonglue() 107 * function. But watch out! Names that are partially occluded (like glue with 108 * the same name as the delegation) will not be marked and should specifically 109 * be taken into account separately. 110 * 111 * \param[in] zone the zone in which to mark the names 112 * \return LDNS_STATUS_OK on succesful completion 113 */ 114 ldns_status 115 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone); 116 117 /** 118 * Finds the first dnssec_name node in the rbtree that is not occluded. 119 * It *does* return names that are partially occluded. 120 * 121 * \param[in] node the first node to check 122 * \return the first node that has not been marked as glue, or NULL 123 * if not found (TODO: make that LDNS_RBTREE_NULL?) 124 */ 125 ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node); 126 127 /** 128 * Adds NSEC records to the given dnssec_zone 129 * 130 * \param[in] zone the zone to add the records to 131 * \param[in] new_rrs ldns_rr's created by this function are 132 * added to this rr list, so the caller can free them later 133 * \return LDNS_STATUS_OK on success, an error code otherwise 134 */ 135 ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone, 136 ldns_rr_list *new_rrs); 137 138 /** 139 * Adds NSEC3 records to the zone 140 */ 141 ldns_status 142 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone, 143 ldns_rr_list *new_rrs, 144 uint8_t algorithm, 145 uint8_t flags, 146 uint16_t iterations, 147 uint8_t salt_length, 148 uint8_t *salt); 149 150 /** 151 * remove signatures if callback function tells to 152 * 153 * \param[in] signatures list of signatures to check, and 154 * possibly remove, depending on the value of the 155 * callback 156 * \param[in] key_list these are marked to be used or not, 157 * on the return value of the callback 158 * \param[in] func this function is called to specify what to 159 * do with each signature (and corresponding key) 160 * \param[in] arg Optional argument for the callback function 161 * \returns pointer to the new signatures rrs (the original 162 * passed to this function may have been removed) 163 */ 164 ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures, 165 ldns_key_list *key_list, 166 int (*func)(ldns_rr *, void *), 167 void *arg); 168 169 /** 170 * Adds signatures to the zone 171 * 172 * \param[in] zone the zone to add RRSIG Resource Records to 173 * \param[in] new_rrs the RRSIG RRs that are created are also 174 * added to this list, so the caller can free them 175 * later 176 * \param[in] key_list list of keys to sign with. 177 * \param[in] func Callback function to decide what keys to 178 * use and what to do with old signatures 179 * \param[in] arg Optional argument for the callback function 180 * \param[in] flags option flags for signing process. 0 makes DNSKEY 181 * RRset signed with the minimal key set, that is only SEP keys are used 182 * for signing. If there are no SEP keys available, non-SEP keys will 183 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all 184 * keys. 0 is the default. 185 * \return LDNS_STATUS_OK on success, error otherwise 186 */ 187 ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone, 188 ldns_rr_list *new_rrs, 189 ldns_key_list *key_list, 190 int (*func)(ldns_rr *, void*), 191 void *arg, 192 int flags); 193 194 /** 195 * Adds signatures to the zone 196 * 197 * \param[in] zone the zone to add RRSIG Resource Records to 198 * \param[in] new_rrs the RRSIG RRs that are created are also 199 * added to this list, so the caller can free them 200 * later 201 * \param[in] key_list list of keys to sign with. 202 * \param[in] func Callback function to decide what keys to 203 * use and what to do with old signatures 204 * \param[in] arg Optional argument for the callback function 205 * \return LDNS_STATUS_OK on success, error otherwise 206 */ 207 ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, 208 ldns_rr_list *new_rrs, 209 ldns_key_list *key_list, 210 int (*func)(ldns_rr *, void*), 211 void *arg); 212 213 /** 214 * signs the given zone with the given keys 215 * 216 * \param[in] zone the zone to sign 217 * \param[in] key_list the list of keys to sign the zone with 218 * \param[in] new_rrs newly created resource records are added to this list, to free them later 219 * \param[in] func callback function that decides what to do with old signatures 220 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: 221 * LDNS_SIGNATURE_LEAVE_ADD_NEW: 222 * leave the signature and add a new one for the corresponding key 223 * LDNS_SIGNATURE_REMOVE_ADD_NEW: 224 * remove the signature and replace is with a new one from the same key 225 * LDNS_SIGNATURE_LEAVE_NO_ADD: 226 * leave the signature and do not add a new one with the corresponding key 227 * LDNS_SIGNATURE_REMOVE_NO_ADD: 228 * remove the signature and do not replace 229 * 230 * \param[in] arg optional argument for the callback function 231 * \param[in] flags option flags for signing process. 0 makes DNSKEY 232 * RRset signed with the minimal key set, that is only SEP keys are used 233 * for signing. If there are no SEP keys available, non-SEP keys will 234 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all 235 * keys. 0 is the default. 236 * \return LDNS_STATUS_OK on success, an error code otherwise 237 */ 238 ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone, 239 ldns_rr_list *new_rrs, 240 ldns_key_list *key_list, 241 int (*func)(ldns_rr *, void *), 242 void *arg, 243 int flags); 244 245 /** 246 * signs the given zone with the given new zone, with NSEC3 247 * 248 * \param[in] zone the zone to sign 249 * \param[in] key_list the list of keys to sign the zone with 250 * \param[in] new_rrs newly created resource records are added to this list, to free them later 251 * \param[in] func callback function that decides what to do with old signatures 252 * \param[in] arg optional argument for the callback function 253 * \param[in] algorithm the NSEC3 hashing algorithm to use 254 * \param[in] flags NSEC3 flags 255 * \param[in] iterations the number of NSEC3 hash iterations to use 256 * \param[in] salt_length the length (in octets) of the NSEC3 salt 257 * \param[in] salt the NSEC3 salt data 258 * \param[in] signflags option flags for signing process. 0 is the default. 259 * \return LDNS_STATUS_OK on success, an error code otherwise 260 */ 261 ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone, 262 ldns_rr_list *new_rrs, 263 ldns_key_list *key_list, 264 int (*func)(ldns_rr *, void *), 265 void *arg, 266 uint8_t algorithm, 267 uint8_t flags, 268 uint16_t iterations, 269 uint8_t salt_length, 270 uint8_t *salt, 271 int signflags); 272 273 /** 274 * signs the given zone with the given new zone, with NSEC3 275 * 276 * \param[in] zone the zone to sign 277 * \param[in] key_list the list of keys to sign the zone with 278 * \param[in] new_rrs newly created resource records are added to this list, to free them later 279 * \param[in] func callback function that decides what to do with old signatures 280 * \param[in] arg optional argument for the callback function 281 * \param[in] algorithm the NSEC3 hashing algorithm to use 282 * \param[in] flags NSEC3 flags 283 * \param[in] iterations the number of NSEC3 hash iterations to use 284 * \param[in] salt_length the length (in octets) of the NSEC3 salt 285 * \param[in] salt the NSEC3 salt data 286 * \param[in] signflags option flags for signing process. 0 is the default. 287 * \param[out] map a referenced rbtree pointer variable. The newly created 288 * rbtree will contain mappings from hashed owner names to the 289 * unhashed name. 290 * \return LDNS_STATUS_OK on success, an error code otherwise 291 */ 292 ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone, 293 ldns_rr_list *new_rrs, 294 ldns_key_list *key_list, 295 int (*func)(ldns_rr *, void *), 296 void *arg, 297 uint8_t algorithm, 298 uint8_t flags, 299 uint16_t iterations, 300 uint8_t salt_length, 301 uint8_t *salt, 302 int signflags, 303 ldns_rbtree_t **map 304 ); 305 306 307 /** 308 * signs the given zone with the given keys 309 * 310 * \param[in] zone the zone to sign 311 * \param[in] key_list the list of keys to sign the zone with 312 * \param[in] new_rrs newly created resource records are added to this list, to free them later 313 * \param[in] func callback function that decides what to do with old signatures 314 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: 315 * LDNS_SIGNATURE_LEAVE_ADD_NEW: 316 * leave the signature and add a new one for the corresponding key 317 * LDNS_SIGNATURE_REMOVE_ADD_NEW: 318 * remove the signature and replace is with a new one from the same key 319 * LDNS_SIGNATURE_LEAVE_NO_ADD: 320 * leave the signature and do not add a new one with the corresponding key 321 * LDNS_SIGNATURE_REMOVE_NO_ADD: 322 * remove the signature and do not replace 323 * 324 * \param[in] arg optional argument for the callback function 325 * \return LDNS_STATUS_OK on success, an error code otherwise 326 */ 327 ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone, 328 ldns_rr_list *new_rrs, 329 ldns_key_list *key_list, 330 int (*func)(ldns_rr *, void *), 331 void *arg); 332 333 /** 334 * signs the given zone with the given new zone, with NSEC3 335 * 336 * \param[in] zone the zone to sign 337 * \param[in] key_list the list of keys to sign the zone with 338 * \param[in] new_rrs newly created resource records are added to this list, to free them later 339 * \param[in] func callback function that decides what to do with old signatures 340 * \param[in] arg optional argument for the callback function 341 * \param[in] algorithm the NSEC3 hashing algorithm to use 342 * \param[in] flags NSEC3 flags 343 * \param[in] iterations the number of NSEC3 hash iterations to use 344 * \param[in] salt_length the length (in octets) of the NSEC3 salt 345 * \param[in] salt the NSEC3 salt data 346 * \return LDNS_STATUS_OK on success, an error code otherwise 347 */ 348 ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone, 349 ldns_rr_list *new_rrs, 350 ldns_key_list *key_list, 351 int (*func)(ldns_rr *, void *), 352 void *arg, 353 uint8_t algorithm, 354 uint8_t flags, 355 uint16_t iterations, 356 uint8_t salt_length, 357 uint8_t *salt); 358 359 /** 360 * Signs the zone, and returns a newly allocated signed zone 361 * \param[in] zone the zone to sign 362 * \param[in] key_list list of keys to sign with 363 * \return signed zone 364 */ 365 ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list); 366 367 /** 368 * Signs the zone with NSEC3, and returns a newly allocated signed zone 369 * \param[in] zone the zone to sign 370 * \param[in] key_list list of keys to sign with 371 * \param[in] algorithm the NSEC3 hashing algorithm to use 372 * \param[in] flags NSEC3 flags 373 * \param[in] iterations the number of NSEC3 hash iterations to use 374 * \param[in] salt_length the length (in octets) of the NSEC3 salt 375 * \param[in] salt the NSEC3 salt data 376 * \return signed zone 377 */ 378 ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt); 379 380 #ifdef __cplusplus 381 } 382 #endif 383 384 #endif 385