1 /*------------------------------------------------------------------------------ 2 * 3 * Copyright (c) 2011-2021, EURid vzw. All rights reserved. 4 * The YADIFA TM software product is provided under the BSD 3-clause license: 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 10 * * Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * * Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * * Neither the name of EURid nor the names of its contributors may be 16 * used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 23 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 *------------------------------------------------------------------------------ 32 * 33 */ 34 35 /** @defgroup dnskey DNSSEC keys functions 36 * @ingroup dnsdbdnssec 37 * @brief 38 * 39 * The dnssec keystore handles loading and updating of keys system-wide. 40 * 41 * It is required for an efficient key management and smart signing. 42 * 43 * It has knowledge of how to find keys for a zone. 44 * It has the responsibility to update the keys when asked. 45 * 46 * Its responsibilities may be extended to notify the system about timings. 47 * 48 * @{ 49 */ 50 51 #pragma once 52 53 /*------------------------------------------------------------------------------ 54 * 55 * USE INCLUDES */ 56 #include <openssl/engine.h> 57 58 #include <dnscore/sys_types.h> 59 #include <dnscore/dnskey.h> 60 #include <dnsdb/zdb_zone.h> 61 62 #if !ZDB_HAS_DNSSEC_SUPPORT 63 #error "Please do not include dnssec_keystore.h if ZDB_HAS_DNSSEC_SUPPORT is 0 (Not NSEC3 nor NSEC)" 64 #endif 65 66 67 #ifdef __cplusplus 68 extern "C" { 69 #endif 70 71 struct dnssec_keystore; 72 73 /** 74 * 75 * Initialises the keystore 76 * 77 * @param ks 78 */ 79 80 void dnssec_keystore_init(); 81 82 /** 83 * Adds the knowledge of domain<->path 84 * Set path to NULL to use the default value 85 * 86 * Can overwrite a previous value 87 * 88 * @param ks 89 * @param domain 90 * @param path 91 */ 92 93 void dnssec_keystore_add_domain(const u8 *domain, const char *path); 94 95 /** 96 * Remove the knowledge of domain<->path 97 * 98 * @param ks 99 * @param domain 100 * @param path 101 */ 102 103 void dnssec_keystore_remove_domain(const u8 *domain, const char *path); 104 105 /** 106 * 107 * Add a key to the keystore, do nothing if a key with the same tag and algorithm is 108 * in the keystore for that domain already 109 * 110 * RC ok 111 * 112 * @param ks 113 * @param key 114 * 115 * @return TRUE iff the key was added 116 */ 117 118 bool dnssec_keystore_add_key(dnssec_key *key); 119 120 /** 121 * 122 * Replace a key from the keystore, release the replaced key 123 * 124 * RC ok 125 * 126 * @param ks 127 * @param key 128 * 129 * @return TRUE iff the key was added 130 */ 131 132 bool dnssec_keystore_replace_key(dnssec_key *key); 133 134 /** 135 * 136 * Removes a key from the keystore 137 * Does not releases the key 138 * 139 * RC ok 140 * 141 * @param ks 142 * @param key 143 * 144 * @return the instance of the key from the keystore, or NULL if the key was not found 145 */ 146 147 dnssec_key *dnssec_keystore_remove_key(dnssec_key *key); 148 149 /** 150 * Removes a key from the keystore, if possible. 151 * Renames both key files adding suffix of the creation time plus bak 152 * Does not return any error code as it's a best effort kind of thing. 153 * 154 * @param key 155 */ 156 157 void dnssec_keystore_delete_key(dnssec_key *key); 158 159 /** 160 * 161 * Retrieves a key from the keystore 162 * 163 * RC ok 164 * 165 * @param ks 166 * @param domain 167 * @param tag 168 * @return the key or NULL if it does not exist 169 */ 170 171 dnssec_key *dnssec_keystore_acquire_key_from_fqdn_with_tag(const u8 *domain, u16 tag); 172 173 /** 174 * Returns the nth key from the domain or NULL if no such key exist 175 * 176 * RC ok 177 * 178 * @return a dnskey 179 */ 180 181 dnssec_key *dnssec_keystore_acquire_key_from_fqdn_by_index(const u8 *domain, int idx); 182 183 /** 184 * Returns TRUE iff the domain has an activaed KSK with its private part loaded. 185 */ 186 187 bool dnssec_keystore_has_usable_ksk(const u8 *domain, time_t attime); 188 189 /** 190 * Returns true iff the key for theddomain+algorithm+tag is active at 'now' 191 * 192 * @param domain 193 * @param algorithm 194 * @param tag 195 * @param now 196 * 197 * @return 198 */ 199 200 bool dnssec_keystore_is_key_active(const u8 *domain, u8 algorithm, u16 tag, time_t now); 201 202 /** 203 * Acquires all the currently activated keys and store them to the appropriate 204 * KSK or ZSK collection ptr_vector. 205 * 206 * @param domain 207 * @param ksks 208 * @param zsks 209 * @return 210 */ 211 212 int dnssec_keystore_acquire_activated_keys_from_fqdn_to_vectors(const u8 *domain, ptr_vector *ksks, ptr_vector *zsks); 213 214 /** 215 * Acquires all the currently publishable keys and store them to the appropriate 216 * KSK or ZSK collection ptr_vector. 217 * 218 * If no publish/delete field is available, uses active/inactive fields instead. 219 * No fields means no action. 220 * 221 * @param domain 222 * @param ksks 223 * @param zsks 224 * @return 225 */ 226 227 int dnssec_keystore_acquire_published_keys_from_fqdn_to_vectors(const u8 *domain, ptr_vector *ksks, ptr_vector *zsks); 228 229 /** 230 * Acquires all the keys that should be published and deleted and store them to the appropriate collection ptr_vector. 231 * 232 * If no publish/delete field is available, uses active/inactive fields instead. 233 * No fields means no action. 234 * 235 * @param domain 236 * @param ksks 237 * @param zsks 238 * @return 239 */ 240 241 int dnssec_keystore_acquire_publish_delete_keys_from_fqdn_to_vectors(const u8 *domain, ptr_vector *publish_keys, ptr_vector *delete_keys); 242 /** 243 * Releases all the keys from a vector. 244 * 245 * @param keys 246 */ 247 248 void dnssec_keystore_release_keys_from_vector(ptr_vector *keys); 249 250 /** 251 * 252 * Retrieves a key from the keystore 253 * 254 * RC ok 255 * 256 * @param ks 257 * @param domain 258 * @param tag 259 * @return 260 */ 261 262 dnssec_key *dnssec_keystore_acquire_key_from_name(const char *domain, u16 tag); 263 264 /** 265 * Returns the nth key from the domain or NULL if no such key exist 266 * 267 * RC ok 268 * 269 * @return a dnskey 270 */ 271 272 dnssec_key *dnssec_keystore_acquire_key_from_name_by_index(const char *domain, int idx); 273 274 /** 275 * 276 * (Re)loads keys found in the paths of the keystore 277 * 278 * @param ks 279 * @return 280 */ 281 282 ya_result dnssec_keystore_reload(); 283 284 /** 285 * 286 * (Re)loads keys found in the path of the keystore for the specified domain 287 * 288 * @param fqdn 289 * @return 290 */ 291 292 ya_result dnssec_keystore_reload_domain(const u8 *fqdn); 293 294 /** 295 * Adds all the valid keys of the domain in the keyring 296 * 297 * @param fqdn the domain name 298 * @param at_time the epoch at which the test is done ie: time(NULL) 299 * @param kr the target keyring 300 * 301 * @return the number of keys effectively added in the keyring 302 */ 303 304 u32 dnssec_keystore_add_valid_keys_from_fqdn(const u8 *fqdn, time_t at_time, struct dnskey_keyring *kr); 305 306 //////////////////////////////////////////////////////// 307 308 void dnssec_keystore_resetpath(); 309 310 const char *dnssec_keystore_getpath(); 311 void dnssec_keystore_setpath(const char* path); 312 313 /* 314 ya_result dnssec_keystore_add(dnssec_key* key); 315 dnssec_key* dnssec_keystore_get(u8 algorithm,u16 tag,u16 flags,const char *origin); 316 dnssec_key* dnssec_keystore_remove(u8 algorithm,u16 tag,u16 flags,const char *origin); 317 */ 318 void dnssec_keystore_destroy(); 319 320 /** Generates a private key, store in the keystore */ 321 ya_result dnssec_keystore_new_key(u8 algorithm, u32 size, u16 flags, const char *origin, dnssec_key **out_key); 322 323 324 /** 325 * Loads a public key from the rdata, store in the keystore, then sets out_key to point to it 326 * 327 * RC ok 328 * 329 * @param rdata 330 * @param rdata_size 331 * @param origin 332 * @param out_key 333 * @return 334 */ 335 336 ya_result dnssec_keystore_load_public_key_from_rdata(const u8 *rdata, u16 rdata_size, const u8 *origin, dnssec_key **out_key); 337 338 /** 339 * Loads a private key from the disk or the keystore, then returns it. 340 * NOTE: If the key already existed as a public-only key, the public version is released. 341 * 342 * RC ok 343 * 344 * @param algorithm 345 * @param tag 346 * @param flags 347 * @param origin 348 * @param out_key 349 * @return SUCCESS if a key was loaded, 1 if the key was already loaded, or an error code 350 */ 351 352 ya_result dnssec_keystore_load_private_key_from_rdata(const u8 *rdata, u16 rdata_size, const u8 *fqdn, dnssec_key **out_key); 353 354 /** 355 * Loads a private key from the disk or the keystore, then returns it. 356 * NOTE: If the key already existed as a public-only key, the public version is released. 357 * 358 * RC ok 359 * 360 * @param algorithm 361 * @param tag 362 * @param flags 363 * @param origin 364 * @param out_key 365 * @return SUCCESS if a key was loaded, 1 if the key was already loaded, or an error code 366 */ 367 368 ya_result dnssec_keystore_load_private_key_from_parameters(u8 algorithm, u16 tag, u16 flags, const u8 *fqdn, dnssec_key **out_key); 369 370 /** Writes the key into g_keystore_path (which should be changed to whatever is the right path of the key */ 371 ya_result dnssec_keystore_store_private_key(dnssec_key *key); 372 373 /** Writes the key into g_keystore_path (which should be changed to whatever is the right path of the key */ 374 ya_result dnssec_keystore_store_public_key(dnssec_key *key); 375 /* 376 void dnssec_key_addrecord_to_zone(dnssec_key* key, zdb_zone* zone); 377 */ 378 379 dnssec_key *dnssec_keystore_acquire_key_from_fqdn_at_index(const u8 *domain, int index); 380 381 /** 382 * Returns all the active keys, chained in a single linked list whose nodes need to be freed, 383 * 384 * @param zone 385 * @param out_keys 386 * @param out_ksk_count 387 * @param out_zsk_count 388 * @return 389 */ 390 391 ya_result zdb_zone_get_active_keys(zdb_zone *zone, dnssec_key_sll **out_keys, int *out_ksk_count, int *out_zsk_count); 392 393 /** 394 * 395 * @param keys 396 */ 397 398 void zdb_zone_release_active_keys(dnssec_key_sll *keys); 399 400 #ifdef __cplusplus 401 } 402 #endif 403 404 /** @} */ 405 406