1 /** dnssec_verify */ 2 3 #ifndef LDNS_DNSSEC_SIGN_H 4 #define LDNS_DNSSEC_SIGN_H 5 6 #include <ldns/dnssec.h> 7 8 #ifdef __cplusplus 9 extern "C" { 10 #endif 11 12 /* sign functions */ 13 14 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/ 15 #define LDNS_SIGN_DNSKEY_WITH_ZSK 1 16 17 /** 18 * Create an empty RRSIG RR (i.e. without the actual signature data) 19 * \param[in] rrset The RRset to create the signature for 20 * \param[in] key The key that will create the signature 21 * \return signature rr 22 */ 23 ldns_rr * 24 ldns_create_empty_rrsig(ldns_rr_list *rrset, 25 ldns_key *key); 26 27 /** 28 * Sign the buffer which contains the wiredata of an rrset, and the 29 * corresponding empty rrsig rr with the given key 30 * \param[in] sign_buf the buffer with data to sign 31 * \param[in] key the key to sign with 32 * \return an rdata field with the signature data 33 */ 34 ldns_rdf * 35 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key); 36 37 /** 38 * Sign an rrset 39 * \param[in] rrset the rrset 40 * \param[in] keys the keys to use 41 * \return a rr_list with the signatures 42 */ 43 ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys); 44 45 #ifdef HAVE_SSL 46 /** 47 * Sign a buffer with the DSA key (hash with SHA1) 48 * \param[in] to_sign buffer with the data 49 * \param[in] key the key to use 50 * \return a ldns_rdf with the signed data 51 */ 52 ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key); 53 54 /** 55 * Sign data with EVP (general method for different algorithms) 56 * 57 * \param[in] to_sign The ldns_buffer containing raw data that is 58 * to be signed 59 * \param[in] key The EVP_PKEY key structure to sign with 60 * \param[in] digest_type The digest algorithm to use in the creation of 61 * the signature 62 * \return ldns_rdf for the RRSIG ldns_rr 63 */ 64 ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign, 65 EVP_PKEY *key, 66 const EVP_MD *digest_type); 67 68 /** 69 * Sign a buffer with the RSA key (hash with SHA1) 70 * \param[in] to_sign buffer with the data 71 * \param[in] key the key to use 72 * \return a ldns_rdf with the signed data 73 */ 74 ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key); 75 76 /** 77 * Sign a buffer with the RSA key (hash with MD5) 78 * \param[in] to_sign buffer with the data 79 * \param[in] key the key to use 80 * \return a ldns_rdf with the signed data 81 */ 82 ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key); 83 #endif /* HAVE_SSL */ 84 85 /** 86 * Finds the first dnssec_name node in the rbtree that has not been marked 87 * as glue, starting at the given node 88 * 89 * \param[in] node the first node to check 90 * \return the first node that has not been marked as glue, or NULL 91 * if not found (TODO: make that LDNS_RBTREE_NULL?) 92 */ 93 ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node); 94 95 /** 96 * Adds NSEC records to the given dnssec_zone 97 * 98 * \param[in] zone the zone to add the records to 99 * \param[in] new_rrs ldns_rr's created by this function are 100 * added to this rr list, so the caller can free them later 101 * \return LDNS_STATUS_OK on success, an error code otherwise 102 */ 103 ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone, 104 ldns_rr_list *new_rrs); 105 106 /** 107 * Adds NSEC3 records to the zone 108 */ 109 ldns_status 110 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone, 111 ldns_rr_list *new_rrs, 112 uint8_t algorithm, 113 uint8_t flags, 114 uint16_t iterations, 115 uint8_t salt_length, 116 uint8_t *salt); 117 118 /** 119 * remove signatures if callback function tells to 120 * 121 * \param[in] signatures list of signatures to check, and 122 * possibly remove, depending on the value of the 123 * callback 124 * \param[in] key_list these are marked to be used or not, 125 * on the return value of the callback 126 * \param[in] func this function is called to specify what to 127 * do with each signature (and corresponding key) 128 * \param[in] arg Optional argument for the callback function 129 * \returns pointer to the new signatures rrs (the original 130 * passed to this function may have been removed) 131 */ 132 ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures, 133 ldns_key_list *key_list, 134 int (*func)(ldns_rr *, void *), 135 void *arg); 136 137 /** 138 * Adds signatures to the zone 139 * 140 * \param[in] zone the zone to add RRSIG Resource Records to 141 * \param[in] new_rrs the RRSIG RRs that are created are also 142 * added to this list, so the caller can free them 143 * later 144 * \param[in] key_list list of keys to sign with. 145 * \param[in] func Callback function to decide what keys to 146 * use and what to do with old signatures 147 * \param[in] arg Optional argument for the callback function 148 * \param[in] flags option flags for signing process. 0 makes DNSKEY 149 * RRset signed with the minimal key set, that is only SEP keys are used 150 * for signing. If there are no SEP keys available, non-SEP keys will 151 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all 152 * keys. 0 is the default. 153 * \return LDNS_STATUS_OK on success, error otherwise 154 */ 155 ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone, 156 ldns_rr_list *new_rrs, 157 ldns_key_list *key_list, 158 int (*func)(ldns_rr *, void*), 159 void *arg, 160 int flags); 161 162 /** 163 * Adds signatures to the zone 164 * 165 * \param[in] zone the zone to add RRSIG Resource Records to 166 * \param[in] new_rrs the RRSIG RRs that are created are also 167 * added to this list, so the caller can free them 168 * later 169 * \param[in] key_list list of keys to sign with. 170 * \param[in] func Callback function to decide what keys to 171 * use and what to do with old signatures 172 * \param[in] arg Optional argument for the callback function 173 * \return LDNS_STATUS_OK on success, error otherwise 174 */ 175 ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, 176 ldns_rr_list *new_rrs, 177 ldns_key_list *key_list, 178 int (*func)(ldns_rr *, void*), 179 void *arg); 180 181 /** 182 * signs the given zone with the given keys 183 * 184 * \param[in] zone the zone to sign 185 * \param[in] key_list the list of keys to sign the zone with 186 * \param[in] new_rrs newly created resource records are added to this list, to free them later 187 * \param[in] func callback function that decides what to do with old signatures 188 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: 189 * LDNS_SIGNATURE_LEAVE_ADD_NEW: 190 * leave the signature and add a new one for the corresponding key 191 * LDNS_SIGNATURE_REMOVE_ADD_NEW: 192 * remove the signature and replace is with a new one from the same key 193 * LDNS_SIGNATURE_LEAVE_NO_ADD: 194 * leave the signature and do not add a new one with the corresponding key 195 * LDNS_SIGNATURE_REMOVE_NO_ADD: 196 * remove the signature and do not replace 197 * 198 * \param[in] arg optional argument for the callback function 199 * \param[in] flags option flags for signing process. 0 makes DNSKEY 200 * RRset signed with the minimal key set, that is only SEP keys are used 201 * for signing. If there are no SEP keys available, non-SEP keys will 202 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all 203 * keys. 0 is the default. 204 * \return LDNS_STATUS_OK on success, an error code otherwise 205 */ 206 ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone, 207 ldns_rr_list *new_rrs, 208 ldns_key_list *key_list, 209 int (*func)(ldns_rr *, void *), 210 void *arg, 211 int flags); 212 213 /** 214 * signs the given zone with the given new zone, with NSEC3 215 * 216 * \param[in] zone the zone to sign 217 * \param[in] key_list the list of keys to sign the zone with 218 * \param[in] new_rrs newly created resource records are added to this list, to free them later 219 * \param[in] func callback function that decides what to do with old signatures 220 * \param[in] arg optional argument for the callback function 221 * \param[in] algorithm the NSEC3 hashing algorithm to use 222 * \param[in] flags NSEC3 flags 223 * \param[in] iterations the number of NSEC3 hash iterations to use 224 * \param[in] salt_length the length (in octets) of the NSEC3 salt 225 * \param[in] salt the NSEC3 salt data 226 * \param[in] signflags option flags for signing process. 0 is the default. 227 * \return LDNS_STATUS_OK on success, an error code otherwise 228 */ 229 ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone, 230 ldns_rr_list *new_rrs, 231 ldns_key_list *key_list, 232 int (*func)(ldns_rr *, void *), 233 void *arg, 234 uint8_t algorithm, 235 uint8_t flags, 236 uint16_t iterations, 237 uint8_t salt_length, 238 uint8_t *salt, 239 int signflags); 240 241 /** 242 * signs the given zone with the given keys 243 * 244 * \param[in] zone the zone to sign 245 * \param[in] key_list the list of keys to sign the zone with 246 * \param[in] new_rrs newly created resource records are added to this list, to free them later 247 * \param[in] func callback function that decides what to do with old signatures 248 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: 249 * LDNS_SIGNATURE_LEAVE_ADD_NEW: 250 * leave the signature and add a new one for the corresponding key 251 * LDNS_SIGNATURE_REMOVE_ADD_NEW: 252 * remove the signature and replace is with a new one from the same key 253 * LDNS_SIGNATURE_LEAVE_NO_ADD: 254 * leave the signature and do not add a new one with the corresponding key 255 * LDNS_SIGNATURE_REMOVE_NO_ADD: 256 * remove the signature and do not replace 257 * 258 * \param[in] arg optional argument for the callback function 259 * \return LDNS_STATUS_OK on success, an error code otherwise 260 */ 261 ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone, 262 ldns_rr_list *new_rrs, 263 ldns_key_list *key_list, 264 int (*func)(ldns_rr *, void *), 265 void *arg); 266 267 /** 268 * signs the given zone with the given new zone, with NSEC3 269 * 270 * \param[in] zone the zone to sign 271 * \param[in] key_list the list of keys to sign the zone with 272 * \param[in] new_rrs newly created resource records are added to this list, to free them later 273 * \param[in] func callback function that decides what to do with old signatures 274 * \param[in] arg optional argument for the callback function 275 * \param[in] algorithm the NSEC3 hashing algorithm to use 276 * \param[in] flags NSEC3 flags 277 * \param[in] iterations the number of NSEC3 hash iterations to use 278 * \param[in] salt_length the length (in octets) of the NSEC3 salt 279 * \param[in] salt the NSEC3 salt data 280 * \return LDNS_STATUS_OK on success, an error code otherwise 281 */ 282 ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone, 283 ldns_rr_list *new_rrs, 284 ldns_key_list *key_list, 285 int (*func)(ldns_rr *, void *), 286 void *arg, 287 uint8_t algorithm, 288 uint8_t flags, 289 uint16_t iterations, 290 uint8_t salt_length, 291 uint8_t *salt); 292 293 /** 294 * Signs the zone, and returns a newly allocated signed zone 295 * \param[in] zone the zone to sign 296 * \param[in] key_list list of keys to sign with 297 * \return signed zone 298 */ 299 ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list); 300 301 /** 302 * Signs the zone with NSEC3, and returns a newly allocated signed zone 303 * \param[in] zone the zone to sign 304 * \param[in] key_list list of keys to sign with 305 * \param[in] algorithm the NSEC3 hashing algorithm to use 306 * \param[in] flags NSEC3 flags 307 * \param[in] iterations the number of NSEC3 hash iterations to use 308 * \param[in] salt_length the length (in octets) of the NSEC3 salt 309 * \param[in] salt the NSEC3 salt data 310 * \return signed zone 311 */ 312 ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt); 313 314 #ifdef __cplusplus 315 } 316 #endif 317 318 #endif 319