1 /*------------------------------------------------------------------------------
2  *
3  * Copyright (c) 2011-2021, EURid vzw. All rights reserved.
4  * The YADIFA TM software product is provided under the BSD 3-clause license:
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  *        * Redistributions of source code must retain the above copyright
11  *          notice, this list of conditions and the following disclaimer.
12  *        * Redistributions in binary form must reproduce the above copyright
13  *          notice, this list of conditions and the following disclaimer in the
14  *          documentation and/or other materials provided with the distribution.
15  *        * Neither the name of EURid nor the names of its contributors may be
16  *          used to endorse or promote products derived from this software
17  *          without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
23  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  *------------------------------------------------------------------------------
32  *
33  */
34 
35 /** @defgroup dnskey DNSSEC keys functions
36  *  @ingroup dnsdbdnssec
37  *  @brief
38  *
39  *  The dnssec keystore handles loading and updating of keys system-wide.
40  *
41  *  It is required for an efficient key management and smart signing.
42  *
43  *  It has knowledge of how to find keys for a zone.
44  *  It has the responsibility to update the keys when asked.
45  *
46  *  Its responsibilities may be extended to notify the system about timings.
47  *
48  * @{
49  */
50 
51 #pragma once
52 
53 /*------------------------------------------------------------------------------
54  *
55  * USE INCLUDES */
56 #include <openssl/engine.h>
57 
58 #include <dnscore/sys_types.h>
59 #include <dnscore/dnskey.h>
60 #include <dnsdb/zdb_zone.h>
61 
62 #if !ZDB_HAS_DNSSEC_SUPPORT
63 #error "Please do not include dnssec_keystore.h if ZDB_HAS_DNSSEC_SUPPORT is 0 (Not NSEC3 nor NSEC)"
64 #endif
65 
66 
67 #ifdef	__cplusplus
68 extern "C" {
69 #endif
70 
71 struct dnssec_keystore;
72 
73 /**
74  *
75  * Initialises the keystore
76  *
77  * @param ks
78  */
79 
80 void dnssec_keystore_init();
81 
82 /**
83  * Adds the knowledge of domain<->path
84  * Set path to NULL to use the default value
85  *
86  * Can overwrite a previous value
87  *
88  * @param ks
89  * @param domain
90  * @param path
91  */
92 
93 void dnssec_keystore_add_domain(const u8 *domain, const char *path);
94 
95 /**
96  * Remove the knowledge of domain<->path
97  *
98  * @param ks
99  * @param domain
100  * @param path
101  */
102 
103 void dnssec_keystore_remove_domain(const u8 *domain, const char *path);
104 
105 /**
106  *
107  * Add a key to the keystore, do nothing if a key with the same tag and algorithm is
108  * in the keystore for that domain already
109  *
110  * RC ok
111  *
112  * @param ks
113  * @param key
114  *
115  * @return TRUE iff the key was added
116  */
117 
118 bool dnssec_keystore_add_key(dnssec_key *key);
119 
120 /**
121  *
122  * Replace a key from the keystore, release the replaced key
123  *
124  * RC ok
125  *
126  * @param ks
127  * @param key
128  *
129  * @return TRUE iff the key was added
130  */
131 
132 bool dnssec_keystore_replace_key(dnssec_key *key);
133 
134 /**
135  *
136  * Removes a key from the keystore
137  * Does not releases the key
138  *
139  * RC ok
140  *
141  * @param ks
142  * @param key
143  *
144  * @return the instance of the key from the keystore, or NULL if the key was not found
145  */
146 
147 dnssec_key *dnssec_keystore_remove_key(dnssec_key *key);
148 
149 /**
150  * Removes a key from the keystore, if possible.
151  * Renames both key files adding suffix of the creation time plus bak
152  * Does not return any error code as it's a best effort kind of thing.
153  *
154  * @param key
155  */
156 
157 void dnssec_keystore_delete_key(dnssec_key *key);
158 
159 /**
160  *
161  * Retrieves a key from the keystore
162  *
163  * RC ok
164  *
165  * @param ks
166  * @param domain
167  * @param tag
168  * @return the key or NULL if it does not exist
169  */
170 
171 dnssec_key *dnssec_keystore_acquire_key_from_fqdn_with_tag(const u8 *domain, u16 tag);
172 
173 /**
174  * Returns the nth key from the domain or NULL if no such key exist
175  *
176  * RC ok
177  *
178  * @return a dnskey
179  */
180 
181 dnssec_key *dnssec_keystore_acquire_key_from_fqdn_by_index(const u8 *domain, int idx);
182 
183 /**
184  * Returns TRUE iff the domain has an activaed KSK with its private part loaded.
185  */
186 
187 bool dnssec_keystore_has_usable_ksk(const u8 *domain, time_t attime);
188 
189 /**
190  * Returns true iff the key for theddomain+algorithm+tag is active at 'now'
191  *
192  * @param domain
193  * @param algorithm
194  * @param tag
195  * @param now
196  *
197  * @return
198  */
199 
200 bool dnssec_keystore_is_key_active(const u8 *domain, u8 algorithm, u16 tag, time_t now);
201 
202 /**
203  * Acquires all the currently activated keys and store them to the appropriate
204  * KSK or ZSK collection ptr_vector.
205  *
206  * @param domain
207  * @param ksks
208  * @param zsks
209  * @return
210  */
211 
212 int dnssec_keystore_acquire_activated_keys_from_fqdn_to_vectors(const u8 *domain, ptr_vector *ksks, ptr_vector *zsks);
213 
214 /**
215  * Acquires all the currently publishable keys and store them to the appropriate
216  * KSK or ZSK collection ptr_vector.
217  *
218  * If no publish/delete field is available, uses active/inactive fields instead.
219  * No fields means no action.
220  *
221  * @param domain
222  * @param ksks
223  * @param zsks
224  * @return
225  */
226 
227 int dnssec_keystore_acquire_published_keys_from_fqdn_to_vectors(const u8 *domain, ptr_vector *ksks, ptr_vector *zsks);
228 
229 /**
230  * Acquires all the keys that should be published and deleted and store them to the appropriate collection ptr_vector.
231  *
232  * If no publish/delete field is available, uses active/inactive fields instead.
233  * No fields means no action.
234  *
235  * @param domain
236  * @param ksks
237  * @param zsks
238  * @return
239  */
240 
241 int dnssec_keystore_acquire_publish_delete_keys_from_fqdn_to_vectors(const u8 *domain, ptr_vector *publish_keys, ptr_vector *delete_keys);
242 /**
243  * Releases all the keys from a vector.
244  *
245  * @param keys
246  */
247 
248 void dnssec_keystore_release_keys_from_vector(ptr_vector *keys);
249 
250 /**
251  *
252  * Retrieves a key from the keystore
253  *
254  * RC ok
255  *
256  * @param ks
257  * @param domain
258  * @param tag
259  * @return
260  */
261 
262 dnssec_key *dnssec_keystore_acquire_key_from_name(const char *domain, u16 tag);
263 
264 /**
265  * Returns the nth key from the domain or NULL if no such key exist
266  *
267  * RC ok
268  *
269  * @return a dnskey
270  */
271 
272 dnssec_key *dnssec_keystore_acquire_key_from_name_by_index(const char *domain, int idx);
273 
274 /**
275  *
276  * (Re)loads keys found in the paths of the keystore
277  *
278  * @param ks
279  * @return
280  */
281 
282 ya_result dnssec_keystore_reload();
283 
284 /**
285  *
286  * (Re)loads keys found in the path of the keystore for the specified domain
287  *
288  * @param fqdn
289  * @return
290  */
291 
292 ya_result dnssec_keystore_reload_domain(const u8 *fqdn);
293 
294 /**
295  * Adds all the valid keys of the domain in the keyring
296  *
297  * @param fqdn the domain name
298  * @param at_time the epoch at which the test is done ie: time(NULL)
299  * @param kr the target keyring
300  *
301  * @return the number of keys effectively added in the keyring
302  */
303 
304 u32 dnssec_keystore_add_valid_keys_from_fqdn(const u8 *fqdn, time_t at_time, struct dnskey_keyring *kr);
305 
306 ////////////////////////////////////////////////////////
307 
308 void dnssec_keystore_resetpath();
309 
310 const char *dnssec_keystore_getpath();
311 void dnssec_keystore_setpath(const char* path);
312 
313 /*
314 ya_result	dnssec_keystore_add(dnssec_key* key);
315 dnssec_key*	dnssec_keystore_get(u8 algorithm,u16 tag,u16 flags,const char *origin);
316 dnssec_key*	dnssec_keystore_remove(u8 algorithm,u16 tag,u16 flags,const char *origin);
317 */
318 void dnssec_keystore_destroy();
319 
320 /** Generates a private key, store in the keystore */
321 ya_result dnssec_keystore_new_key(u8 algorithm, u32 size, u16 flags, const char *origin, dnssec_key **out_key);
322 
323 
324 /**
325  * Loads a public key from the rdata, store in the keystore, then sets out_key to point to it
326  *
327  * RC ok
328  *
329  * @param rdata
330  * @param rdata_size
331  * @param origin
332  * @param out_key
333  * @return
334  */
335 
336 ya_result dnssec_keystore_load_public_key_from_rdata(const u8 *rdata, u16 rdata_size, const u8 *origin, dnssec_key **out_key);
337 
338 /**
339  *  Loads a private key from the disk or the keystore, then returns it.
340  *  NOTE: If the key already existed as a public-only key, the public version is released.
341  *
342  * RC ok
343  *
344  * @param algorithm
345  * @param tag
346  * @param flags
347  * @param origin
348  * @param out_key
349  * @return SUCCESS if a key was loaded, 1 if the key was already loaded, or an error code
350  */
351 
352 ya_result dnssec_keystore_load_private_key_from_rdata(const u8 *rdata, u16 rdata_size, const u8 *fqdn, dnssec_key **out_key);
353 
354 /**
355  *  Loads a private key from the disk or the keystore, then returns it.
356  *  NOTE: If the key already existed as a public-only key, the public version is released.
357  *
358  * RC ok
359  *
360  * @param algorithm
361  * @param tag
362  * @param flags
363  * @param origin
364  * @param out_key
365  * @return SUCCESS if a key was loaded, 1 if the key was already loaded, or an error code
366  */
367 
368 ya_result	dnssec_keystore_load_private_key_from_parameters(u8 algorithm, u16 tag, u16 flags, const u8 *fqdn, dnssec_key **out_key);
369 
370 /** Writes the key into g_keystore_path (which should be changed to whatever is the right path of the key */
371 ya_result	dnssec_keystore_store_private_key(dnssec_key *key);
372 
373 /** Writes the key into g_keystore_path (which should be changed to whatever is the right path of the key */
374 ya_result	dnssec_keystore_store_public_key(dnssec_key *key);
375 /*
376 void		dnssec_key_addrecord_to_zone(dnssec_key* key, zdb_zone* zone);
377 */
378 
379 dnssec_key     *dnssec_keystore_acquire_key_from_fqdn_at_index(const u8 *domain, int index);
380 
381 /**
382  * Returns all the active keys, chained in a single linked list whose nodes need to be freed,
383  *
384  * @param zone
385  * @param out_keys
386  * @param out_ksk_count
387  * @param out_zsk_count
388  * @return
389  */
390 
391 ya_result zdb_zone_get_active_keys(zdb_zone *zone, dnssec_key_sll **out_keys, int *out_ksk_count, int *out_zsk_count);
392 
393 /**
394  *
395  * @param keys
396  */
397 
398 void zdb_zone_release_active_keys(dnssec_key_sll *keys);
399 
400 #ifdef	__cplusplus
401 }
402 #endif
403 
404 /** @} */
405 
406