1 /* 2 * keys.c handle private keys for use in DNSSEC 3 * 4 * This module should hide some of the openSSL complexities 5 * and give a general interface for private keys and hmac 6 * handling 7 * 8 * (c) NLnet Labs, 2004-2006 9 * 10 * See the file LICENSE for the license 11 */ 12 13 #include <ldns/config.h> 14 15 #include <ldns/ldns.h> 16 17 #ifdef HAVE_SSL 18 #include <openssl/ssl.h> 19 #ifndef OPENSSL_NO_ENGINE 20 #include <openssl/engine.h> 21 #endif 22 #include <openssl/rand.h> 23 #endif /* HAVE_SSL */ 24 25 ldns_lookup_table ldns_signing_algorithms[] = { 26 { LDNS_SIGN_RSAMD5, "RSAMD5" }, 27 { LDNS_SIGN_RSASHA1, "RSASHA1" }, 28 { LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1-NSEC3-SHA1" }, 29 #ifdef USE_SHA2 30 { LDNS_SIGN_RSASHA256, "RSASHA256" }, 31 { LDNS_SIGN_RSASHA512, "RSASHA512" }, 32 #endif 33 #ifdef USE_GOST 34 { LDNS_SIGN_ECC_GOST, "ECC-GOST" }, 35 #endif 36 #ifdef USE_ECDSA 37 { LDNS_SIGN_ECDSAP256SHA256, "ECDSAP256SHA256" }, 38 { LDNS_SIGN_ECDSAP384SHA384, "ECDSAP384SHA384" }, 39 #endif 40 { LDNS_SIGN_DSA, "DSA" }, 41 { LDNS_SIGN_DSA_NSEC3, "DSA-NSEC3-SHA1" }, 42 { LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" }, 43 { LDNS_SIGN_HMACSHA1, "hmac-sha1" }, 44 { LDNS_SIGN_HMACSHA256, "hmac-sha256" }, 45 { 0, NULL } 46 }; 47 48 ldns_key_list * 49 ldns_key_list_new() 50 { 51 ldns_key_list *key_list = LDNS_MALLOC(ldns_key_list); 52 if (!key_list) { 53 return NULL; 54 } else { 55 key_list->_key_count = 0; 56 key_list->_keys = NULL; 57 return key_list; 58 } 59 } 60 61 ldns_key * 62 ldns_key_new() 63 { 64 ldns_key *newkey; 65 66 newkey = LDNS_MALLOC(ldns_key); 67 if (!newkey) { 68 return NULL; 69 } else { 70 /* some defaults - not sure wether to do this */ 71 ldns_key_set_use(newkey, true); 72 ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY); 73 ldns_key_set_origttl(newkey, 0); 74 ldns_key_set_keytag(newkey, 0); 75 ldns_key_set_inception(newkey, 0); 76 ldns_key_set_expiration(newkey, 0); 77 ldns_key_set_pubkey_owner(newkey, NULL); 78 #ifdef HAVE_SSL 79 ldns_key_set_evp_key(newkey, NULL); 80 #endif /* HAVE_SSL */ 81 ldns_key_set_hmac_key(newkey, NULL); 82 ldns_key_set_external_key(newkey, NULL); 83 return newkey; 84 } 85 } 86 87 ldns_status 88 ldns_key_new_frm_fp(ldns_key **k, FILE *fp) 89 { 90 return ldns_key_new_frm_fp_l(k, fp, NULL); 91 } 92 93 #if defined(HAVE_SSL) && !defined(OPENSSL_NO_ENGINE) 94 ldns_status 95 ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm alg) 96 { 97 ldns_key *k; 98 99 k = ldns_key_new(); 100 if(!k) return LDNS_STATUS_MEM_ERR; 101 #ifndef S_SPLINT_S 102 k->_key.key = ENGINE_load_private_key(e, key_id, UI_OpenSSL(), NULL); 103 if(!k->_key.key) { 104 ldns_key_free(k); 105 return LDNS_STATUS_ERR; 106 } 107 ldns_key_set_algorithm(k, (ldns_signing_algorithm) alg); 108 if (!k->_key.key) { 109 ldns_key_free(k); 110 return LDNS_STATUS_ENGINE_KEY_NOT_LOADED; 111 } 112 #endif /* splint */ 113 *key = k; 114 return LDNS_STATUS_OK; 115 } 116 #endif 117 118 #ifdef USE_GOST 119 /** store GOST engine reference loaded into OpenSSL library */ 120 ENGINE* ldns_gost_engine = NULL; 121 122 int 123 ldns_key_EVP_load_gost_id(void) 124 { 125 static int gost_id = 0; 126 const EVP_PKEY_ASN1_METHOD* meth; 127 ENGINE* e; 128 129 if(gost_id) return gost_id; 130 131 /* see if configuration loaded gost implementation from other engine*/ 132 meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1); 133 if(meth) { 134 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); 135 return gost_id; 136 } 137 138 /* see if engine can be loaded already */ 139 e = ENGINE_by_id("gost"); 140 if(!e) { 141 /* load it ourself, in case statically linked */ 142 ENGINE_load_builtin_engines(); 143 ENGINE_load_dynamic(); 144 e = ENGINE_by_id("gost"); 145 } 146 if(!e) { 147 /* no gost engine in openssl */ 148 return 0; 149 } 150 if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { 151 ENGINE_finish(e); 152 ENGINE_free(e); 153 return 0; 154 } 155 156 meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1); 157 if(!meth) { 158 /* algo not found */ 159 ENGINE_finish(e); 160 ENGINE_free(e); 161 return 0; 162 } 163 /* Note: do not ENGINE_finish and ENGINE_free the acquired engine 164 * on some platforms this frees up the meth and unloads gost stuff */ 165 ldns_gost_engine = e; 166 167 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); 168 return gost_id; 169 } 170 171 void ldns_key_EVP_unload_gost(void) 172 { 173 if(ldns_gost_engine) { 174 ENGINE_finish(ldns_gost_engine); 175 ENGINE_free(ldns_gost_engine); 176 ldns_gost_engine = NULL; 177 } 178 } 179 180 /** read GOST private key */ 181 static EVP_PKEY* 182 ldns_key_new_frm_fp_gost_l(FILE* fp, int* line_nr) 183 { 184 char token[16384]; 185 const unsigned char* pp; 186 int gost_id; 187 EVP_PKEY* pkey; 188 ldns_rdf* b64rdf = NULL; 189 190 gost_id = ldns_key_EVP_load_gost_id(); 191 if(!gost_id) 192 return NULL; 193 194 if (ldns_fget_keyword_data_l(fp, "GostAsn1", ": ", token, "\n", 195 sizeof(token), line_nr) == -1) 196 return NULL; 197 while(strlen(token) < 96) { 198 /* read more b64 from the file, b64 split on multiple lines */ 199 if(ldns_fget_token_l(fp, token+strlen(token), "\n", 200 sizeof(token)-strlen(token), line_nr) == -1) 201 return NULL; 202 } 203 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 204 return NULL; 205 pp = (unsigned char*)ldns_rdf_data(b64rdf); 206 pkey = d2i_PrivateKey(gost_id, NULL, &pp, (int)ldns_rdf_size(b64rdf)); 207 ldns_rdf_deep_free(b64rdf); 208 return pkey; 209 } 210 #endif 211 212 #ifdef USE_ECDSA 213 /** calculate public key from private key */ 214 static int 215 ldns_EC_KEY_calc_public(EC_KEY* ec) 216 { 217 EC_POINT* pub_key; 218 const EC_GROUP* group; 219 group = EC_KEY_get0_group(ec); 220 pub_key = EC_POINT_new(group); 221 if(!pub_key) return 0; 222 if(!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group))) { 223 EC_POINT_free(pub_key); 224 return 0; 225 } 226 if(!EC_POINT_mul(group, pub_key, EC_KEY_get0_private_key(ec), 227 NULL, NULL, NULL)) { 228 EC_POINT_free(pub_key); 229 return 0; 230 } 231 if(EC_KEY_set_public_key(ec, pub_key) == 0) { 232 EC_POINT_free(pub_key); 233 return 0; 234 } 235 EC_POINT_free(pub_key); 236 return 1; 237 } 238 239 /** read ECDSA private key */ 240 static EVP_PKEY* 241 ldns_key_new_frm_fp_ecdsa_l(FILE* fp, ldns_algorithm alg, int* line_nr) 242 { 243 char token[16384]; 244 ldns_rdf* b64rdf = NULL; 245 unsigned char* pp; 246 BIGNUM* bn; 247 EVP_PKEY* evp_key; 248 EC_KEY* ec; 249 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n", 250 sizeof(token), line_nr) == -1) 251 return NULL; 252 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 253 return NULL; 254 pp = (unsigned char*)ldns_rdf_data(b64rdf); 255 256 if(alg == LDNS_ECDSAP256SHA256) 257 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 258 else if(alg == LDNS_ECDSAP384SHA384) 259 ec = EC_KEY_new_by_curve_name(NID_secp384r1); 260 else ec = NULL; 261 if(!ec) { 262 ldns_rdf_deep_free(b64rdf); 263 return NULL; 264 } 265 bn = BN_bin2bn(pp, (int)ldns_rdf_size(b64rdf), NULL); 266 ldns_rdf_deep_free(b64rdf); 267 if(!bn) { 268 EC_KEY_free(ec); 269 return NULL; 270 } 271 EC_KEY_set_private_key(ec, bn); 272 BN_free(bn); 273 if(!ldns_EC_KEY_calc_public(ec)) { 274 EC_KEY_free(ec); 275 return NULL; 276 } 277 278 evp_key = EVP_PKEY_new(); 279 if(!evp_key) { 280 EC_KEY_free(ec); 281 return NULL; 282 } 283 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) { 284 EVP_PKEY_free(evp_key); 285 EC_KEY_free(ec); 286 return NULL; 287 } 288 return evp_key; 289 } 290 #endif 291 292 ldns_status 293 ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr) 294 { 295 ldns_key *k; 296 char *d; 297 ldns_signing_algorithm alg; 298 ldns_rr *key_rr; 299 #ifdef HAVE_SSL 300 RSA *rsa; 301 DSA *dsa; 302 unsigned char *hmac; 303 size_t hmac_size; 304 #endif /* HAVE_SSL */ 305 306 k = ldns_key_new(); 307 308 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 309 if (!k || !d) { 310 ldns_key_free(k); 311 LDNS_FREE(d); 312 return LDNS_STATUS_MEM_ERR; 313 } 314 315 alg = 0; 316 317 /* the file is highly structured. Do this in sequence */ 318 /* RSA: 319 * Private-key-format: v1.x. 320 * Algorithm: 1 (RSA) 321 322 */ 323 /* get the key format version number */ 324 if (ldns_fget_keyword_data_l(fp, "Private-key-format", ": ", d, "\n", 325 LDNS_MAX_LINELEN, line_nr) == -1) { 326 /* no version information */ 327 ldns_key_free(k); 328 LDNS_FREE(d); 329 return LDNS_STATUS_SYNTAX_ERR; 330 } 331 if (strncmp(d, "v1.", 3) != 0) { 332 ldns_key_free(k); 333 LDNS_FREE(d); 334 return LDNS_STATUS_SYNTAX_VERSION_ERR; 335 } 336 337 /* get the algorithm type, our file function strip ( ) so there are 338 * not in the return string! */ 339 if (ldns_fget_keyword_data_l(fp, "Algorithm", ": ", d, "\n", 340 LDNS_MAX_LINELEN, line_nr) == -1) { 341 /* no alg information */ 342 ldns_key_free(k); 343 LDNS_FREE(d); 344 return LDNS_STATUS_SYNTAX_ALG_ERR; 345 } 346 347 if (strncmp(d, "1 RSA", 2) == 0) { 348 alg = LDNS_SIGN_RSAMD5; 349 } 350 if (strncmp(d, "2 DH", 2) == 0) { 351 alg = (ldns_signing_algorithm)LDNS_DH; 352 } 353 if (strncmp(d, "3 DSA", 2) == 0) { 354 alg = LDNS_SIGN_DSA; 355 } 356 if (strncmp(d, "4 ECC", 2) == 0) { 357 alg = (ldns_signing_algorithm)LDNS_ECC; 358 } 359 if (strncmp(d, "5 RSASHA1", 2) == 0) { 360 alg = LDNS_SIGN_RSASHA1; 361 } 362 if (strncmp(d, "6 DSA", 2) == 0) { 363 alg = LDNS_SIGN_DSA_NSEC3; 364 } 365 if (strncmp(d, "7 RSASHA1", 2) == 0) { 366 alg = LDNS_SIGN_RSASHA1_NSEC3; 367 } 368 369 if (strncmp(d, "8 RSASHA256", 2) == 0) { 370 #ifdef USE_SHA2 371 alg = LDNS_SIGN_RSASHA256; 372 #else 373 fprintf(stderr, "Warning: SHA256 not compiled into this "); 374 fprintf(stderr, "version of ldns\n"); 375 #endif 376 } 377 if (strncmp(d, "10 RSASHA512", 3) == 0) { 378 #ifdef USE_SHA2 379 alg = LDNS_SIGN_RSASHA512; 380 #else 381 fprintf(stderr, "Warning: SHA512 not compiled into this "); 382 fprintf(stderr, "version of ldns\n"); 383 #endif 384 } 385 if (strncmp(d, "12 ECC-GOST", 3) == 0) { 386 #ifdef USE_GOST 387 alg = LDNS_SIGN_ECC_GOST; 388 #else 389 fprintf(stderr, "Warning: ECC-GOST not compiled into this "); 390 fprintf(stderr, "version of ldns, use --enable-gost\n"); 391 #endif 392 } 393 if (strncmp(d, "13 ECDSAP256SHA256", 3) == 0) { 394 #ifdef USE_ECDSA 395 alg = LDNS_SIGN_ECDSAP256SHA256; 396 #else 397 fprintf(stderr, "Warning: ECDSA not compiled into this "); 398 fprintf(stderr, "version of ldns, use --enable-ecdsa\n"); 399 #endif 400 } 401 if (strncmp(d, "14 ECDSAP384SHA384", 3) == 0) { 402 #ifdef USE_ECDSA 403 alg = LDNS_SIGN_ECDSAP384SHA384; 404 #else 405 fprintf(stderr, "Warning: ECDSA not compiled into this "); 406 fprintf(stderr, "version of ldns, use --enable-ecdsa\n"); 407 #endif 408 } 409 if (strncmp(d, "157 HMAC-MD5", 4) == 0) { 410 alg = LDNS_SIGN_HMACMD5; 411 } 412 if (strncmp(d, "158 HMAC-SHA1", 4) == 0) { 413 alg = LDNS_SIGN_HMACSHA1; 414 } 415 if (strncmp(d, "159 HMAC-SHA256", 4) == 0) { 416 alg = LDNS_SIGN_HMACSHA256; 417 } 418 419 LDNS_FREE(d); 420 421 switch(alg) { 422 case LDNS_SIGN_RSAMD5: 423 case LDNS_SIGN_RSASHA1: 424 case LDNS_SIGN_RSASHA1_NSEC3: 425 #ifdef USE_SHA2 426 case LDNS_SIGN_RSASHA256: 427 case LDNS_SIGN_RSASHA512: 428 #endif 429 ldns_key_set_algorithm(k, alg); 430 #ifdef HAVE_SSL 431 rsa = ldns_key_new_frm_fp_rsa_l(fp, line_nr); 432 if (!rsa) { 433 ldns_key_free(k); 434 return LDNS_STATUS_ERR; 435 } 436 ldns_key_assign_rsa_key(k, rsa); 437 #endif /* HAVE_SSL */ 438 break; 439 case LDNS_SIGN_DSA: 440 case LDNS_SIGN_DSA_NSEC3: 441 ldns_key_set_algorithm(k, alg); 442 #ifdef HAVE_SSL 443 dsa = ldns_key_new_frm_fp_dsa_l(fp, line_nr); 444 if (!dsa) { 445 ldns_key_free(k); 446 return LDNS_STATUS_ERR; 447 } 448 ldns_key_assign_dsa_key(k, dsa); 449 #endif /* HAVE_SSL */ 450 break; 451 case LDNS_SIGN_HMACMD5: 452 case LDNS_SIGN_HMACSHA1: 453 case LDNS_SIGN_HMACSHA256: 454 ldns_key_set_algorithm(k, alg); 455 #ifdef HAVE_SSL 456 hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size); 457 if (!hmac) { 458 ldns_key_free(k); 459 return LDNS_STATUS_ERR; 460 } 461 ldns_key_set_hmac_size(k, hmac_size); 462 ldns_key_set_hmac_key(k, hmac); 463 #endif /* HAVE_SSL */ 464 break; 465 case LDNS_SIGN_ECC_GOST: 466 ldns_key_set_algorithm(k, alg); 467 #if defined(HAVE_SSL) && defined(USE_GOST) 468 if(!ldns_key_EVP_load_gost_id()) { 469 ldns_key_free(k); 470 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL; 471 } 472 ldns_key_set_evp_key(k, 473 ldns_key_new_frm_fp_gost_l(fp, line_nr)); 474 #ifndef S_SPLINT_S 475 if(!k->_key.key) { 476 ldns_key_free(k); 477 return LDNS_STATUS_ERR; 478 } 479 #endif /* splint */ 480 #endif 481 break; 482 #ifdef USE_ECDSA 483 case LDNS_SIGN_ECDSAP256SHA256: 484 case LDNS_SIGN_ECDSAP384SHA384: 485 ldns_key_set_algorithm(k, alg); 486 ldns_key_set_evp_key(k, 487 ldns_key_new_frm_fp_ecdsa_l(fp, (ldns_algorithm)alg, line_nr)); 488 #ifndef S_SPLINT_S 489 if(!k->_key.key) { 490 ldns_key_free(k); 491 return LDNS_STATUS_ERR; 492 } 493 #endif /* splint */ 494 break; 495 #endif 496 default: 497 ldns_key_free(k); 498 return LDNS_STATUS_SYNTAX_ALG_ERR; 499 } 500 key_rr = ldns_key2rr(k); 501 ldns_key_set_keytag(k, ldns_calc_keytag(key_rr)); 502 ldns_rr_free(key_rr); 503 504 if (key) { 505 *key = k; 506 return LDNS_STATUS_OK; 507 } 508 ldns_key_free(k); 509 return LDNS_STATUS_ERR; 510 } 511 512 #ifdef HAVE_SSL 513 RSA * 514 ldns_key_new_frm_fp_rsa(FILE *f) 515 { 516 return ldns_key_new_frm_fp_rsa_l(f, NULL); 517 } 518 519 RSA * 520 ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) 521 { 522 /* we parse 523 * Modulus: 524 * PublicExponent: 525 * PrivateExponent: 526 * Prime1: 527 * Prime2: 528 * Exponent1: 529 * Exponent2: 530 * Coefficient: 531 * 532 * man 3 RSA: 533 * 534 * struct 535 * { 536 * BIGNUM *n; // public modulus 537 * BIGNUM *e; // public exponent 538 * BIGNUM *d; // private exponent 539 * BIGNUM *p; // secret prime factor 540 * BIGNUM *q; // secret prime factor 541 * BIGNUM *dmp1; // d mod (p-1) 542 * BIGNUM *dmq1; // d mod (q-1) 543 * BIGNUM *iqmp; // q^-1 mod p 544 * // ... 545 * 546 */ 547 char *d; 548 RSA *rsa; 549 uint8_t *buf; 550 int i; 551 552 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 553 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); 554 rsa = RSA_new(); 555 if (!d || !rsa || !buf) { 556 goto error; 557 } 558 559 /* I could use functions again, but that seems an overkill, 560 * allthough this also looks tedious 561 */ 562 563 /* Modules, rsa->n */ 564 if (ldns_fget_keyword_data_l(f, "Modulus", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 565 goto error; 566 } 567 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 568 #ifndef S_SPLINT_S 569 rsa->n = BN_bin2bn((const char unsigned*)buf, i, NULL); 570 if (!rsa->n) { 571 goto error; 572 } 573 574 /* PublicExponent, rsa->e */ 575 if (ldns_fget_keyword_data_l(f, "PublicExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 576 goto error; 577 } 578 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 579 rsa->e = BN_bin2bn((const char unsigned*)buf, i, NULL); 580 if (!rsa->e) { 581 goto error; 582 } 583 584 /* PrivateExponent, rsa->d */ 585 if (ldns_fget_keyword_data_l(f, "PrivateExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 586 goto error; 587 } 588 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 589 rsa->d = BN_bin2bn((const char unsigned*)buf, i, NULL); 590 if (!rsa->d) { 591 goto error; 592 } 593 594 /* Prime1, rsa->p */ 595 if (ldns_fget_keyword_data_l(f, "Prime1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 596 goto error; 597 } 598 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 599 rsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL); 600 if (!rsa->p) { 601 goto error; 602 } 603 604 /* Prime2, rsa->q */ 605 if (ldns_fget_keyword_data_l(f, "Prime2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 606 goto error; 607 } 608 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 609 rsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL); 610 if (!rsa->q) { 611 goto error; 612 } 613 614 /* Exponent1, rsa->dmp1 */ 615 if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 616 goto error; 617 } 618 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 619 rsa->dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL); 620 if (!rsa->dmp1) { 621 goto error; 622 } 623 624 /* Exponent2, rsa->dmq1 */ 625 if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 626 goto error; 627 } 628 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 629 rsa->dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL); 630 if (!rsa->dmq1) { 631 goto error; 632 } 633 634 /* Coefficient, rsa->iqmp */ 635 if (ldns_fget_keyword_data_l(f, "Coefficient", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 636 goto error; 637 } 638 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 639 rsa->iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL); 640 if (!rsa->iqmp) { 641 goto error; 642 } 643 #endif /* splint */ 644 645 LDNS_FREE(buf); 646 LDNS_FREE(d); 647 return rsa; 648 649 error: 650 RSA_free(rsa); 651 LDNS_FREE(d); 652 LDNS_FREE(buf); 653 return NULL; 654 } 655 656 DSA * 657 ldns_key_new_frm_fp_dsa(FILE *f) 658 { 659 return ldns_key_new_frm_fp_dsa_l(f, NULL); 660 } 661 662 DSA * 663 ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) 664 { 665 int i; 666 char *d; 667 DSA *dsa; 668 uint8_t *buf; 669 670 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 671 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); 672 dsa = DSA_new(); 673 if (!d || !dsa || !buf) { 674 goto error; 675 } 676 677 /* the line parser removes the () from the input... */ 678 679 /* Prime, dsa->p */ 680 if (ldns_fget_keyword_data_l(f, "Primep", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 681 goto error; 682 } 683 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 684 #ifndef S_SPLINT_S 685 dsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL); 686 if (!dsa->p) { 687 goto error; 688 } 689 690 /* Subprime, dsa->q */ 691 if (ldns_fget_keyword_data_l(f, "Subprimeq", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 692 goto error; 693 } 694 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 695 dsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL); 696 if (!dsa->q) { 697 goto error; 698 } 699 700 /* Base, dsa->g */ 701 if (ldns_fget_keyword_data_l(f, "Baseg", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 702 goto error; 703 } 704 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 705 dsa->g = BN_bin2bn((const char unsigned*)buf, i, NULL); 706 if (!dsa->g) { 707 goto error; 708 } 709 710 /* Private key, dsa->priv_key */ 711 if (ldns_fget_keyword_data_l(f, "Private_valuex", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 712 goto error; 713 } 714 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 715 dsa->priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL); 716 if (!dsa->priv_key) { 717 goto error; 718 } 719 720 /* Public key, dsa->priv_key */ 721 if (ldns_fget_keyword_data_l(f, "Public_valuey", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 722 goto error; 723 } 724 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 725 dsa->pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL); 726 if (!dsa->pub_key) { 727 goto error; 728 } 729 #endif /* splint */ 730 731 LDNS_FREE(buf); 732 LDNS_FREE(d); 733 734 return dsa; 735 736 error: 737 LDNS_FREE(d); 738 LDNS_FREE(buf); 739 DSA_free(dsa); 740 return NULL; 741 } 742 743 unsigned char * 744 ldns_key_new_frm_fp_hmac(FILE *f, size_t *hmac_size) 745 { 746 return ldns_key_new_frm_fp_hmac_l(f, NULL, hmac_size); 747 } 748 749 unsigned char * 750 ldns_key_new_frm_fp_hmac_l( FILE *f 751 , ATTR_UNUSED(int *line_nr) 752 , size_t *hmac_size 753 ) 754 { 755 size_t i, bufsz; 756 char d[LDNS_MAX_LINELEN]; 757 unsigned char *buf = NULL; 758 759 if (ldns_fget_keyword_data_l(f, "Key", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 760 goto error; 761 } 762 bufsz = ldns_b64_ntop_calculate_size(strlen(d)); 763 buf = LDNS_XMALLOC(unsigned char, bufsz); 764 i = (size_t) ldns_b64_pton((const char*)d, buf, bufsz); 765 766 *hmac_size = i; 767 return buf; 768 769 error: 770 LDNS_FREE(buf); 771 *hmac_size = 0; 772 return NULL; 773 } 774 #endif /* HAVE_SSL */ 775 776 #ifdef USE_GOST 777 static EVP_PKEY* 778 ldns_gen_gost_key(void) 779 { 780 EVP_PKEY_CTX* ctx; 781 EVP_PKEY* p = NULL; 782 int gost_id = ldns_key_EVP_load_gost_id(); 783 if(!gost_id) 784 return NULL; 785 ctx = EVP_PKEY_CTX_new_id(gost_id, NULL); 786 if(!ctx) { 787 /* the id should be available now */ 788 return NULL; 789 } 790 if(EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0) { 791 /* cannot set paramset */ 792 EVP_PKEY_CTX_free(ctx); 793 return NULL; 794 } 795 796 if(EVP_PKEY_keygen_init(ctx) <= 0) { 797 EVP_PKEY_CTX_free(ctx); 798 return NULL; 799 } 800 if(EVP_PKEY_keygen(ctx, &p) <= 0) { 801 EVP_PKEY_free(p); 802 EVP_PKEY_CTX_free(ctx); 803 return NULL; 804 } 805 EVP_PKEY_CTX_free(ctx); 806 return p; 807 } 808 #endif 809 810 ldns_key * 811 ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size) 812 { 813 ldns_key *k; 814 #ifdef HAVE_SSL 815 DSA *d; 816 RSA *r; 817 # ifdef USE_ECDSA 818 EC_KEY *ec = NULL; 819 # endif 820 #else 821 int i; 822 uint16_t offset = 0; 823 #endif 824 unsigned char *hmac; 825 826 k = ldns_key_new(); 827 if (!k) { 828 return NULL; 829 } 830 switch(alg) { 831 case LDNS_SIGN_RSAMD5: 832 case LDNS_SIGN_RSASHA1: 833 case LDNS_SIGN_RSASHA1_NSEC3: 834 case LDNS_SIGN_RSASHA256: 835 case LDNS_SIGN_RSASHA512: 836 #ifdef HAVE_SSL 837 r = RSA_generate_key((int)size, RSA_F4, NULL, NULL); 838 if(!r) { 839 ldns_key_free(k); 840 return NULL; 841 } 842 if (RSA_check_key(r) != 1) { 843 ldns_key_free(k); 844 return NULL; 845 } 846 ldns_key_set_rsa_key(k, r); 847 RSA_free(r); 848 #endif /* HAVE_SSL */ 849 break; 850 case LDNS_SIGN_DSA: 851 case LDNS_SIGN_DSA_NSEC3: 852 #ifdef HAVE_SSL 853 d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL); 854 if (!d) { 855 ldns_key_free(k); 856 return NULL; 857 } 858 if (DSA_generate_key(d) != 1) { 859 ldns_key_free(k); 860 return NULL; 861 } 862 ldns_key_set_dsa_key(k, d); 863 DSA_free(d); 864 #endif /* HAVE_SSL */ 865 break; 866 case LDNS_SIGN_HMACMD5: 867 case LDNS_SIGN_HMACSHA1: 868 case LDNS_SIGN_HMACSHA256: 869 #ifdef HAVE_SSL 870 #ifndef S_SPLINT_S 871 k->_key.key = NULL; 872 #endif /* splint */ 873 #endif /* HAVE_SSL */ 874 size = size / 8; 875 ldns_key_set_hmac_size(k, size); 876 877 hmac = LDNS_XMALLOC(unsigned char, size); 878 if(!hmac) { 879 ldns_key_free(k); 880 return NULL; 881 } 882 #ifdef HAVE_SSL 883 if (RAND_bytes(hmac, (int) size) != 1) { 884 LDNS_FREE(hmac); 885 ldns_key_free(k); 886 return NULL; 887 } 888 #else 889 while (offset + sizeof(i) < size) { 890 i = random(); 891 memcpy(&hmac[offset], &i, sizeof(i)); 892 offset += sizeof(i); 893 } 894 if (offset < size) { 895 i = random(); 896 memcpy(&hmac[offset], &i, size - offset); 897 } 898 #endif /* HAVE_SSL */ 899 ldns_key_set_hmac_key(k, hmac); 900 901 ldns_key_set_flags(k, 0); 902 break; 903 case LDNS_SIGN_ECC_GOST: 904 #if defined(HAVE_SSL) && defined(USE_GOST) 905 ldns_key_set_evp_key(k, ldns_gen_gost_key()); 906 #ifndef S_SPLINT_S 907 if(!k->_key.key) { 908 ldns_key_free(k); 909 return NULL; 910 } 911 #endif /* splint */ 912 #else 913 ldns_key_free(k); 914 return NULL; 915 #endif /* HAVE_SSL and USE_GOST */ 916 break; 917 case LDNS_SIGN_ECDSAP256SHA256: 918 case LDNS_SIGN_ECDSAP384SHA384: 919 #ifdef USE_ECDSA 920 if(alg == LDNS_SIGN_ECDSAP256SHA256) 921 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 922 else if(alg == LDNS_SIGN_ECDSAP384SHA384) 923 ec = EC_KEY_new_by_curve_name(NID_secp384r1); 924 if(!ec) { 925 ldns_key_free(k); 926 return NULL; 927 } 928 if(!EC_KEY_generate_key(ec)) { 929 ldns_key_free(k); 930 EC_KEY_free(ec); 931 return NULL; 932 } 933 #ifndef S_SPLINT_S 934 k->_key.key = EVP_PKEY_new(); 935 if(!k->_key.key) { 936 ldns_key_free(k); 937 EC_KEY_free(ec); 938 return NULL; 939 } 940 if (!EVP_PKEY_assign_EC_KEY(k->_key.key, ec)) { 941 ldns_key_free(k); 942 EC_KEY_free(ec); 943 return NULL; 944 } 945 #endif /* splint */ 946 #else 947 ldns_key_free(k); 948 return NULL; 949 #endif /* ECDSA */ 950 break; 951 } 952 ldns_key_set_algorithm(k, alg); 953 return k; 954 } 955 956 void 957 ldns_key_print(FILE *output, const ldns_key *k) 958 { 959 char *str = ldns_key2str(k); 960 if (str) { 961 fprintf(output, "%s", str); 962 } else { 963 fprintf(output, "Unable to convert private key to string\n"); 964 } 965 LDNS_FREE(str); 966 } 967 968 969 void 970 ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l) 971 { 972 k->_alg = l; 973 } 974 975 void 976 ldns_key_set_flags(ldns_key *k, uint16_t f) 977 { 978 k->_extra.dnssec.flags = f; 979 } 980 981 #ifdef HAVE_SSL 982 #ifndef S_SPLINT_S 983 void 984 ldns_key_set_evp_key(ldns_key *k, EVP_PKEY *e) 985 { 986 k->_key.key = e; 987 } 988 989 void 990 ldns_key_set_rsa_key(ldns_key *k, RSA *r) 991 { 992 EVP_PKEY *key = EVP_PKEY_new(); 993 EVP_PKEY_set1_RSA(key, r); 994 k->_key.key = key; 995 } 996 997 void 998 ldns_key_set_dsa_key(ldns_key *k, DSA *d) 999 { 1000 EVP_PKEY *key = EVP_PKEY_new(); 1001 EVP_PKEY_set1_DSA(key, d); 1002 k->_key.key = key; 1003 } 1004 1005 void 1006 ldns_key_assign_rsa_key(ldns_key *k, RSA *r) 1007 { 1008 EVP_PKEY *key = EVP_PKEY_new(); 1009 EVP_PKEY_assign_RSA(key, r); 1010 k->_key.key = key; 1011 } 1012 1013 void 1014 ldns_key_assign_dsa_key(ldns_key *k, DSA *d) 1015 { 1016 EVP_PKEY *key = EVP_PKEY_new(); 1017 EVP_PKEY_assign_DSA(key, d); 1018 k->_key.key = key; 1019 } 1020 #endif /* splint */ 1021 #endif /* HAVE_SSL */ 1022 1023 void 1024 ldns_key_set_hmac_key(ldns_key *k, unsigned char *hmac) 1025 { 1026 k->_key.hmac.key = hmac; 1027 } 1028 1029 void 1030 ldns_key_set_hmac_size(ldns_key *k, size_t hmac_size) 1031 { 1032 k->_key.hmac.size = hmac_size; 1033 } 1034 1035 void 1036 ldns_key_set_external_key(ldns_key *k, void *external_key) 1037 { 1038 k->_key.external_key = external_key; 1039 } 1040 1041 void 1042 ldns_key_set_origttl(ldns_key *k, uint32_t t) 1043 { 1044 k->_extra.dnssec.orig_ttl = t; 1045 } 1046 1047 void 1048 ldns_key_set_inception(ldns_key *k, uint32_t i) 1049 { 1050 k->_extra.dnssec.inception = i; 1051 } 1052 1053 void 1054 ldns_key_set_expiration(ldns_key *k, uint32_t e) 1055 { 1056 k->_extra.dnssec.expiration = e; 1057 } 1058 1059 void 1060 ldns_key_set_pubkey_owner(ldns_key *k, ldns_rdf *r) 1061 { 1062 k->_pubkey_owner = r; 1063 } 1064 1065 void 1066 ldns_key_set_keytag(ldns_key *k, uint16_t tag) 1067 { 1068 k->_extra.dnssec.keytag = tag; 1069 } 1070 1071 /* read */ 1072 size_t 1073 ldns_key_list_key_count(const ldns_key_list *key_list) 1074 { 1075 return key_list->_key_count; 1076 } 1077 1078 ldns_key * 1079 ldns_key_list_key(const ldns_key_list *key, size_t nr) 1080 { 1081 if (nr < ldns_key_list_key_count(key)) { 1082 return key->_keys[nr]; 1083 } else { 1084 return NULL; 1085 } 1086 } 1087 1088 ldns_signing_algorithm 1089 ldns_key_algorithm(const ldns_key *k) 1090 { 1091 return k->_alg; 1092 } 1093 1094 void 1095 ldns_key_set_use(ldns_key *k, bool v) 1096 { 1097 if (k) { 1098 k->_use = v; 1099 } 1100 } 1101 1102 bool 1103 ldns_key_use(const ldns_key *k) 1104 { 1105 if (k) { 1106 return k->_use; 1107 } 1108 return false; 1109 } 1110 1111 #ifdef HAVE_SSL 1112 #ifndef S_SPLINT_S 1113 EVP_PKEY * 1114 ldns_key_evp_key(const ldns_key *k) 1115 { 1116 return k->_key.key; 1117 } 1118 1119 RSA * 1120 ldns_key_rsa_key(const ldns_key *k) 1121 { 1122 if (k->_key.key) { 1123 return EVP_PKEY_get1_RSA(k->_key.key); 1124 } else { 1125 return NULL; 1126 } 1127 } 1128 1129 DSA * 1130 ldns_key_dsa_key(const ldns_key *k) 1131 { 1132 if (k->_key.key) { 1133 return EVP_PKEY_get1_DSA(k->_key.key); 1134 } else { 1135 return NULL; 1136 } 1137 } 1138 #endif /* splint */ 1139 #endif /* HAVE_SSL */ 1140 1141 unsigned char * 1142 ldns_key_hmac_key(const ldns_key *k) 1143 { 1144 if (k->_key.hmac.key) { 1145 return k->_key.hmac.key; 1146 } else { 1147 return NULL; 1148 } 1149 } 1150 1151 size_t 1152 ldns_key_hmac_size(const ldns_key *k) 1153 { 1154 if (k->_key.hmac.size) { 1155 return k->_key.hmac.size; 1156 } else { 1157 return 0; 1158 } 1159 } 1160 1161 void * 1162 ldns_key_external_key(const ldns_key *k) 1163 { 1164 return k->_key.external_key; 1165 } 1166 1167 uint32_t 1168 ldns_key_origttl(const ldns_key *k) 1169 { 1170 return k->_extra.dnssec.orig_ttl; 1171 } 1172 1173 uint16_t 1174 ldns_key_flags(const ldns_key *k) 1175 { 1176 return k->_extra.dnssec.flags; 1177 } 1178 1179 uint32_t 1180 ldns_key_inception(const ldns_key *k) 1181 { 1182 return k->_extra.dnssec.inception; 1183 } 1184 1185 uint32_t 1186 ldns_key_expiration(const ldns_key *k) 1187 { 1188 return k->_extra.dnssec.expiration; 1189 } 1190 1191 uint16_t 1192 ldns_key_keytag(const ldns_key *k) 1193 { 1194 return k->_extra.dnssec.keytag; 1195 } 1196 1197 ldns_rdf * 1198 ldns_key_pubkey_owner(const ldns_key *k) 1199 { 1200 return k->_pubkey_owner; 1201 } 1202 1203 /* write */ 1204 void 1205 ldns_key_list_set_use(ldns_key_list *keys, bool v) 1206 { 1207 size_t i; 1208 1209 for (i = 0; i < ldns_key_list_key_count(keys); i++) { 1210 ldns_key_set_use(ldns_key_list_key(keys, i), v); 1211 } 1212 } 1213 1214 void 1215 ldns_key_list_set_key_count(ldns_key_list *key, size_t count) 1216 { 1217 key->_key_count = count; 1218 } 1219 1220 bool 1221 ldns_key_list_push_key(ldns_key_list *key_list, ldns_key *key) 1222 { 1223 size_t key_count; 1224 ldns_key **keys; 1225 1226 key_count = ldns_key_list_key_count(key_list); 1227 1228 /* grow the array */ 1229 keys = LDNS_XREALLOC( 1230 key_list->_keys, ldns_key *, key_count + 1); 1231 if (!keys) { 1232 return false; 1233 } 1234 1235 /* add the new member */ 1236 key_list->_keys = keys; 1237 key_list->_keys[key_count] = key; 1238 1239 ldns_key_list_set_key_count(key_list, key_count + 1); 1240 return true; 1241 } 1242 1243 ldns_key * 1244 ldns_key_list_pop_key(ldns_key_list *key_list) 1245 { 1246 size_t key_count; 1247 ldns_key** a; 1248 ldns_key *pop; 1249 1250 if (!key_list) { 1251 return NULL; 1252 } 1253 1254 key_count = ldns_key_list_key_count(key_list); 1255 if (key_count == 0) { 1256 return NULL; 1257 } 1258 1259 pop = ldns_key_list_key(key_list, key_count); 1260 1261 /* shrink the array */ 1262 a = LDNS_XREALLOC(key_list->_keys, ldns_key *, key_count - 1); 1263 if(a) { 1264 key_list->_keys = a; 1265 } 1266 1267 ldns_key_list_set_key_count(key_list, key_count - 1); 1268 1269 return pop; 1270 } 1271 1272 #ifdef HAVE_SSL 1273 #ifndef S_SPLINT_S 1274 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */ 1275 static bool 1276 ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size) 1277 { 1278 int i,j; 1279 1280 if (!k) { 1281 return false; 1282 } 1283 1284 if (BN_num_bytes(k->e) <= 256) { 1285 /* normally only this path is executed (small factors are 1286 * more common 1287 */ 1288 data[0] = (unsigned char) BN_num_bytes(k->e); 1289 i = BN_bn2bin(k->e, data + 1); 1290 j = BN_bn2bin(k->n, data + i + 1); 1291 *size = (uint16_t) i + j; 1292 } else if (BN_num_bytes(k->e) <= 65536) { 1293 data[0] = 0; 1294 /* BN_bn2bin does bigendian, _uint16 also */ 1295 ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(k->e)); 1296 1297 BN_bn2bin(k->e, data + 3); 1298 BN_bn2bin(k->n, data + 4 + BN_num_bytes(k->e)); 1299 *size = (uint16_t) BN_num_bytes(k->n) + 6; 1300 } else { 1301 return false; 1302 } 1303 return true; 1304 } 1305 1306 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */ 1307 static bool 1308 ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size) 1309 { 1310 uint8_t T; 1311 1312 if (!k) { 1313 return false; 1314 } 1315 1316 /* See RFC2536 */ 1317 *size = (uint16_t)BN_num_bytes(k->p); 1318 T = (*size - 64) / 8; 1319 memcpy(data, &T, 1); 1320 1321 if (T > 8) { 1322 fprintf(stderr, "DSA key with T > 8 (ie. > 1024 bits)"); 1323 fprintf(stderr, " not implemented\n"); 1324 return false; 1325 } 1326 1327 /* size = 64 + (T * 8); */ 1328 data[0] = (unsigned char)T; 1329 BN_bn2bin(k->q, data + 1 ); /* 20 octects */ 1330 BN_bn2bin(k->p, data + 21 ); /* offset octects */ 1331 BN_bn2bin(k->g, data + 21 + *size); /* offset octets */ 1332 BN_bn2bin(k->pub_key, data + 21 + *size + *size); /* offset octets */ 1333 *size = 21 + (*size * 3); 1334 return true; 1335 } 1336 1337 #ifdef USE_GOST 1338 static bool 1339 ldns_key_gost2bin(unsigned char* data, EVP_PKEY* k, uint16_t* size) 1340 { 1341 int i; 1342 unsigned char* pp = NULL; 1343 if(i2d_PUBKEY(k, &pp) != 37 + 64) { 1344 /* expect 37 byte(ASN header) and 64 byte(X and Y) */ 1345 CRYPTO_free(pp); 1346 return false; 1347 } 1348 /* omit ASN header */ 1349 for(i=0; i<64; i++) 1350 data[i] = pp[i+37]; 1351 CRYPTO_free(pp); 1352 *size = 64; 1353 return true; 1354 } 1355 #endif /* USE_GOST */ 1356 #endif /* splint */ 1357 #endif /* HAVE_SSL */ 1358 1359 ldns_rr * 1360 ldns_key2rr(const ldns_key *k) 1361 { 1362 /* this function will convert a the keydata contained in 1363 * rsa/dsa pointers to a DNSKEY rr. It will fill in as 1364 * much as it can, but it does not know about key-flags 1365 * for instance 1366 */ 1367 ldns_rr *pubkey; 1368 ldns_rdf *keybin; 1369 unsigned char *bin = NULL; 1370 uint16_t size = 0; 1371 #ifdef HAVE_SSL 1372 RSA *rsa = NULL; 1373 DSA *dsa = NULL; 1374 #endif /* HAVE_SSL */ 1375 #ifdef USE_ECDSA 1376 EC_KEY* ec; 1377 #endif 1378 int internal_data = 0; 1379 1380 if (!k) { 1381 return NULL; 1382 } 1383 pubkey = ldns_rr_new(); 1384 1385 switch (ldns_key_algorithm(k)) { 1386 case LDNS_SIGN_HMACMD5: 1387 case LDNS_SIGN_HMACSHA1: 1388 case LDNS_SIGN_HMACSHA256: 1389 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY); 1390 break; 1391 default: 1392 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_DNSKEY); 1393 break; 1394 } 1395 /* zero-th rdf - flags */ 1396 ldns_rr_push_rdf(pubkey, 1397 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 1398 ldns_key_flags(k))); 1399 /* first - proto */ 1400 ldns_rr_push_rdf(pubkey, 1401 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, LDNS_DNSSEC_KEYPROTO)); 1402 1403 if (ldns_key_pubkey_owner(k)) { 1404 ldns_rr_set_owner(pubkey, ldns_rdf_clone(ldns_key_pubkey_owner(k))); 1405 } 1406 1407 /* third - da algorithm */ 1408 switch(ldns_key_algorithm(k)) { 1409 case LDNS_SIGN_RSAMD5: 1410 case LDNS_SIGN_RSASHA1: 1411 case LDNS_SIGN_RSASHA1_NSEC3: 1412 case LDNS_SIGN_RSASHA256: 1413 case LDNS_SIGN_RSASHA512: 1414 ldns_rr_push_rdf(pubkey, 1415 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1416 #ifdef HAVE_SSL 1417 rsa = ldns_key_rsa_key(k); 1418 if (rsa) { 1419 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1420 if (!bin) { 1421 ldns_rr_free(pubkey); 1422 return NULL; 1423 } 1424 if (!ldns_key_rsa2bin(bin, rsa, &size)) { 1425 LDNS_FREE(bin); 1426 ldns_rr_free(pubkey); 1427 return NULL; 1428 } 1429 RSA_free(rsa); 1430 internal_data = 1; 1431 } 1432 #endif 1433 size++; 1434 break; 1435 case LDNS_SIGN_DSA: 1436 ldns_rr_push_rdf(pubkey, 1437 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA)); 1438 #ifdef HAVE_SSL 1439 dsa = ldns_key_dsa_key(k); 1440 if (dsa) { 1441 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1442 if (!bin) { 1443 ldns_rr_free(pubkey); 1444 return NULL; 1445 } 1446 if (!ldns_key_dsa2bin(bin, dsa, &size)) { 1447 LDNS_FREE(bin); 1448 ldns_rr_free(pubkey); 1449 return NULL; 1450 } 1451 DSA_free(dsa); 1452 internal_data = 1; 1453 } 1454 #endif /* HAVE_SSL */ 1455 break; 1456 case LDNS_SIGN_DSA_NSEC3: 1457 ldns_rr_push_rdf(pubkey, 1458 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA_NSEC3)); 1459 #ifdef HAVE_SSL 1460 dsa = ldns_key_dsa_key(k); 1461 if (dsa) { 1462 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1463 if (!bin) { 1464 ldns_rr_free(pubkey); 1465 return NULL; 1466 } 1467 if (!ldns_key_dsa2bin(bin, dsa, &size)) { 1468 LDNS_FREE(bin); 1469 ldns_rr_free(pubkey); 1470 return NULL; 1471 } 1472 DSA_free(dsa); 1473 internal_data = 1; 1474 } 1475 #endif /* HAVE_SSL */ 1476 break; 1477 case LDNS_SIGN_ECC_GOST: 1478 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 1479 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1480 #if defined(HAVE_SSL) && defined(USE_GOST) 1481 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1482 if (!bin) { 1483 ldns_rr_free(pubkey); 1484 return NULL; 1485 } 1486 #ifndef S_SPLINT_S 1487 if (!ldns_key_gost2bin(bin, k->_key.key, &size)) { 1488 LDNS_FREE(bin); 1489 ldns_rr_free(pubkey); 1490 return NULL; 1491 } 1492 #endif /* splint */ 1493 internal_data = 1; 1494 #else 1495 ldns_rr_free(pubkey); 1496 return NULL; 1497 #endif /* HAVE_SSL and USE_GOST */ 1498 break; 1499 case LDNS_SIGN_ECDSAP256SHA256: 1500 case LDNS_SIGN_ECDSAP384SHA384: 1501 #ifdef USE_ECDSA 1502 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 1503 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1504 bin = NULL; 1505 #ifndef S_SPLINT_S 1506 ec = EVP_PKEY_get1_EC_KEY(k->_key.key); 1507 #endif 1508 EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED); 1509 size = (uint16_t)i2o_ECPublicKey(ec, NULL); 1510 if(!i2o_ECPublicKey(ec, &bin)) { 1511 EC_KEY_free(ec); 1512 ldns_rr_free(pubkey); 1513 return NULL; 1514 } 1515 if(size > 1) { 1516 /* move back one byte to shave off the 0x02 1517 * 'uncompressed' indicator that openssl made 1518 * Actually its 0x04 (from implementation). 1519 */ 1520 assert(bin[0] == POINT_CONVERSION_UNCOMPRESSED); 1521 size -= 1; 1522 memmove(bin, bin+1, size); 1523 } 1524 /* down the reference count for ec, its still assigned 1525 * to the pkey */ 1526 EC_KEY_free(ec); 1527 internal_data = 1; 1528 #else 1529 ldns_rr_free(pubkey); 1530 return NULL; 1531 #endif /* ECDSA */ 1532 break; 1533 case LDNS_SIGN_HMACMD5: 1534 case LDNS_SIGN_HMACSHA1: 1535 case LDNS_SIGN_HMACSHA256: 1536 bin = LDNS_XMALLOC(unsigned char, ldns_key_hmac_size(k)); 1537 if (!bin) { 1538 ldns_rr_free(pubkey); 1539 return NULL; 1540 } 1541 ldns_rr_push_rdf(pubkey, 1542 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, 1543 ldns_key_algorithm(k))); 1544 size = ldns_key_hmac_size(k); 1545 memcpy(bin, ldns_key_hmac_key(k), size); 1546 internal_data = 1; 1547 break; 1548 } 1549 /* fourth the key bin material */ 1550 if (internal_data) { 1551 keybin = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, size, bin); 1552 LDNS_FREE(bin); 1553 ldns_rr_push_rdf(pubkey, keybin); 1554 } 1555 return pubkey; 1556 } 1557 1558 void 1559 ldns_key_free(ldns_key *key) 1560 { 1561 LDNS_FREE(key); 1562 } 1563 1564 void 1565 ldns_key_deep_free(ldns_key *key) 1566 { 1567 unsigned char* hmac; 1568 if (ldns_key_pubkey_owner(key)) { 1569 ldns_rdf_deep_free(ldns_key_pubkey_owner(key)); 1570 } 1571 #ifdef HAVE_SSL 1572 if (ldns_key_evp_key(key)) { 1573 EVP_PKEY_free(ldns_key_evp_key(key)); 1574 } 1575 #endif /* HAVE_SSL */ 1576 if (ldns_key_hmac_key(key)) { 1577 hmac = ldns_key_hmac_key(key); 1578 LDNS_FREE(hmac); 1579 } 1580 LDNS_FREE(key); 1581 } 1582 1583 void 1584 ldns_key_list_free(ldns_key_list *key_list) 1585 { 1586 size_t i; 1587 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1588 ldns_key_deep_free(ldns_key_list_key(key_list, i)); 1589 } 1590 LDNS_FREE(key_list->_keys); 1591 LDNS_FREE(key_list); 1592 } 1593 1594 ldns_rr * 1595 ldns_read_anchor_file(const char *filename) 1596 { 1597 FILE *fp; 1598 /*char line[LDNS_MAX_PACKETLEN];*/ 1599 char *line = LDNS_XMALLOC(char, LDNS_MAX_PACKETLEN); 1600 int c; 1601 size_t i = 0; 1602 ldns_rr *r; 1603 ldns_status status; 1604 if(!line) { 1605 return NULL; 1606 } 1607 1608 fp = fopen(filename, "r"); 1609 if (!fp) { 1610 fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); 1611 LDNS_FREE(line); 1612 return NULL; 1613 } 1614 1615 while ((c = fgetc(fp)) && i+1 < LDNS_MAX_PACKETLEN && c != EOF) { 1616 line[i] = c; 1617 i++; 1618 } 1619 line[i] = '\0'; 1620 1621 fclose(fp); 1622 1623 if (i <= 0) { 1624 fprintf(stderr, "nothing read from %s", filename); 1625 LDNS_FREE(line); 1626 return NULL; 1627 } else { 1628 status = ldns_rr_new_frm_str(&r, line, 0, NULL, NULL); 1629 if (status == LDNS_STATUS_OK && (ldns_rr_get_type(r) == LDNS_RR_TYPE_DNSKEY || ldns_rr_get_type(r) == LDNS_RR_TYPE_DS)) { 1630 LDNS_FREE(line); 1631 return r; 1632 } else { 1633 fprintf(stderr, "Error creating DNSKEY or DS rr from %s: %s\n", filename, ldns_get_errorstr_by_id(status)); 1634 LDNS_FREE(line); 1635 return NULL; 1636 } 1637 } 1638 } 1639 1640 char * 1641 ldns_key_get_file_base_name(ldns_key *key) 1642 { 1643 ldns_buffer *buffer; 1644 char *file_base_name; 1645 1646 buffer = ldns_buffer_new(255); 1647 ldns_buffer_printf(buffer, "K"); 1648 (void)ldns_rdf2buffer_str_dname(buffer, ldns_key_pubkey_owner(key)); 1649 ldns_buffer_printf(buffer, 1650 "+%03u+%05u", 1651 ldns_key_algorithm(key), 1652 ldns_key_keytag(key)); 1653 file_base_name = ldns_buffer_export(buffer); 1654 ldns_buffer_free(buffer); 1655 return file_base_name; 1656 } 1657 1658 int ldns_key_algo_supported(int algo) 1659 { 1660 ldns_lookup_table *lt = ldns_signing_algorithms; 1661 while(lt->name) { 1662 if(lt->id == algo) 1663 return 1; 1664 lt++; 1665 } 1666 return 0; 1667 } 1668 1669 ldns_signing_algorithm ldns_get_signing_algorithm_by_name(const char* name) 1670 { 1671 /* list of (signing algorithm id, alias_name) */ 1672 ldns_lookup_table aliases[] = { 1673 /* from bind dnssec-keygen */ 1674 {LDNS_SIGN_HMACMD5, "HMAC-MD5"}, 1675 {LDNS_SIGN_DSA_NSEC3, "NSEC3DSA"}, 1676 {LDNS_SIGN_RSASHA1_NSEC3, "NSEC3RSASHA1"}, 1677 /* old ldns usage, now RFC names */ 1678 {LDNS_SIGN_DSA_NSEC3, "DSA_NSEC3" }, 1679 {LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1_NSEC3" }, 1680 #ifdef USE_GOST 1681 {LDNS_SIGN_ECC_GOST, "GOST"}, 1682 #endif 1683 /* compat with possible output */ 1684 {LDNS_DH, "DH"}, 1685 {LDNS_ECC, "ECC"}, 1686 {LDNS_INDIRECT, "INDIRECT"}, 1687 {LDNS_PRIVATEDNS, "PRIVATEDNS"}, 1688 {LDNS_PRIVATEOID, "PRIVATEOID"}, 1689 {0, NULL}}; 1690 ldns_lookup_table* lt = ldns_signing_algorithms; 1691 while(lt->name) { 1692 if(strcasecmp(lt->name, name) == 0) 1693 return lt->id; 1694 lt++; 1695 } 1696 lt = aliases; 1697 while(lt->name) { 1698 if(strcasecmp(lt->name, name) == 0) 1699 return lt->id; 1700 lt++; 1701 } 1702 if(atoi(name) != 0) 1703 return atoi(name); 1704 return 0; 1705 } 1706