1 /*------------------------------------------------------------------------------
2 *
3 * Copyright (c) 2011-2021, EURid vzw. All rights reserved.
4 * The YADIFA TM software product is provided under the BSD 3-clause license:
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * * Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * * Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * * Neither the name of EURid nor the names of its contributors may be
16 * used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
23 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 *
31 *------------------------------------------------------------------------------
32 *
33 */
34
35 /** @defgroup dnskey DNSSEC keys functions
36 * @ingroup dnscore
37 * @brief
38 *
39 *
40 * @{
41 */
42 #ifndef _DNSKEY_H
43 #define _DNSKEY_H
44
45 #include <arpa/inet.h>
46 #include <dnscore/sys_types.h>
47 #include <dnscore/rfc.h>
48 #include <dnscore/dnssec_errors.h>
49 #include <dnscore/u32_set.h>
50 #include <dnscore/digest.h>
51 #include <dnscore/mutex.h>
52 #include <dnscore/output_stream.h>
53 #include <dnscore/dns_resource_record.h>
54
55 #define DNSSEC_MINIMUM_KEY_SIZE 512 // bits
56 #define DNSSEC_MAXIMUM_KEY_SIZE (8192 + 128) // bits
57
58 #define DNSSEC_DEFAULT_KEYSTORE_PATH "."
59
60 #define DNSSEC_MINIMUM_KEY_SIZE_BYTES ((DNSSEC_MINIMUM_KEY_SIZE+7)/8)
61 #define DNSSEC_MAXIMUM_KEY_SIZE_BYTES ((DNSSEC_MAXIMUM_KEY_SIZE+7)/8)
62
63 #ifdef WORDS_BIGENDIAN
64 #define DNSKEY_FLAGS_KSK 0x0101 // NATIVE
65 #define DNSKEY_FLAGS_ZSK 0x0100 // NATIVE
66 #else
67 #define DNSKEY_FLAGS_KSK 0x0101 // NATIVE
68 #define DNSKEY_FLAGS_ZSK 0x0001 // NATIVE
69 #endif
70
71 /*
72 * Extract fields from a packed record
73 *
74 */
75
76 #define DNSKEY_FLAGS_FROM_RDATA(x__) (GET_U16_AT(((u8*)(x__))[0]))
77
78 #define DNSKEY_FLAGS(x__) (GET_U16_AT((x__).rdata_start[0]))
79 #define DNSKEY_PROTOCOL(x__) ((x__).rdata_start[2])
80 #define DNSKEY_ALGORITHM(x__) ((x__).rdata_start[3])
81
82 /*
83 * Computes the key tag from a packed record
84 */
85
86 #define DNSKEY_TAG(x__) (dnskey_get_tag_from_rdata(&(x__).rdata_start[0],(x__).rdata_size))
87
88 #ifdef __cplusplus
89 extern "C"
90 {
91 #endif
92
93 #define DNSKEY_RDATA_TAG 0x445259454b534e44 /* DNSKEYRD */
94
95 #define DNSKEY_FEATURE_NSEC_CAPABLE 1
96 #define DNSKEY_FEATURE_NSEC3_CAPABLE 2
97 #define DNSKEY_FEATURE_ZONE_SIGNATURE 16
98
99 #define DNSKEY_FEATURE_ZONE_NSEC (DNSKEY_FEATURE_NSEC_CAPABLE|DNSKEY_FEATURE_ZONE_SIGNATURE)
100 #define DNSKEY_FEATURE_ZONE_NSEC3 (DNSKEY_FEATURE_NSEC3_CAPABLE|DNSKEY_FEATURE_ZONE_SIGNATURE)
101 #define DNSKEY_FEATURE_ZONE_MODERN (DNSKEY_FEATURE_NSEC_CAPABLE|DNSKEY_FEATURE_NSEC3_CAPABLE|DNSKEY_FEATURE_ZONE_SIGNATURE)
102
103 struct dnskey_features
104 {
105 const char **names;
106 u16 size_bits_min;
107 u16 size_bits_max;
108 u16 size_bits_ksk_default;
109 u16 size_bits_zsk_default;
110 u16 size_multiple;
111 u8 algorithm;
112 u8 usage;
113 };
114
115 typedef struct dnskey_features dnskey_features;
116
117 struct dnskey_raw_field_s
118 {
119 u8 *buffer;
120 u32 size;
121 };
122
123 typedef struct dnskey_raw_field_s dnskey_raw_field_t;
124
125 #define STRUCTDESCRIPTOR_NONE 0
126 #define STRUCTDESCRIPTOR_BN 1
127 #define STRUCTDESCRIPTOR_U16 2
128 #define STRUCTDESCRIPTOR_RAW 3
129
130 struct dnskey_field_access
131 {
132 //const char* name;
133 const char name[24];
134 size_t relative;
135 int type;
136 };
137
138 typedef struct dnskey_field_access dnskey_field_access;
139
140 struct parser_s;
141
142 ya_result dnskey_field_access_parse(const struct dnskey_field_access *sd, void *base, struct parser_s *p);
143 ya_result dnskey_field_access_print(const struct dnskey_field_access *sd, const void *base, output_stream *os);
144
145 struct dnssec_key_vtbl;
146 typedef struct dnssec_key_vtbl dnssec_key_vtbl;
147
148 typedef struct dnssec_key_contextmethods dnssec_key_contextmethods;
149
150 #ifdef SSL_API
151
152 union dnssec_key_data
153 {
154 void* any;
155 RSA* rsa;
156 DSA* dsa;
157 #if HAS_ECDSA_SUPPORT
158 EC_KEY* ec;
159 #endif
160 #if HAS_EDDSA_SUPPORT
161 EVP_PKEY* ed;
162 #endif
163 };
164
165 #else
166 union dnssec_key_data
167 {
168 void* any;
169 };
170
171 #endif
172
173 typedef union dnssec_key_data dnssec_key_data;
174
175 typedef struct dnssec_key dnssec_key;
176
177 typedef ya_result dnskey_algorithm_newinstance(u32 size, u8 algorithm, u16 flags, const char* origin, dnssec_key** out_key);
178
179 #define DNSKEY_KEY_IS_PRIVATE 0x0001
180 #define DNSKEY_KEY_TAG_SET 0x0002 // not always needed
181 #define DNSKEY_KEY_IS_FROM_DISK 0x0004 // for generated keys
182 #define DNSKEY_KEY_IS_MARKED 0x0008 // for marking a key (key manager update algorithm)
183 #define DNSKEY_KEY_IS_VALID 0x0010 // the key is public with all its fields set
184 #define DNSKEY_KEY_IS_IN_ZONE 0x0020 // the key is at the apex of its zone
185 #define DNSKEY_KEY_IS_ACTIVE 0x0040 // the key is already used for signature
186 #define DNSKEY_KEY_PUBLISH_ARMED 0x0080
187 #define DNSKEY_KEY_ACTIVATE_ARMED 0x0100
188 #define DNSKEY_KEY_DEACTIVATE_ARMED 0x0200
189 #define DNSKEY_KEY_DELETE_ARMED 0x0400
190
191 #define DNSKEY_KEY_HAS_SMART_FIELD_CREATED 0x0800
192 #define DNSKEY_KEY_HAS_SMART_FIELD_PUBLISH 0x1000
193 #define DNSKEY_KEY_HAS_SMART_FIELD_ACTIVATE 0x2000
194 #define DNSKEY_KEY_HAS_SMART_FIELD_INACTIVE 0x4000
195 #define DNSKEY_KEY_HAS_SMART_FIELD_DELETE 0x8000
196
197 /* Hash should be tag<<8 | algorithm */
198 struct dnssec_key
199 {
200 struct dnssec_key *next;
201 const dnssec_key_vtbl *vtbl;
202 char *origin;
203 u8 *owner_name; // = zone origin
204
205 dnssec_key_data key; // RSA* or DSA* or any crypto-lib specific pointer
206 s64 timestamp; // the file modification time of the private key (to avoid reloading)
207 int nid; // NID_sha1, NID_md5
208 volatile int rc;
209
210 time_t epoch_created;
211 time_t epoch_publish; // if not published yet, at that time, it needs to be added in the zone
212 time_t epoch_activate; // if not activated yet, at that time, it needs to be used for signatures
213 time_t epoch_inactive; // if active, at that time, it needs to stop being used for signatures
214 time_t epoch_delete; // if still in the zone, at that time, it needs to be removed from the zone
215
216 u16 flags;
217 u16 tag;
218 u8 algorithm;
219 u32 status; // Is the key "private", has the tag been computed, ...
220
221 /*
222 * Later, add a list of (wannabe) signers and for each of these
223 * if said signature has been verified, not verified or is wrong
224 */
225 };
226
227 typedef struct dnssec_key_sll dnssec_key_sll;
228
229 struct dnssec_key_sll
230 {
231 struct dnssec_key_sll* next;
232 dnssec_key* key;
233 };
234
235 typedef void dnssec_key_free_method(dnssec_key *key);
236 typedef u32 dnssec_key_rdatasize_method(const dnssec_key *key);
237 typedef u32 dnssec_key_writerdata_method(const dnssec_key *key, u8 *output, size_t output_size);
238 typedef ya_result dnssec_key_sign_digest_method(const dnssec_key *key, const u8 *digest, u32 digest_len, u8 *output);
239 typedef bool dnssec_key_verify_digest_method(const dnssec_key *key, const u8 *digest, u32 digest_len, const u8 *signature, u32 signature_len);
240 typedef bool dnssec_key_equals_method(const dnssec_key *key_a, const dnssec_key *key_b);
241 typedef ya_result dnssec_key_private_print_fields_method(dnssec_key *key, output_stream *os);
242 typedef u32 dnssec_key_size_method(const dnssec_key *key);
243
244 struct dnssec_key_vtbl
245 {
246 dnssec_key_sign_digest_method *dnssec_key_sign_digest;
247 dnssec_key_verify_digest_method *dnssec_key_verify_digest;
248 dnssec_key_rdatasize_method *dnssec_key_rdatasize;
249 dnssec_key_writerdata_method *dnssec_key_writerdata;
250 dnssec_key_free_method *dnssec_key_free;
251 dnssec_key_equals_method *dnssec_key_equals;
252 dnssec_key_private_print_fields_method *dnssec_key_print_fields;
253 dnssec_key_size_method *dnssec_key_size;
254 const char *__class__;
255 };
256
257 struct dnskey_field_parser;
258
259 typedef ya_result dnskey_field_parser_parse_field_method(struct dnskey_field_parser *, struct parser_s *);
260 typedef ya_result dnskey_field_parser_set_key_method(struct dnskey_field_parser *, dnssec_key *);
261 typedef void dnskey_field_parser_finalize_method(struct dnskey_field_parser *);
262
263 struct dnskey_field_parser_vtbl
264 {
265 dnskey_field_parser_parse_field_method *parse_field;
266 dnskey_field_parser_set_key_method *set_key;
267 dnskey_field_parser_finalize_method *finalise;
268 const char *__class__;
269 };
270
271 struct dnskey_field_parser
272 {
273 void *data;
274 const struct dnskey_field_parser_vtbl *vtbl;
275 };
276
277 typedef struct dnskey_field_parser dnskey_field_parser;
278
279
280 /**
281 * Initialises internal structures
282 */
283
284 void dnskey_init();
285
286 /**
287 * Initialises an empty instance of a DNSKEY
288 * No cryptographic content is put in the key.
289 * Needs further setup.
290 *
291 * @param algorithm the algorithm of the key.
292 * @param flags the flags of the key
293 * @param origin the origin of the key
294 *
295 * @return a pointer to an empty instance (no real key attached) of a key.
296 */
297
298 dnssec_key *dnskey_newemptyinstance(u8 algorithm,u16 flags,const char *origin);
299
300 /**
301 * Generate a (public) key using the RDATA
302 *
303 * @param rdata
304 * @param rdata_size
305 * @param origin
306 * @param out_key points to a pointer for the instantiated key
307 *
308 * @return an error code (success or error)
309 */
310
311 ya_result dnskey_new_from_rdata(const u8 *rdata, u16 rdata_size, const u8 *origin, dnssec_key **out_key);
312
313 /**
314 * Increases the reference count on a dnssec_key
315 *
316 * @param key
317 */
318
319 void dnskey_acquire(dnssec_key *key);
320
321 /**
322 * Releases the reference count on a dnssec_key.
323 * Uses the tag, flags, algorithm, origin and key content.
324 *
325 * @param a
326 * @param b
327 */
328
329 void dnskey_release(dnssec_key *key);
330
331 /**
332 *
333 * Compares two keys for equality on a cryptographic point of view
334 * Uses the tag, flags, algorithm and origin.
335 *
336 * @param a
337 * @param b
338 *
339 * @return TRUE iff the keys are the same.
340 */
341
342 bool dnskey_equals(const dnssec_key *a, const dnssec_key *b);
343
344 /**
345 *
346 * Compares two keys for equality on a cryptographic point of view
347 * Uses the tag, flags, algorithm, origin and public key content.
348 *
349 * @param a
350 * @param b
351 *
352 * @return TRUE iff the keys are the same.
353 */
354
355 bool dnskey_public_equals(const dnssec_key *a, const dnssec_key *b);
356
357 /**
358 * Returns TRUE if the tag and algorithm of the rdata are matching the ones of the key.
359 *
360 * @param key
361 * @param rdata
362 * @param rdata_size
363 * @return
364 */
365
366 bool dnskey_matches_rdata(const dnssec_key *key, const u8 *rdata, u16 rdata_size);
367
368 /**
369 * Returns TRUE if an only if the tag has already been computed and
370 * stored in the dnssec key.
371 *
372 * @param key
373 * @return TRUE iff the tag is already known
374 */
375
dnssec_key_tag_field_set(const dnssec_key * key)376 static inline bool dnssec_key_tag_field_set(const dnssec_key *key)
377 {
378 return (key->status & DNSKEY_KEY_TAG_SET) != 0;
379 }
380
381 /**
382 * Returns the key tag.
383 * The key tag generated by this function is stored in the dnssec key to
384 * make further calls instant. This is why the parameter is not "const".
385 *
386 * @param key
387 * @return
388 */
389
390 u16 dnskey_get_tag(dnssec_key *key);
391
392 /**
393 * Returns the key tag.
394 * If the key tag is not cached in the key, computes it.
395 * The tag is not cached in the key after this call.
396 *
397 * @param key
398 * @return
399 */
400
401 u16 dnskey_get_tag_const(const dnssec_key *key);
402
403 /**
404 * Returns the algorithm of the key.
405 *
406 * @param key
407 * @param keyp
408 */
409
410 u8 dnskey_get_algorithm(const dnssec_key *key);
411
412 /**
413 * Returns a pointer to the domain of the key.
414 *
415 * @param key
416 * @return
417 */
418
419 const u8 *dnskey_get_domain(const dnssec_key *key);
420
421 /**
422 * Returns TRUE if and only if the key is a private key.
423 *
424 * @return TRUE iff the key is private.
425 */
426
427 bool dnskey_is_private(const dnssec_key *key);
428
429 /**
430 * Adds/Remove a key from a key chain.
431 * The 'next' field of the key is used.
432 * A key can only be in one chain at a time.
433 * This is meant to be used in the keystore.
434 *
435 * RC ok
436 *
437 * @param keyp
438 */
439
440 void dnskey_add_to_chain(dnssec_key *key, dnssec_key **keyp);
441
442 /**
443 * Adds/Remove a key from a key chain.
444 * The 'next' field of the key is used.
445 * A key can only be in one chain at a time.
446 * This is meant to be used in the keystore.
447 *
448 * RC ok
449 *
450 * @param keyp
451 */
452
453 void dnskey_remove_from_chain(dnssec_key *key, dnssec_key **keyp);
454
455 /**
456 * Generates a key tag from the DNSKEY RDATA wire
457 *
458 * @param dnskey_rdata
459 * @param dnskey_rdata_size
460 * @return
461 */
462
463 u16 dnskey_get_tag_from_rdata(const u8 *dnskey_rdata, u32 dnskey_rdata_size);
464
465 /**
466 * Returns the flag of a dnskey from its rdata
467 *
468 * @param dnskey rdata
469 *
470 * @return
471 */
472
dnskey_get_flags_from_rdata(const u8 * dnskey_rdata)473 static inline u16 dnskey_get_flags_from_rdata(const u8 *dnskey_rdata)
474 {
475 return GET_U16_AT_P(dnskey_rdata);
476 }
477
478 /**
479 * Returns the protocol of a dnskey from its rdata
480 *
481 * @param dnskey rdata
482 *
483 * @return
484 */
485
dnskey_get_protocol_from_rdata(const u8 * dnskey_rdata)486 static inline u8 dnskey_get_protocol_from_rdata(const u8 *dnskey_rdata)
487 {
488 return dnskey_rdata[2];
489 }
490
491 /**
492 * Returns the algorithm of a dnskey from its rdata
493 *
494 * @param dnskey rdata
495 *
496 * @return
497 */
498
dnskey_get_algorithm_from_rdata(const u8 * dnskey_rdata)499 static inline u8 dnskey_get_algorithm_from_rdata(const u8 *dnskey_rdata)
500 {
501 return dnskey_rdata[3];
502 }
503
504 /**
505 * Reference implementation function to generate a key tag from the DNSKEY RDATA wire
506 *
507 * @param dnskey_rdata
508 * @param dnskey_rdata_size
509 * @return
510 */
511
512 unsigned int dnskey_get_tag_from_rdata_reference(unsigned char key[], /* the RDATA part of the DNSKEY RR */
513 unsigned int keysize /* the RDLENGTH */
514 );
515
516 /**
517 * Generate the RDATA of a DS records using the RDATA from a DSNKEY record
518 *
519 * @param digest_type the type of DS
520 * @param dnskey_fqdn the domain of the record
521 * @param dnskey_rdata the rdata of the DNSKEY
522 * @param dnskey_rdata_size the size of the rdata of the DNSKEY
523 * @param out_rdata the output buffer that has to be the right size (known given digest_type)
524 * @return
525 */
526
527 ya_result dnskey_generate_ds_rdata(u8 digest_type, const u8 *dnskey_fqdn, const u8 *dnskey_rdata,u16 dnskey_rdata_size, u8 *out_rdata);
528
529 /**
530 * Initialises the context for a key algorithm.
531 *
532 * @param ctx
533 * @param algorithm
534 * @return
535 */
536
537 ya_result dnskey_digest_init(digest_s *ctx, u8 algorithm);
538
539 /**
540 *
541 * @param os output stream
542 * @param num the number to write
543 * @return
544 */
545
546 ya_result dnskey_write_bignum_as_base64_to_stream(const BIGNUM *num, output_stream *os);
547
548 void dnskey_set_created_epoch(dnssec_key *key, time_t t);
549
550 /**
551 * Returns the most relevant publication time.
552 *
553 * publish > activate > created > now
554 *
555 * @param key
556 * @return
557 */
558
559 time_t dnskey_get_publish_epoch(const dnssec_key *key);
560 void dnskey_set_publish_epoch(dnssec_key *key, time_t t);
561
562 /**
563 * Returns the most relevant activation time.
564 *
565 * activate > publish > created > now
566 *
567 * @param key
568 * @return
569 */
570
571 time_t dnskey_get_activate_epoch(const dnssec_key *key);
572 void dnskey_set_activate_epoch(dnssec_key *key, time_t t);
573
574 /**
575 * Returns the most relevant revocation time.
576 *
577 * revoke > never
578 *
579 * @param key
580 * @return
581 */
582
583 time_t dnskey_get_revoke_epoch(const dnssec_key *key);
584 void dnskey_set_revoke_epoch(dnssec_key *key, time_t t);
585
586 /**
587 * Returns the most relevant inactivation time.
588 *
589 * inactive > delete > never
590 *
591 * @param key
592 * @return
593 */
594
595 time_t dnskey_get_inactive_epoch(const dnssec_key *key);
596 void dnskey_set_inactive_epoch(dnssec_key *key, time_t t);
597
598 /**
599 * Returns the most relevant delete time.
600 *
601 * delete > inactive > never
602 *
603 * @param key
604 * @return
605 */
606
607 time_t dnskey_get_delete_epoch(const dnssec_key *key);
608 void dnskey_set_delete_epoch(dnssec_key *key, time_t t);
609
610 ya_result dnskey_new_public_key_from_stream(input_stream *is, dnssec_key** keyp);
611
612 /**
613 * Loads a public key from a file.
614 *
615 * ie: Keu.+007+12345.key
616 *
617 * RC ok
618 *
619 * @param filename
620 * @param keyp
621 * @return
622 */
623
624 ya_result dnskey_new_public_key_from_file(const char *filename, dnssec_key **keyp);
625
626 ya_result dnskey_add_private_key_from_stream(input_stream *is, dnssec_key *key, const char* path, u8 algorithm);
627
628 /**
629 * Loads a private key from a file.
630 *
631 * ie: Keu.+007+12345.private
632 *
633 * The public key must be in the same folder as the private key.
634 *
635 * ie: Keu.+007+12345.key
636 *
637 * RC ok
638 *
639 * @param filename
640 * @param keyp
641 * @return
642 */
643
644 ya_result dnskey_new_private_key_from_file(const char *filename, dnssec_key **keyp);
645
646 /**
647 * Returns the keytag from its DS rdata in network order
648 *
649 * @param rdata
650 * @return
651 */
652
ds_get_wire_keytag_from_rdata(const u8 * rdata)653 static inline u16 ds_get_wire_keytag_from_rdata(const u8 *rdata)
654 {
655 u16 ds_keytag = GET_U16_AT_P(rdata);
656 return ds_keytag;
657 }
658
659 /**
660 * Returns the keytag from its DS rdata
661 *
662 * @param rdata
663 * @return
664 */
665
ds_get_keytag_from_rdata(const u8 * rdata)666 static inline u16 ds_get_keytag_from_rdata(const u8 *rdata)
667 {
668 u16 ds_keytag = ntohs(ds_get_wire_keytag_from_rdata(rdata));
669 return ds_keytag;
670 }
671
672 /**
673 * Returns the algorithm from its DS rdata
674 *
675 * @param rdata
676 * @return
677 */
678
ds_get_algorithm_from_rdata(const u8 * rdata)679 static inline u8 ds_get_algorithm_from_rdata(const u8 *rdata)
680 {
681 u8 ds_algorithm = rdata[2];
682 return ds_algorithm;
683 }
684
685 /**
686 * Returns the digest algorithm from its DS rdata
687 *
688 * @param rdata
689 * @return
690 */
691
ds_get_digesttype_from_rdata(const u8 * rdata)692 static inline u8 ds_get_digesttype_from_rdata(const u8 *rdata)
693 {
694 u8 ds_digesttype = rdata[3];
695 return ds_digesttype;
696 }
697
698 /**
699 *
700 * Save the private part of a key to a stream
701 *
702 * @param key
703 * @param filename
704 * @return
705 */
706
707 void dnskey_store_private_key_to_stream(dnssec_key *key, output_stream *os);
708
709 /**
710 *
711 * Save the private part of a key to a file with the given name
712 *
713 * @param key
714 * @param filename
715 * @return
716 */
717
718 ya_result dnskey_store_private_key_to_file(dnssec_key *key, const char *filename);
719
720 /**
721 *
722 * Save the public part of a key to a stream
723 *
724 * @param key
725 * @param filename
726 * @return
727 */
728
729 ya_result dnskey_store_public_key_to_stream(dnssec_key *key, output_stream *os);
730
731 /**
732 *
733 * Save the public part of a key to a file with the given name
734 *
735 * @param key
736 * @param filename
737 * @return
738 */
739
740 ya_result dnskey_store_public_key_to_file(dnssec_key *key, const char *filename);
741
742 /**
743 * Save the private part of a key to a dir
744 *
745 * @param key
746 * @param dirname
747 * @return
748 */
749
750 ya_result dnskey_store_private_key_to_dir(dnssec_key *key, const char *dirname);
751
752 /**
753 *
754 * Saves the public part of the key in a dir
755 *
756 * @param key
757 * @param dirname
758 * @return
759 */
760
761 ya_result dnskey_store_public_key_to_dir(dnssec_key *key, const char *dirname);
762
763 /**
764 * Save both parts of the key to the directory.
765 *
766 * @param key
767 * @param dir
768 *
769 * @return an error code
770 */
771
772 ya_result dnskey_store_keypair_to_dir(dnssec_key *key, const char *dir);
773
774 ya_result dnskey_delete_public_key_from_dir(dnssec_key *key, const char *dirname);
775 ya_result dnskey_delete_private_key_from_dir(dnssec_key *key, const char *dirname);
776 ya_result dnskey_delete_keypair_from_dir(dnssec_key *key, const char *dirname);
777
778 bool dnskey_is_expired(const dnssec_key *key, time_t now);
779 bool dnskey_is_expired_now(const dnssec_key *key);
780 bool dnskey_is_revoked(const dnssec_key *key);
781 int dnskey_get_size(const dnssec_key *key);
782 u16 dnskey_get_flags(const dnssec_key *key);
783 void dnskey_state_enable(dnssec_key *key, u32 status);
784 void dnskey_state_disable(dnssec_key *key, u32 status);
785 u32 dnskey_state_get(const dnssec_key *key);
786
787 /**
788 * Returns true if the key is supposed to have been added in the zone at the chosen time already.
789 *
790 * @param key
791 * @param t
792 * @return
793 */
794
795 bool dnskey_is_published(const dnssec_key *key, time_t t);
796
797 /**
798 * Returns true if the key is supposed to have been removed from the zone at the chosen time already.
799 *
800 * @param key
801 * @param t
802 * @return
803 */
804
805 bool dnskey_is_unpublished(const dnssec_key *key, time_t t);
806
807 /**
808 * Returns true if the key is supposed to be used for signatures.
809 *
810 * @param key
811 * @param t
812 * @return
813 */
814
815 bool dnskey_is_activated(const dnssec_key *key, time_t t);
816
817 /**
818 * Assumes we are in 'leniency' seconds in the future for activation (and in the present for deactivation)
819 */
820
821 bool dnskey_is_activated_lenient(const dnssec_key *key, time_t t, u32 leniency);
822
823 /**
824 * Returns true if the key must not be used for signatures anymore.
825 *
826 * @param key
827 * @param t
828 * @return
829 */
830
831 bool dnskey_is_deactivated(const dnssec_key *key, time_t t);
832
dnskey_get_created_epoch(const dnssec_key * key)833 static inline time_t dnskey_get_created_epoch(const dnssec_key *key)
834 {
835 return key->epoch_created;
836 }
837
838 bool dnskey_has_explicit_publish(const dnssec_key *key);
839
840 bool dnskey_has_explicit_delete(const dnssec_key *key);
841
842 bool dnskey_has_explicit_activate(const dnssec_key *key);
843
844 bool dnskey_has_explicit_deactivate(const dnssec_key *key);
845
846 bool dnskey_has_explicit_publish_or_delete(const dnssec_key *key);
847
848 bool dnskey_has_explicit_publish_and_delete(const dnssec_key *key);
849
850 bool dnskey_has_activate_and_deactivate(const dnssec_key *key);
851
852 bool dnskey_has_explicit_publish_or_delete(const dnssec_key *key);
853
854 bool dnskey_has_activate_or_deactivate(const dnssec_key *key);
855
856 ya_result dnskey_newinstance(u32 size, u8 algorithm, u16 flags, const char* origin, dnssec_key** out_key);
857
858 u8 dnskey_supported_algorithm_count();
859
860 const dnskey_features* dnskey_supported_algorithm_by_index(u8 index);
861
862 const dnskey_features* dnskey_supported_algorithm(u8 algorithm);
863
864 void dnskey_init_dns_resource_record(dnssec_key *key, s32 ttl, dns_resource_record *rr);
865
866 #ifdef __cplusplus
867 }
868 #endif
869
870 #endif /* _DNSKEY_H */
871
872 /** @} */
873