1 /* 2 * keys.c handle private keys for use in DNSSEC 3 * 4 * This module should hide some of the openSSL complexities 5 * and give a general interface for private keys and hmac 6 * handling 7 * 8 * (c) NLnet Labs, 2004-2006 9 * 10 * See the file LICENSE for the license 11 */ 12 13 #include <ldns/config.h> 14 15 #include <ldns/ldns.h> 16 17 #ifdef HAVE_SSL 18 #include <openssl/ssl.h> 19 #include <openssl/rand.h> 20 #include <openssl/bn.h> 21 #include <openssl/rsa.h> 22 #ifdef USE_DSA 23 #include <openssl/dsa.h> 24 #endif 25 #ifndef OPENSSL_NO_ENGINE 26 #include <openssl/engine.h> 27 #endif 28 #endif /* HAVE_SSL */ 29 30 ldns_lookup_table ldns_signing_algorithms[] = { 31 { LDNS_SIGN_RSAMD5, "RSAMD5" }, 32 { LDNS_SIGN_RSASHA1, "RSASHA1" }, 33 { LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1-NSEC3-SHA1" }, 34 #ifdef USE_SHA2 35 { LDNS_SIGN_RSASHA256, "RSASHA256" }, 36 { LDNS_SIGN_RSASHA512, "RSASHA512" }, 37 #endif 38 #ifdef USE_GOST 39 { LDNS_SIGN_ECC_GOST, "ECC-GOST" }, 40 #endif 41 #ifdef USE_ECDSA 42 { LDNS_SIGN_ECDSAP256SHA256, "ECDSAP256SHA256" }, 43 { LDNS_SIGN_ECDSAP384SHA384, "ECDSAP384SHA384" }, 44 #endif 45 #ifdef USE_ED25519 46 { LDNS_SIGN_ED25519, "ED25519" }, 47 #endif 48 #ifdef USE_ED448 49 { LDNS_SIGN_ED448, "ED448" }, 50 #endif 51 #ifdef USE_DSA 52 { LDNS_SIGN_DSA, "DSA" }, 53 { LDNS_SIGN_DSA_NSEC3, "DSA-NSEC3-SHA1" }, 54 #endif 55 { LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" }, 56 { LDNS_SIGN_HMACSHA1, "hmac-sha1" }, 57 { LDNS_SIGN_HMACSHA256, "hmac-sha256" }, 58 { LDNS_SIGN_HMACSHA224, "hmac-sha224" }, 59 { LDNS_SIGN_HMACSHA384, "hmac-sha384" }, 60 { LDNS_SIGN_HMACSHA512, "hmac-sha512" }, 61 { 0, NULL } 62 }; 63 64 ldns_key_list * 65 ldns_key_list_new(void) 66 { 67 ldns_key_list *key_list = LDNS_MALLOC(ldns_key_list); 68 if (!key_list) { 69 return NULL; 70 } else { 71 key_list->_key_count = 0; 72 key_list->_keys = NULL; 73 return key_list; 74 } 75 } 76 77 ldns_key * 78 ldns_key_new(void) 79 { 80 ldns_key *newkey; 81 82 newkey = LDNS_MALLOC(ldns_key); 83 if (!newkey) { 84 return NULL; 85 } else { 86 /* some defaults - not sure wether to do this */ 87 ldns_key_set_use(newkey, true); 88 ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY); 89 ldns_key_set_origttl(newkey, 0); 90 ldns_key_set_keytag(newkey, 0); 91 ldns_key_set_inception(newkey, 0); 92 ldns_key_set_expiration(newkey, 0); 93 ldns_key_set_pubkey_owner(newkey, NULL); 94 #ifdef HAVE_SSL 95 ldns_key_set_evp_key(newkey, NULL); 96 #endif /* HAVE_SSL */ 97 ldns_key_set_hmac_key(newkey, NULL); 98 ldns_key_set_external_key(newkey, NULL); 99 return newkey; 100 } 101 } 102 103 ldns_status 104 ldns_key_new_frm_fp(ldns_key **k, FILE *fp) 105 { 106 return ldns_key_new_frm_fp_l(k, fp, NULL); 107 } 108 109 #if defined(HAVE_SSL) && !defined(OPENSSL_NO_ENGINE) 110 ldns_status 111 ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm alg) 112 { 113 ldns_key *k; 114 115 k = ldns_key_new(); 116 if(!k) return LDNS_STATUS_MEM_ERR; 117 #ifndef S_SPLINT_S 118 k->_key.key = ENGINE_load_private_key(e, key_id, UI_OpenSSL(), NULL); 119 if(!k->_key.key) { 120 ldns_key_free(k); 121 return LDNS_STATUS_ERR; 122 } 123 ldns_key_set_algorithm(k, (ldns_signing_algorithm) alg); 124 if (!k->_key.key) { 125 ldns_key_free(k); 126 return LDNS_STATUS_ENGINE_KEY_NOT_LOADED; 127 } 128 #endif /* splint */ 129 *key = k; 130 return LDNS_STATUS_OK; 131 } 132 #endif 133 134 #ifdef USE_GOST 135 /** store GOST engine reference loaded into OpenSSL library */ 136 ENGINE* ldns_gost_engine = NULL; 137 138 int 139 ldns_key_EVP_load_gost_id(void) 140 { 141 static int gost_id = 0; 142 const EVP_PKEY_ASN1_METHOD* meth; 143 ENGINE* e; 144 145 if(gost_id) return gost_id; 146 147 /* see if configuration loaded gost implementation from other engine*/ 148 meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1); 149 if(meth) { 150 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); 151 return gost_id; 152 } 153 154 /* see if engine can be loaded already */ 155 e = ENGINE_by_id("gost"); 156 if(!e) { 157 /* load it ourself, in case statically linked */ 158 ENGINE_load_builtin_engines(); 159 ENGINE_load_dynamic(); 160 e = ENGINE_by_id("gost"); 161 } 162 if(!e) { 163 /* no gost engine in openssl */ 164 return 0; 165 } 166 if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { 167 ENGINE_finish(e); 168 ENGINE_free(e); 169 return 0; 170 } 171 172 meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1); 173 if(!meth) { 174 /* algo not found */ 175 ENGINE_finish(e); 176 ENGINE_free(e); 177 return 0; 178 } 179 /* Note: do not ENGINE_finish and ENGINE_free the acquired engine 180 * on some platforms this frees up the meth and unloads gost stuff */ 181 ldns_gost_engine = e; 182 183 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); 184 return gost_id; 185 } 186 187 void ldns_key_EVP_unload_gost(void) 188 { 189 if(ldns_gost_engine) { 190 ENGINE_finish(ldns_gost_engine); 191 ENGINE_free(ldns_gost_engine); 192 ldns_gost_engine = NULL; 193 } 194 } 195 196 /** read GOST private key */ 197 static EVP_PKEY* 198 ldns_key_new_frm_fp_gost_l(FILE* fp, int* line_nr) 199 { 200 char token[16384]; 201 const unsigned char* pp; 202 int gost_id; 203 EVP_PKEY* pkey; 204 ldns_rdf* b64rdf = NULL; 205 206 gost_id = ldns_key_EVP_load_gost_id(); 207 if(!gost_id) 208 return NULL; 209 210 if (ldns_fget_keyword_data_l(fp, "GostAsn1", ": ", token, "\n", 211 sizeof(token), line_nr) == -1) 212 return NULL; 213 while(strlen(token) < 96) { 214 /* read more b64 from the file, b64 split on multiple lines */ 215 if(ldns_fget_token_l(fp, token+strlen(token), "\n", 216 sizeof(token)-strlen(token), line_nr) == -1) 217 return NULL; 218 } 219 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 220 return NULL; 221 pp = (unsigned char*)ldns_rdf_data(b64rdf); 222 pkey = d2i_PrivateKey(gost_id, NULL, &pp, (int)ldns_rdf_size(b64rdf)); 223 ldns_rdf_deep_free(b64rdf); 224 return pkey; 225 } 226 #endif 227 228 #ifdef USE_ECDSA 229 /** calculate public key from private key */ 230 static int 231 ldns_EC_KEY_calc_public(EC_KEY* ec) 232 { 233 EC_POINT* pub_key; 234 const EC_GROUP* group; 235 group = EC_KEY_get0_group(ec); 236 pub_key = EC_POINT_new(group); 237 if(!pub_key) return 0; 238 if(!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group))) { 239 EC_POINT_free(pub_key); 240 return 0; 241 } 242 if(!EC_POINT_mul(group, pub_key, EC_KEY_get0_private_key(ec), 243 NULL, NULL, NULL)) { 244 EC_POINT_free(pub_key); 245 return 0; 246 } 247 if(EC_KEY_set_public_key(ec, pub_key) == 0) { 248 EC_POINT_free(pub_key); 249 return 0; 250 } 251 EC_POINT_free(pub_key); 252 return 1; 253 } 254 255 /** read ECDSA private key */ 256 static EVP_PKEY* 257 ldns_key_new_frm_fp_ecdsa_l(FILE* fp, ldns_algorithm alg, int* line_nr) 258 { 259 char token[16384]; 260 ldns_rdf* b64rdf = NULL; 261 unsigned char* pp; 262 BIGNUM* bn; 263 EVP_PKEY* evp_key; 264 EC_KEY* ec; 265 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n", 266 sizeof(token), line_nr) == -1) 267 return NULL; 268 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 269 return NULL; 270 pp = (unsigned char*)ldns_rdf_data(b64rdf); 271 272 if(alg == LDNS_ECDSAP256SHA256) 273 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 274 else if(alg == LDNS_ECDSAP384SHA384) 275 ec = EC_KEY_new_by_curve_name(NID_secp384r1); 276 else ec = NULL; 277 if(!ec) { 278 ldns_rdf_deep_free(b64rdf); 279 return NULL; 280 } 281 bn = BN_bin2bn(pp, (int)ldns_rdf_size(b64rdf), NULL); 282 ldns_rdf_deep_free(b64rdf); 283 if(!bn) { 284 EC_KEY_free(ec); 285 return NULL; 286 } 287 EC_KEY_set_private_key(ec, bn); 288 BN_free(bn); 289 if(!ldns_EC_KEY_calc_public(ec)) { 290 EC_KEY_free(ec); 291 return NULL; 292 } 293 294 evp_key = EVP_PKEY_new(); 295 if(!evp_key) { 296 EC_KEY_free(ec); 297 return NULL; 298 } 299 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) { 300 EVP_PKEY_free(evp_key); 301 EC_KEY_free(ec); 302 return NULL; 303 } 304 return evp_key; 305 } 306 #endif 307 308 #ifdef USE_ED25519 309 /** turn private key buffer into EC_KEY structure */ 310 static EVP_PKEY* 311 ldns_ed25519_priv_raw(uint8_t* pkey, int plen) 312 { 313 const unsigned char* pp; 314 uint8_t buf[256]; 315 int buflen = 0; 316 uint8_t pre[] = {0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 317 0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20}; 318 int pre_len = 16; 319 /* ASN looks like this for ED25519 public key 320 * 302a300506032b6570032100 <32byteskey> 321 * for ED25519 private key 322 * 302e020100300506032b657004220420 <32bytes> 323 * 324 * for X25519 this was 325 * 30320201010420 <32byteskey> 326 * andparameters a00b06092b06010401da470f01 327 * (noparameters, preamble is 30250201010420). 328 * the key is reversed (little endian). 329 */ 330 buflen = pre_len + plen; 331 if((size_t)buflen > sizeof(buf)) 332 return NULL; 333 memmove(buf, pre, pre_len); 334 memmove(buf+pre_len, pkey, plen); 335 /* reverse the pkey into the buf - key is not reversed it seems */ 336 /* for(i=0; i<plen; i++) 337 buf[pre_len+i] = pkey[plen-1-i]; */ 338 pp = buf; 339 return d2i_PrivateKey(NID_ED25519, NULL, &pp, buflen); 340 } 341 342 /** read ED25519 private key */ 343 static EVP_PKEY* 344 ldns_key_new_frm_fp_ed25519_l(FILE* fp, int* line_nr) 345 { 346 char token[16384]; 347 ldns_rdf* b64rdf = NULL; 348 EVP_PKEY* evp_key; 349 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n", 350 sizeof(token), line_nr) == -1) 351 return NULL; 352 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 353 return NULL; 354 355 /* we use d2i_ECPrivateKey because it calculates the public key 356 * from the private part, which others, EC_KEY_set_private_key, 357 * and o2i methods, do not do */ 358 /* for that the private key has to be encoded in ASN1 notation 359 * with a ED25519 prefix on it */ 360 361 evp_key = ldns_ed25519_priv_raw(ldns_rdf_data(b64rdf), 362 (int)ldns_rdf_size(b64rdf)); 363 ldns_rdf_deep_free(b64rdf); 364 return evp_key; 365 } 366 #endif 367 368 #ifdef USE_ED448 369 /** turn private key buffer into EC_KEY structure */ 370 static EVP_PKEY* 371 ldns_ed448_priv_raw(uint8_t* pkey, int plen) 372 { 373 const unsigned char* pp; 374 uint8_t buf[256]; 375 int buflen = 0; 376 uint8_t pre[] = {0x30, 0x47, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x71, 0x04, 0x3b, 0x04, 0x39}; 377 int pre_len = 16; 378 /* ASN looks like this for ED448 379 * 3047020100300506032b6571043b0439 <57bytekey> 380 * the key is reversed (little endian). 381 */ 382 buflen = pre_len + plen; 383 if((size_t)buflen > sizeof(buf)) 384 return NULL; 385 memmove(buf, pre, pre_len); 386 memmove(buf+pre_len, pkey, plen); 387 /* reverse the pkey into the buf - key is not reversed it seems */ 388 /* for(i=0; i<plen; i++) 389 buf[pre_len+i] = pkey[plen-1-i]; */ 390 pp = buf; 391 return d2i_PrivateKey(NID_ED448, NULL, &pp, buflen); 392 } 393 394 /** read ED448 private key */ 395 static EVP_PKEY* 396 ldns_key_new_frm_fp_ed448_l(FILE* fp, int* line_nr) 397 { 398 char token[16384]; 399 ldns_rdf* b64rdf = NULL; 400 EVP_PKEY* evp_key; 401 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n", 402 sizeof(token), line_nr) == -1) 403 return NULL; 404 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 405 return NULL; 406 407 /* convert private key into ASN notation and then convert that */ 408 evp_key = ldns_ed448_priv_raw(ldns_rdf_data(b64rdf), 409 (int)ldns_rdf_size(b64rdf)); 410 ldns_rdf_deep_free(b64rdf); 411 return evp_key; 412 } 413 #endif 414 415 ldns_status 416 ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr) 417 { 418 ldns_key *k; 419 char *d; 420 ldns_signing_algorithm alg; 421 ldns_rr *key_rr; 422 #ifdef HAVE_SSL 423 RSA *rsa; 424 #ifdef USE_DSA 425 DSA *dsa; 426 #endif 427 unsigned char *hmac; 428 size_t hmac_size; 429 #endif /* HAVE_SSL */ 430 431 k = ldns_key_new(); 432 433 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 434 if (!k || !d) { 435 ldns_key_free(k); 436 LDNS_FREE(d); 437 return LDNS_STATUS_MEM_ERR; 438 } 439 440 alg = 0; 441 442 /* the file is highly structured. Do this in sequence */ 443 /* RSA: 444 * Private-key-format: v1.x. 445 * Algorithm: 1 (RSA) 446 447 */ 448 /* get the key format version number */ 449 if (ldns_fget_keyword_data_l(fp, "Private-key-format", ": ", d, "\n", 450 LDNS_MAX_LINELEN, line_nr) == -1) { 451 /* no version information */ 452 ldns_key_free(k); 453 LDNS_FREE(d); 454 return LDNS_STATUS_SYNTAX_ERR; 455 } 456 if (strncmp(d, "v1.", 3) != 0) { 457 ldns_key_free(k); 458 LDNS_FREE(d); 459 return LDNS_STATUS_SYNTAX_VERSION_ERR; 460 } 461 462 /* get the algorithm type, our file function strip ( ) so there are 463 * not in the return string! */ 464 if (ldns_fget_keyword_data_l(fp, "Algorithm", ": ", d, "\n", 465 LDNS_MAX_LINELEN, line_nr) == -1) { 466 /* no alg information */ 467 ldns_key_free(k); 468 LDNS_FREE(d); 469 return LDNS_STATUS_SYNTAX_ALG_ERR; 470 } 471 472 if (strncmp(d, "1 RSA", 2) == 0) { 473 alg = LDNS_SIGN_RSAMD5; 474 } 475 if (strncmp(d, "2 DH", 2) == 0) { 476 alg = (ldns_signing_algorithm)LDNS_DH; 477 } 478 if (strncmp(d, "3 DSA", 2) == 0) { 479 #ifdef USE_DSA 480 alg = LDNS_SIGN_DSA; 481 #else 482 # ifdef STDERR_MSGS 483 fprintf(stderr, "Warning: DSA not compiled into this "); 484 fprintf(stderr, "version of ldns\n"); 485 # endif 486 #endif 487 } 488 if (strncmp(d, "4 ECC", 2) == 0) { 489 alg = (ldns_signing_algorithm)LDNS_ECC; 490 } 491 if (strncmp(d, "5 RSASHA1", 2) == 0) { 492 alg = LDNS_SIGN_RSASHA1; 493 } 494 if (strncmp(d, "6 DSA", 2) == 0) { 495 #ifdef USE_DSA 496 alg = LDNS_SIGN_DSA_NSEC3; 497 #else 498 # ifdef STDERR_MSGS 499 fprintf(stderr, "Warning: DSA not compiled into this "); 500 fprintf(stderr, "version of ldns\n"); 501 # endif 502 #endif 503 } 504 if (strncmp(d, "7 RSASHA1", 2) == 0) { 505 alg = LDNS_SIGN_RSASHA1_NSEC3; 506 } 507 508 if (strncmp(d, "8 RSASHA256", 2) == 0) { 509 #ifdef USE_SHA2 510 alg = LDNS_SIGN_RSASHA256; 511 #else 512 # ifdef STDERR_MSGS 513 fprintf(stderr, "Warning: SHA256 not compiled into this "); 514 fprintf(stderr, "version of ldns\n"); 515 # endif 516 #endif 517 } 518 if (strncmp(d, "10 RSASHA512", 3) == 0) { 519 #ifdef USE_SHA2 520 alg = LDNS_SIGN_RSASHA512; 521 #else 522 # ifdef STDERR_MSGS 523 fprintf(stderr, "Warning: SHA512 not compiled into this "); 524 fprintf(stderr, "version of ldns\n"); 525 # endif 526 #endif 527 } 528 if (strncmp(d, "12 ECC-GOST", 3) == 0) { 529 #ifdef USE_GOST 530 alg = LDNS_SIGN_ECC_GOST; 531 #else 532 # ifdef STDERR_MSGS 533 fprintf(stderr, "Warning: ECC-GOST not compiled into this "); 534 fprintf(stderr, "version of ldns, use --enable-gost\n"); 535 # endif 536 #endif 537 } 538 if (strncmp(d, "13 ECDSAP256SHA256", 3) == 0) { 539 #ifdef USE_ECDSA 540 alg = LDNS_SIGN_ECDSAP256SHA256; 541 #else 542 # ifdef STDERR_MSGS 543 fprintf(stderr, "Warning: ECDSA not compiled into this "); 544 fprintf(stderr, "version of ldns, use --enable-ecdsa\n"); 545 # endif 546 #endif 547 } 548 if (strncmp(d, "14 ECDSAP384SHA384", 3) == 0) { 549 #ifdef USE_ECDSA 550 alg = LDNS_SIGN_ECDSAP384SHA384; 551 #else 552 # ifdef STDERR_MSGS 553 fprintf(stderr, "Warning: ECDSA not compiled into this "); 554 fprintf(stderr, "version of ldns, use --enable-ecdsa\n"); 555 # endif 556 #endif 557 } 558 if (strncmp(d, "15 ED25519", 3) == 0) { 559 #ifdef USE_ED25519 560 alg = LDNS_SIGN_ED25519; 561 #else 562 # ifdef STDERR_MSGS 563 fprintf(stderr, "Warning: ED25519 not compiled into this "); 564 fprintf(stderr, "version of ldns, use --enable-ed25519\n"); 565 # endif 566 #endif 567 } 568 if (strncmp(d, "16 ED448", 3) == 0) { 569 #ifdef USE_ED448 570 alg = LDNS_SIGN_ED448; 571 #else 572 # ifdef STDERR_MSGS 573 fprintf(stderr, "Warning: ED448 not compiled into this "); 574 fprintf(stderr, "version of ldns, use --enable-ed448\n"); 575 # endif 576 #endif 577 } 578 if (strncmp(d, "157 HMAC-MD5", 4) == 0) { 579 alg = LDNS_SIGN_HMACMD5; 580 } 581 if (strncmp(d, "158 HMAC-SHA1", 4) == 0) { 582 alg = LDNS_SIGN_HMACSHA1; 583 } 584 if (strncmp(d, "159 HMAC-SHA256", 4) == 0) { 585 alg = LDNS_SIGN_HMACSHA256; 586 } 587 /* For compatibility with dnssec-keygen */ 588 if (strncmp(d, "161 ", 4) == 0) { 589 alg = LDNS_SIGN_HMACSHA1; 590 } 591 if (strncmp(d, "162 HMAC-SHA224", 4) == 0) { 592 alg = LDNS_SIGN_HMACSHA224; 593 } 594 /* For compatibility with dnssec-keygen */ 595 if (strncmp(d, "163 ", 4) == 0) { 596 alg = LDNS_SIGN_HMACSHA256; 597 } 598 if (strncmp(d, "164 HMAC-SHA384", 4) == 0) { 599 alg = LDNS_SIGN_HMACSHA384; 600 } 601 if (strncmp(d, "165 HMAC-SHA512", 4) == 0) { 602 alg = LDNS_SIGN_HMACSHA512; 603 } 604 LDNS_FREE(d); 605 606 switch(alg) { 607 case LDNS_SIGN_RSAMD5: 608 case LDNS_SIGN_RSASHA1: 609 case LDNS_SIGN_RSASHA1_NSEC3: 610 #ifdef USE_SHA2 611 case LDNS_SIGN_RSASHA256: 612 case LDNS_SIGN_RSASHA512: 613 #endif 614 ldns_key_set_algorithm(k, alg); 615 #ifdef HAVE_SSL 616 rsa = ldns_key_new_frm_fp_rsa_l(fp, line_nr); 617 if (!rsa) { 618 ldns_key_free(k); 619 return LDNS_STATUS_ERR; 620 } 621 ldns_key_assign_rsa_key(k, rsa); 622 #endif /* HAVE_SSL */ 623 break; 624 #ifdef USE_DSA 625 case LDNS_SIGN_DSA: 626 case LDNS_SIGN_DSA_NSEC3: 627 ldns_key_set_algorithm(k, alg); 628 #ifdef HAVE_SSL 629 dsa = ldns_key_new_frm_fp_dsa_l(fp, line_nr); 630 if (!dsa) { 631 ldns_key_free(k); 632 return LDNS_STATUS_ERR; 633 } 634 ldns_key_assign_dsa_key(k, dsa); 635 #endif /* HAVE_SSL */ 636 break; 637 #endif /* USE_DSA */ 638 case LDNS_SIGN_HMACMD5: 639 case LDNS_SIGN_HMACSHA1: 640 case LDNS_SIGN_HMACSHA224: 641 case LDNS_SIGN_HMACSHA256: 642 case LDNS_SIGN_HMACSHA384: 643 case LDNS_SIGN_HMACSHA512: 644 ldns_key_set_algorithm(k, alg); 645 #ifdef HAVE_SSL 646 hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size); 647 if (!hmac) { 648 ldns_key_free(k); 649 return LDNS_STATUS_ERR; 650 } 651 ldns_key_set_hmac_size(k, hmac_size); 652 ldns_key_set_hmac_key(k, hmac); 653 #endif /* HAVE_SSL */ 654 break; 655 case LDNS_SIGN_ECC_GOST: 656 ldns_key_set_algorithm(k, alg); 657 #if defined(HAVE_SSL) && defined(USE_GOST) 658 if(!ldns_key_EVP_load_gost_id()) { 659 ldns_key_free(k); 660 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL; 661 } 662 ldns_key_set_evp_key(k, 663 ldns_key_new_frm_fp_gost_l(fp, line_nr)); 664 #ifndef S_SPLINT_S 665 if(!k->_key.key) { 666 ldns_key_free(k); 667 return LDNS_STATUS_ERR; 668 } 669 #endif /* splint */ 670 #endif 671 break; 672 #ifdef USE_ECDSA 673 case LDNS_SIGN_ECDSAP256SHA256: 674 case LDNS_SIGN_ECDSAP384SHA384: 675 ldns_key_set_algorithm(k, alg); 676 ldns_key_set_evp_key(k, 677 ldns_key_new_frm_fp_ecdsa_l(fp, (ldns_algorithm)alg, line_nr)); 678 #ifndef S_SPLINT_S 679 if(!k->_key.key) { 680 ldns_key_free(k); 681 return LDNS_STATUS_ERR; 682 } 683 #endif /* splint */ 684 break; 685 #endif 686 #ifdef USE_ED25519 687 case LDNS_SIGN_ED25519: 688 ldns_key_set_algorithm(k, alg); 689 ldns_key_set_evp_key(k, 690 ldns_key_new_frm_fp_ed25519_l(fp, line_nr)); 691 #ifndef S_SPLINT_S 692 if(!k->_key.key) { 693 ldns_key_free(k); 694 return LDNS_STATUS_ERR; 695 } 696 #endif /* splint */ 697 break; 698 #endif 699 #ifdef USE_ED448 700 case LDNS_SIGN_ED448: 701 ldns_key_set_algorithm(k, alg); 702 ldns_key_set_evp_key(k, 703 ldns_key_new_frm_fp_ed448_l(fp, line_nr)); 704 #ifndef S_SPLINT_S 705 if(!k->_key.key) { 706 ldns_key_free(k); 707 return LDNS_STATUS_ERR; 708 } 709 #endif /* splint */ 710 break; 711 #endif 712 default: 713 ldns_key_free(k); 714 return LDNS_STATUS_SYNTAX_ALG_ERR; 715 } 716 key_rr = ldns_key2rr(k); 717 ldns_key_set_keytag(k, ldns_calc_keytag(key_rr)); 718 ldns_rr_free(key_rr); 719 720 if (key) { 721 *key = k; 722 return LDNS_STATUS_OK; 723 } 724 ldns_key_free(k); 725 return LDNS_STATUS_ERR; 726 } 727 728 #ifdef HAVE_SSL 729 RSA * 730 ldns_key_new_frm_fp_rsa(FILE *f) 731 { 732 return ldns_key_new_frm_fp_rsa_l(f, NULL); 733 } 734 735 RSA * 736 ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) 737 { 738 /* we parse 739 * Modulus: 740 * PublicExponent: 741 * PrivateExponent: 742 * Prime1: 743 * Prime2: 744 * Exponent1: 745 * Exponent2: 746 * Coefficient: 747 * 748 * man 3 RSA: 749 * 750 * struct 751 * { 752 * BIGNUM *n; // public modulus 753 * BIGNUM *e; // public exponent 754 * BIGNUM *d; // private exponent 755 * BIGNUM *p; // secret prime factor 756 * BIGNUM *q; // secret prime factor 757 * BIGNUM *dmp1; // d mod (p-1) 758 * BIGNUM *dmq1; // d mod (q-1) 759 * BIGNUM *iqmp; // q^-1 mod p 760 * // ... 761 * 762 */ 763 char *b; 764 RSA *rsa; 765 uint8_t *buf; 766 int i; 767 BIGNUM *n=NULL, *e=NULL, *d=NULL, *p=NULL, *q=NULL, 768 *dmp1=NULL, *dmq1=NULL, *iqmp=NULL; 769 770 b = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 771 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); 772 rsa = RSA_new(); 773 if (!b || !rsa || !buf) { 774 goto error; 775 } 776 777 /* I could use functions again, but that seems an overkill, 778 * allthough this also looks tedious 779 */ 780 781 /* Modules, rsa->n */ 782 if (ldns_fget_keyword_data_l(f, "Modulus", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 783 goto error; 784 } 785 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 786 #ifndef S_SPLINT_S 787 n = BN_bin2bn((const char unsigned*)buf, i, NULL); 788 if (!n) { 789 goto error; 790 } 791 792 /* PublicExponent, rsa->e */ 793 if (ldns_fget_keyword_data_l(f, "PublicExponent", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 794 goto error; 795 } 796 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 797 e = BN_bin2bn((const char unsigned*)buf, i, NULL); 798 if (!e) { 799 goto error; 800 } 801 802 /* PrivateExponent, rsa->d */ 803 if (ldns_fget_keyword_data_l(f, "PrivateExponent", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 804 goto error; 805 } 806 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 807 d = BN_bin2bn((const char unsigned*)buf, i, NULL); 808 if (!d) { 809 goto error; 810 } 811 812 /* Prime1, rsa->p */ 813 if (ldns_fget_keyword_data_l(f, "Prime1", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 814 goto error; 815 } 816 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 817 p = BN_bin2bn((const char unsigned*)buf, i, NULL); 818 if (!p) { 819 goto error; 820 } 821 822 /* Prime2, rsa->q */ 823 if (ldns_fget_keyword_data_l(f, "Prime2", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 824 goto error; 825 } 826 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 827 q = BN_bin2bn((const char unsigned*)buf, i, NULL); 828 if (!q) { 829 goto error; 830 } 831 832 /* Exponent1, rsa->dmp1 */ 833 if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 834 goto error; 835 } 836 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 837 dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL); 838 if (!dmp1) { 839 goto error; 840 } 841 842 /* Exponent2, rsa->dmq1 */ 843 if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 844 goto error; 845 } 846 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 847 dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL); 848 if (!dmq1) { 849 goto error; 850 } 851 852 /* Coefficient, rsa->iqmp */ 853 if (ldns_fget_keyword_data_l(f, "Coefficient", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 854 goto error; 855 } 856 i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); 857 iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL); 858 if (!iqmp) { 859 goto error; 860 } 861 #endif /* splint */ 862 863 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) 864 # ifndef S_SPLINT_S 865 rsa->n = n; 866 rsa->e = e; 867 rsa->d = d; 868 rsa->p = p; 869 rsa->q = q; 870 rsa->dmp1 = dmp1; 871 rsa->dmq1 = dmq1; 872 rsa->iqmp = iqmp; 873 # endif 874 #else 875 if(!RSA_set0_key(rsa, n, e, d)) 876 goto error; 877 n = NULL; 878 e = NULL; 879 d = NULL; 880 if(!RSA_set0_factors(rsa, p, q)) 881 goto error; 882 p = NULL; 883 q = NULL; 884 if(!RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp)) 885 goto error; 886 #endif 887 888 LDNS_FREE(buf); 889 LDNS_FREE(b); 890 return rsa; 891 892 error: 893 RSA_free(rsa); 894 LDNS_FREE(b); 895 LDNS_FREE(buf); 896 BN_free(n); 897 BN_free(e); 898 BN_free(d); 899 BN_free(p); 900 BN_free(q); 901 BN_free(dmp1); 902 BN_free(dmq1); 903 BN_free(iqmp); 904 return NULL; 905 } 906 907 DSA * 908 ldns_key_new_frm_fp_dsa(FILE *f) 909 { 910 return ldns_key_new_frm_fp_dsa_l(f, NULL); 911 } 912 913 DSA * 914 ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) 915 { 916 int i; 917 char *d; 918 DSA *dsa; 919 uint8_t *buf; 920 BIGNUM *p=NULL, *q=NULL, *g=NULL, *priv_key=NULL, *pub_key=NULL; 921 922 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 923 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); 924 dsa = DSA_new(); 925 if (!d || !dsa || !buf) { 926 goto error; 927 } 928 929 /* the line parser removes the () from the input... */ 930 931 /* Prime, dsa->p */ 932 if (ldns_fget_keyword_data_l(f, "Primep", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 933 goto error; 934 } 935 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 936 #ifndef S_SPLINT_S 937 p = BN_bin2bn((const char unsigned*)buf, i, NULL); 938 if (!p) { 939 goto error; 940 } 941 942 /* Subprime, dsa->q */ 943 if (ldns_fget_keyword_data_l(f, "Subprimeq", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 944 goto error; 945 } 946 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 947 q = BN_bin2bn((const char unsigned*)buf, i, NULL); 948 if (!q) { 949 goto error; 950 } 951 952 /* Base, dsa->g */ 953 if (ldns_fget_keyword_data_l(f, "Baseg", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 954 goto error; 955 } 956 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 957 g = BN_bin2bn((const char unsigned*)buf, i, NULL); 958 if (!g) { 959 goto error; 960 } 961 962 /* Private key, dsa->priv_key */ 963 if (ldns_fget_keyword_data_l(f, "Private_valuex", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 964 goto error; 965 } 966 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 967 priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL); 968 if (!priv_key) { 969 goto error; 970 } 971 972 /* Public key, dsa->priv_key */ 973 if (ldns_fget_keyword_data_l(f, "Public_valuey", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 974 goto error; 975 } 976 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 977 pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL); 978 if (!pub_key) { 979 goto error; 980 } 981 #endif /* splint */ 982 983 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) 984 # ifndef S_SPLINT_S 985 dsa->p = p; 986 dsa->q = q; 987 dsa->g = g; 988 dsa->priv_key = priv_key; 989 dsa->pub_key = pub_key; 990 # endif 991 #else 992 if(!DSA_set0_pqg(dsa, p, q, g)) 993 goto error; 994 p = NULL; 995 q = NULL; 996 g = NULL; 997 if(!DSA_set0_key(dsa, pub_key, priv_key)) 998 goto error; 999 #endif 1000 1001 LDNS_FREE(buf); 1002 LDNS_FREE(d); 1003 1004 return dsa; 1005 1006 error: 1007 LDNS_FREE(d); 1008 LDNS_FREE(buf); 1009 DSA_free(dsa); 1010 BN_free(p); 1011 BN_free(q); 1012 BN_free(g); 1013 BN_free(priv_key); 1014 BN_free(pub_key); 1015 return NULL; 1016 } 1017 1018 unsigned char * 1019 ldns_key_new_frm_fp_hmac(FILE *f, size_t *hmac_size) 1020 { 1021 return ldns_key_new_frm_fp_hmac_l(f, NULL, hmac_size); 1022 } 1023 1024 unsigned char * 1025 ldns_key_new_frm_fp_hmac_l( FILE *f 1026 , ATTR_UNUSED(int *line_nr) 1027 , size_t *hmac_size 1028 ) 1029 { 1030 size_t bufsz; 1031 char d[LDNS_MAX_LINELEN]; 1032 unsigned char *buf = NULL; 1033 1034 *hmac_size = ldns_fget_keyword_data_l(f, "Key", ": ", d, "\n", 1035 LDNS_MAX_LINELEN, line_nr) == -1 1036 ? 0 1037 : (buf = LDNS_XMALLOC( unsigned char, (bufsz = 1038 ldns_b64_ntop_calculate_size(strlen(d))))) == NULL 1039 ? 0 1040 : (size_t) ldns_b64_pton((const char*)d, buf, bufsz); 1041 return buf; 1042 } 1043 #endif /* HAVE_SSL */ 1044 1045 #ifdef USE_GOST 1046 static EVP_PKEY* 1047 ldns_gen_gost_key(void) 1048 { 1049 EVP_PKEY_CTX* ctx; 1050 EVP_PKEY* p = NULL; 1051 int gost_id = ldns_key_EVP_load_gost_id(); 1052 if(!gost_id) 1053 return NULL; 1054 ctx = EVP_PKEY_CTX_new_id(gost_id, NULL); 1055 if(!ctx) { 1056 /* the id should be available now */ 1057 return NULL; 1058 } 1059 if(EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0) { 1060 /* cannot set paramset */ 1061 EVP_PKEY_CTX_free(ctx); 1062 return NULL; 1063 } 1064 1065 if(EVP_PKEY_keygen_init(ctx) <= 0) { 1066 EVP_PKEY_CTX_free(ctx); 1067 return NULL; 1068 } 1069 if(EVP_PKEY_keygen(ctx, &p) <= 0) { 1070 EVP_PKEY_free(p); 1071 EVP_PKEY_CTX_free(ctx); 1072 return NULL; 1073 } 1074 EVP_PKEY_CTX_free(ctx); 1075 return p; 1076 } 1077 #endif 1078 1079 ldns_key * 1080 ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size) 1081 { 1082 ldns_key *k; 1083 #ifdef HAVE_SSL 1084 #ifdef USE_DSA 1085 DSA *d; 1086 #endif /* USE_DSA */ 1087 # ifdef USE_ECDSA 1088 EC_KEY *ec = NULL; 1089 # endif 1090 # ifdef HAVE_EVP_PKEY_KEYGEN 1091 EVP_PKEY_CTX *ctx; 1092 # else 1093 RSA *r; 1094 # endif 1095 #else 1096 int i; 1097 uint16_t offset = 0; 1098 #endif 1099 unsigned char *hmac; 1100 1101 k = ldns_key_new(); 1102 if (!k) { 1103 return NULL; 1104 } 1105 switch(alg) { 1106 case LDNS_SIGN_RSAMD5: 1107 case LDNS_SIGN_RSASHA1: 1108 case LDNS_SIGN_RSASHA1_NSEC3: 1109 case LDNS_SIGN_RSASHA256: 1110 case LDNS_SIGN_RSASHA512: 1111 #ifdef HAVE_SSL 1112 #ifdef HAVE_EVP_PKEY_KEYGEN 1113 ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL); 1114 if(!ctx) { 1115 ldns_key_free(k); 1116 return NULL; 1117 } 1118 if(EVP_PKEY_keygen_init(ctx) <= 0) { 1119 ldns_key_free(k); 1120 EVP_PKEY_CTX_free(ctx); 1121 return NULL; 1122 } 1123 if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, size) <= 0) { 1124 ldns_key_free(k); 1125 EVP_PKEY_CTX_free(ctx); 1126 return NULL; 1127 } 1128 #ifndef S_SPLINT_S 1129 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) { 1130 ldns_key_free(k); 1131 EVP_PKEY_CTX_free(ctx); 1132 return NULL; 1133 } 1134 #endif 1135 EVP_PKEY_CTX_free(ctx); 1136 #else /* HAVE_EVP_PKEY_KEYGEN */ 1137 r = RSA_generate_key((int)size, RSA_F4, NULL, NULL); 1138 if(!r) { 1139 ldns_key_free(k); 1140 return NULL; 1141 } 1142 if (RSA_check_key(r) != 1) { 1143 ldns_key_free(k); 1144 return NULL; 1145 } 1146 ldns_key_set_rsa_key(k, r); 1147 RSA_free(r); 1148 #endif /* HAVE_EVP_PKEY_KEYGEN */ 1149 #endif /* HAVE_SSL */ 1150 break; 1151 case LDNS_SIGN_DSA: 1152 case LDNS_SIGN_DSA_NSEC3: 1153 #ifdef USE_DSA 1154 #ifdef HAVE_SSL 1155 # if OPENSSL_VERSION_NUMBER < 0x00908000L 1156 d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL); 1157 if (!d) { 1158 ldns_key_free(k); 1159 return NULL; 1160 } 1161 1162 # else 1163 if (! (d = DSA_new())) { 1164 ldns_key_free(k); 1165 return NULL; 1166 } 1167 if (! DSA_generate_parameters_ex(d, (int)size, NULL, 0, NULL, NULL, NULL)) { 1168 DSA_free(d); 1169 ldns_key_free(k); 1170 return NULL; 1171 } 1172 # endif 1173 if (DSA_generate_key(d) != 1) { 1174 ldns_key_free(k); 1175 return NULL; 1176 } 1177 ldns_key_set_dsa_key(k, d); 1178 DSA_free(d); 1179 #endif /* HAVE_SSL */ 1180 #endif /* USE_DSA */ 1181 break; 1182 case LDNS_SIGN_HMACMD5: 1183 case LDNS_SIGN_HMACSHA1: 1184 case LDNS_SIGN_HMACSHA224: 1185 case LDNS_SIGN_HMACSHA256: 1186 case LDNS_SIGN_HMACSHA384: 1187 case LDNS_SIGN_HMACSHA512: 1188 #ifdef HAVE_SSL 1189 #ifndef S_SPLINT_S 1190 k->_key.key = NULL; 1191 #endif /* splint */ 1192 #endif /* HAVE_SSL */ 1193 size = size / 8; 1194 ldns_key_set_hmac_size(k, size); 1195 1196 hmac = LDNS_XMALLOC(unsigned char, size); 1197 if(!hmac) { 1198 ldns_key_free(k); 1199 return NULL; 1200 } 1201 #ifdef HAVE_SSL 1202 if (RAND_bytes(hmac, (int) size) != 1) { 1203 LDNS_FREE(hmac); 1204 ldns_key_free(k); 1205 return NULL; 1206 } 1207 #else 1208 while (offset + sizeof(i) < size) { 1209 i = random(); 1210 memcpy(&hmac[offset], &i, sizeof(i)); 1211 offset += sizeof(i); 1212 } 1213 if (offset < size) { 1214 i = random(); 1215 memcpy(&hmac[offset], &i, size - offset); 1216 } 1217 #endif /* HAVE_SSL */ 1218 ldns_key_set_hmac_key(k, hmac); 1219 1220 ldns_key_set_flags(k, 0); 1221 break; 1222 case LDNS_SIGN_ECC_GOST: 1223 #if defined(HAVE_SSL) && defined(USE_GOST) 1224 ldns_key_set_evp_key(k, ldns_gen_gost_key()); 1225 #ifndef S_SPLINT_S 1226 if(!k->_key.key) { 1227 ldns_key_free(k); 1228 return NULL; 1229 } 1230 #endif /* splint */ 1231 #else 1232 ldns_key_free(k); 1233 return NULL; 1234 #endif /* HAVE_SSL and USE_GOST */ 1235 break; 1236 case LDNS_SIGN_ECDSAP256SHA256: 1237 case LDNS_SIGN_ECDSAP384SHA384: 1238 #ifdef USE_ECDSA 1239 if(alg == LDNS_SIGN_ECDSAP256SHA256) 1240 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 1241 else if(alg == LDNS_SIGN_ECDSAP384SHA384) 1242 ec = EC_KEY_new_by_curve_name(NID_secp384r1); 1243 if(!ec) { 1244 ldns_key_free(k); 1245 return NULL; 1246 } 1247 if(!EC_KEY_generate_key(ec)) { 1248 ldns_key_free(k); 1249 EC_KEY_free(ec); 1250 return NULL; 1251 } 1252 #ifndef S_SPLINT_S 1253 k->_key.key = EVP_PKEY_new(); 1254 if(!k->_key.key) { 1255 ldns_key_free(k); 1256 EC_KEY_free(ec); 1257 return NULL; 1258 } 1259 if (!EVP_PKEY_assign_EC_KEY(k->_key.key, ec)) { 1260 ldns_key_free(k); 1261 EC_KEY_free(ec); 1262 return NULL; 1263 } 1264 #endif /* splint */ 1265 #else 1266 ldns_key_free(k); 1267 return NULL; 1268 #endif /* ECDSA */ 1269 break; 1270 #ifdef USE_ED25519 1271 case LDNS_SIGN_ED25519: 1272 #ifdef HAVE_EVP_PKEY_KEYGEN 1273 ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL); 1274 if(!ctx) { 1275 ldns_key_free(k); 1276 return NULL; 1277 } 1278 if(EVP_PKEY_keygen_init(ctx) <= 0) { 1279 ldns_key_free(k); 1280 EVP_PKEY_CTX_free(ctx); 1281 return NULL; 1282 } 1283 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) { 1284 ldns_key_free(k); 1285 EVP_PKEY_CTX_free(ctx); 1286 return NULL; 1287 } 1288 EVP_PKEY_CTX_free(ctx); 1289 #endif 1290 break; 1291 #endif /* ED25519 */ 1292 #ifdef USE_ED448 1293 case LDNS_SIGN_ED448: 1294 #ifdef HAVE_EVP_PKEY_KEYGEN 1295 ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL); 1296 if(!ctx) { 1297 ldns_key_free(k); 1298 return NULL; 1299 } 1300 if(EVP_PKEY_keygen_init(ctx) <= 0) { 1301 ldns_key_free(k); 1302 EVP_PKEY_CTX_free(ctx); 1303 return NULL; 1304 } 1305 if (EVP_PKEY_keygen(ctx, &k->_key.key) <= 0) { 1306 ldns_key_free(k); 1307 EVP_PKEY_CTX_free(ctx); 1308 return NULL; 1309 } 1310 EVP_PKEY_CTX_free(ctx); 1311 #endif 1312 break; 1313 #endif /* ED448 */ 1314 } 1315 ldns_key_set_algorithm(k, alg); 1316 return k; 1317 } 1318 1319 void 1320 ldns_key_print(FILE *output, const ldns_key *k) 1321 { 1322 char *str = ldns_key2str(k); 1323 if (str) { 1324 fprintf(output, "%s", str); 1325 } else { 1326 fprintf(output, "Unable to convert private key to string\n"); 1327 } 1328 LDNS_FREE(str); 1329 } 1330 1331 1332 void 1333 ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l) 1334 { 1335 k->_alg = l; 1336 } 1337 1338 void 1339 ldns_key_set_flags(ldns_key *k, uint16_t f) 1340 { 1341 k->_extra.dnssec.flags = f; 1342 } 1343 1344 #ifdef HAVE_SSL 1345 #ifndef S_SPLINT_S 1346 void 1347 ldns_key_set_evp_key(ldns_key *k, EVP_PKEY *e) 1348 { 1349 k->_key.key = e; 1350 } 1351 1352 void 1353 ldns_key_set_rsa_key(ldns_key *k, RSA *r) 1354 { 1355 EVP_PKEY *key = EVP_PKEY_new(); 1356 EVP_PKEY_set1_RSA(key, r); 1357 k->_key.key = key; 1358 } 1359 1360 void 1361 ldns_key_set_dsa_key(ldns_key *k, DSA *d) 1362 { 1363 #ifdef USE_DSA 1364 EVP_PKEY *key = EVP_PKEY_new(); 1365 EVP_PKEY_set1_DSA(key, d); 1366 k->_key.key = key; 1367 #else 1368 (void)k; (void)d; 1369 #endif 1370 } 1371 1372 void 1373 ldns_key_assign_rsa_key(ldns_key *k, RSA *r) 1374 { 1375 EVP_PKEY *key = EVP_PKEY_new(); 1376 EVP_PKEY_assign_RSA(key, r); 1377 k->_key.key = key; 1378 } 1379 1380 void 1381 ldns_key_assign_dsa_key(ldns_key *k, DSA *d) 1382 { 1383 #ifdef USE_DSA 1384 EVP_PKEY *key = EVP_PKEY_new(); 1385 EVP_PKEY_assign_DSA(key, d); 1386 k->_key.key = key; 1387 #else 1388 (void)k; (void)d; 1389 #endif 1390 } 1391 #endif /* splint */ 1392 #endif /* HAVE_SSL */ 1393 1394 void 1395 ldns_key_set_hmac_key(ldns_key *k, unsigned char *hmac) 1396 { 1397 k->_key.hmac.key = hmac; 1398 } 1399 1400 void 1401 ldns_key_set_hmac_size(ldns_key *k, size_t hmac_size) 1402 { 1403 k->_key.hmac.size = hmac_size; 1404 } 1405 1406 void 1407 ldns_key_set_external_key(ldns_key *k, void *external_key) 1408 { 1409 k->_key.external_key = external_key; 1410 } 1411 1412 void 1413 ldns_key_set_origttl(ldns_key *k, uint32_t t) 1414 { 1415 k->_extra.dnssec.orig_ttl = t; 1416 } 1417 1418 void 1419 ldns_key_set_inception(ldns_key *k, uint32_t i) 1420 { 1421 k->_extra.dnssec.inception = i; 1422 } 1423 1424 void 1425 ldns_key_set_expiration(ldns_key *k, uint32_t e) 1426 { 1427 k->_extra.dnssec.expiration = e; 1428 } 1429 1430 void 1431 ldns_key_set_pubkey_owner(ldns_key *k, ldns_rdf *r) 1432 { 1433 k->_pubkey_owner = r; 1434 } 1435 1436 void 1437 ldns_key_set_keytag(ldns_key *k, uint16_t tag) 1438 { 1439 k->_extra.dnssec.keytag = tag; 1440 } 1441 1442 /* read */ 1443 size_t 1444 ldns_key_list_key_count(const ldns_key_list *key_list) 1445 { 1446 return key_list->_key_count; 1447 } 1448 1449 ldns_key * 1450 ldns_key_list_key(const ldns_key_list *key, size_t nr) 1451 { 1452 if (nr < ldns_key_list_key_count(key)) { 1453 return key->_keys[nr]; 1454 } else { 1455 return NULL; 1456 } 1457 } 1458 1459 ldns_signing_algorithm 1460 ldns_key_algorithm(const ldns_key *k) 1461 { 1462 return k->_alg; 1463 } 1464 1465 void 1466 ldns_key_set_use(ldns_key *k, bool v) 1467 { 1468 if (k) { 1469 k->_use = v; 1470 } 1471 } 1472 1473 bool 1474 ldns_key_use(const ldns_key *k) 1475 { 1476 if (k) { 1477 return k->_use; 1478 } 1479 return false; 1480 } 1481 1482 #ifdef HAVE_SSL 1483 #ifndef S_SPLINT_S 1484 EVP_PKEY * 1485 ldns_key_evp_key(const ldns_key *k) 1486 { 1487 return k->_key.key; 1488 } 1489 1490 RSA * 1491 ldns_key_rsa_key(const ldns_key *k) 1492 { 1493 if (k->_key.key) { 1494 return EVP_PKEY_get1_RSA(k->_key.key); 1495 } else { 1496 return NULL; 1497 } 1498 } 1499 1500 DSA * 1501 ldns_key_dsa_key(const ldns_key *k) 1502 { 1503 #ifdef USE_DSA 1504 if (k->_key.key) { 1505 return EVP_PKEY_get1_DSA(k->_key.key); 1506 } else { 1507 return NULL; 1508 } 1509 #else 1510 (void)k; 1511 return NULL; 1512 #endif 1513 } 1514 #endif /* splint */ 1515 #endif /* HAVE_SSL */ 1516 1517 unsigned char * 1518 ldns_key_hmac_key(const ldns_key *k) 1519 { 1520 if (k->_key.hmac.key) { 1521 return k->_key.hmac.key; 1522 } else { 1523 return NULL; 1524 } 1525 } 1526 1527 size_t 1528 ldns_key_hmac_size(const ldns_key *k) 1529 { 1530 if (k->_key.hmac.size) { 1531 return k->_key.hmac.size; 1532 } else { 1533 return 0; 1534 } 1535 } 1536 1537 void * 1538 ldns_key_external_key(const ldns_key *k) 1539 { 1540 return k->_key.external_key; 1541 } 1542 1543 uint32_t 1544 ldns_key_origttl(const ldns_key *k) 1545 { 1546 return k->_extra.dnssec.orig_ttl; 1547 } 1548 1549 uint16_t 1550 ldns_key_flags(const ldns_key *k) 1551 { 1552 return k->_extra.dnssec.flags; 1553 } 1554 1555 uint32_t 1556 ldns_key_inception(const ldns_key *k) 1557 { 1558 return k->_extra.dnssec.inception; 1559 } 1560 1561 uint32_t 1562 ldns_key_expiration(const ldns_key *k) 1563 { 1564 return k->_extra.dnssec.expiration; 1565 } 1566 1567 uint16_t 1568 ldns_key_keytag(const ldns_key *k) 1569 { 1570 return k->_extra.dnssec.keytag; 1571 } 1572 1573 ldns_rdf * 1574 ldns_key_pubkey_owner(const ldns_key *k) 1575 { 1576 return k->_pubkey_owner; 1577 } 1578 1579 /* write */ 1580 void 1581 ldns_key_list_set_use(ldns_key_list *keys, bool v) 1582 { 1583 size_t i; 1584 1585 for (i = 0; i < ldns_key_list_key_count(keys); i++) { 1586 ldns_key_set_use(ldns_key_list_key(keys, i), v); 1587 } 1588 } 1589 1590 void 1591 ldns_key_list_set_key_count(ldns_key_list *key, size_t count) 1592 { 1593 key->_key_count = count; 1594 } 1595 1596 bool 1597 ldns_key_list_push_key(ldns_key_list *key_list, ldns_key *key) 1598 { 1599 size_t key_count; 1600 ldns_key **keys; 1601 1602 key_count = ldns_key_list_key_count(key_list); 1603 1604 /* grow the array */ 1605 keys = LDNS_XREALLOC( 1606 key_list->_keys, ldns_key *, key_count + 1); 1607 if (!keys) { 1608 return false; 1609 } 1610 1611 /* add the new member */ 1612 key_list->_keys = keys; 1613 key_list->_keys[key_count] = key; 1614 1615 ldns_key_list_set_key_count(key_list, key_count + 1); 1616 return true; 1617 } 1618 1619 ldns_key * 1620 ldns_key_list_pop_key(ldns_key_list *key_list) 1621 { 1622 size_t key_count; 1623 ldns_key** a; 1624 ldns_key *pop; 1625 1626 if (!key_list) { 1627 return NULL; 1628 } 1629 1630 key_count = ldns_key_list_key_count(key_list); 1631 if (key_count == 0) { 1632 return NULL; 1633 } 1634 1635 pop = ldns_key_list_key(key_list, key_count); 1636 1637 /* shrink the array */ 1638 a = LDNS_XREALLOC(key_list->_keys, ldns_key *, key_count - 1); 1639 if(a) { 1640 key_list->_keys = a; 1641 } 1642 1643 ldns_key_list_set_key_count(key_list, key_count - 1); 1644 1645 return pop; 1646 } 1647 1648 #ifdef HAVE_SSL 1649 #ifndef S_SPLINT_S 1650 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */ 1651 static bool 1652 ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size) 1653 { 1654 int i,j; 1655 const BIGNUM *n=NULL, *e=NULL; 1656 1657 if (!k) { 1658 return false; 1659 } 1660 #if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) 1661 n = k->n; 1662 e = k->e; 1663 #else 1664 RSA_get0_key(k, &n, &e, NULL); 1665 #endif 1666 1667 if (BN_num_bytes(e) <= 256) { 1668 /* normally only this path is executed (small factors are 1669 * more common 1670 */ 1671 data[0] = (unsigned char) BN_num_bytes(e); 1672 i = BN_bn2bin(e, data + 1); 1673 j = BN_bn2bin(n, data + i + 1); 1674 *size = (uint16_t) i + j; 1675 } else if (BN_num_bytes(e) <= 65536) { 1676 data[0] = 0; 1677 /* BN_bn2bin does bigendian, _uint16 also */ 1678 ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(e)); 1679 1680 BN_bn2bin(e, data + 3); 1681 BN_bn2bin(n, data + 4 + BN_num_bytes(e)); 1682 *size = (uint16_t) BN_num_bytes(n) + 6; 1683 } else { 1684 return false; 1685 } 1686 return true; 1687 } 1688 1689 #ifdef USE_DSA 1690 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */ 1691 static bool 1692 ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size) 1693 { 1694 uint8_t T; 1695 const BIGNUM *p, *q, *g; 1696 const BIGNUM *pub_key, *priv_key; 1697 1698 if (!k) { 1699 return false; 1700 } 1701 1702 /* See RFC2536 */ 1703 # ifdef HAVE_DSA_GET0_PQG 1704 DSA_get0_pqg(k, &p, &q, &g); 1705 # else 1706 p = k->p; q = k->q; g = k->g; 1707 # endif 1708 # ifdef HAVE_DSA_GET0_KEY 1709 DSA_get0_key(k, &pub_key, &priv_key); 1710 # else 1711 pub_key = k->pub_key; priv_key = k->priv_key; 1712 # endif 1713 (void)priv_key; 1714 *size = (uint16_t)BN_num_bytes(p); 1715 T = (*size - 64) / 8; 1716 1717 if (T > 8) { 1718 #ifdef STDERR_MSGS 1719 fprintf(stderr, "DSA key with T > 8 (ie. > 1024 bits)"); 1720 fprintf(stderr, " not implemented\n"); 1721 #endif 1722 return false; 1723 } 1724 1725 /* size = 64 + (T * 8); */ 1726 memset(data, 0, 21 + *size * 3); 1727 data[0] = (unsigned char)T; 1728 BN_bn2bin(q, data + 1 ); /* 20 octects */ 1729 BN_bn2bin(p, data + 21 ); /* offset octects */ 1730 BN_bn2bin(g, data + 21 + *size * 2 - BN_num_bytes(g)); 1731 BN_bn2bin(pub_key,data + 21 + *size * 3 - BN_num_bytes(pub_key)); 1732 *size = 21 + *size * 3; 1733 return true; 1734 } 1735 #endif /* USE_DSA */ 1736 1737 #ifdef USE_GOST 1738 static bool 1739 ldns_key_gost2bin(unsigned char* data, EVP_PKEY* k, uint16_t* size) 1740 { 1741 int i; 1742 unsigned char* pp = NULL; 1743 if(i2d_PUBKEY(k, &pp) != 37 + 64) { 1744 /* expect 37 byte(ASN header) and 64 byte(X and Y) */ 1745 free(pp); 1746 return false; 1747 } 1748 /* omit ASN header */ 1749 for(i=0; i<64; i++) 1750 data[i] = pp[i+37]; 1751 free(pp); 1752 *size = 64; 1753 return true; 1754 } 1755 #endif /* USE_GOST */ 1756 1757 #ifdef USE_ED25519 1758 static bool 1759 ldns_key_ed255192bin(unsigned char* data, EVP_PKEY* k, uint16_t* size) 1760 { 1761 int i; 1762 unsigned char* pp = NULL; 1763 if(i2d_PUBKEY(k, &pp) != 12 + 32) { 1764 /* expect 12 byte(ASN header) and 32 byte(pubkey) */ 1765 free(pp); 1766 return false; 1767 } 1768 /* omit ASN header */ 1769 for(i=0; i<32; i++) 1770 data[i] = pp[i+12]; 1771 free(pp); 1772 *size = 32; 1773 return true; 1774 } 1775 #endif /* USE_ED25519 */ 1776 1777 #ifdef USE_ED448 1778 static bool 1779 ldns_key_ed4482bin(unsigned char* data, EVP_PKEY* k, uint16_t* size) 1780 { 1781 int i; 1782 unsigned char* pp = NULL; 1783 if(i2d_PUBKEY(k, &pp) != 12 + 57) { 1784 /* expect 12 byte(ASN header) and 57 byte(pubkey) */ 1785 free(pp); 1786 return false; 1787 } 1788 /* omit ASN header */ 1789 for(i=0; i<57; i++) 1790 data[i] = pp[i+12]; 1791 free(pp); 1792 *size = 57; 1793 return true; 1794 } 1795 #endif /* USE_ED448 */ 1796 #endif /* splint */ 1797 #endif /* HAVE_SSL */ 1798 1799 ldns_rr * 1800 ldns_key2rr(const ldns_key *k) 1801 { 1802 /* this function will convert a the keydata contained in 1803 * rsa/dsa pointers to a DNSKEY rr. It will fill in as 1804 * much as it can, but it does not know about key-flags 1805 * for instance 1806 */ 1807 ldns_rr *pubkey; 1808 ldns_rdf *keybin; 1809 unsigned char *bin = NULL; 1810 uint16_t size = 0; 1811 #ifdef HAVE_SSL 1812 RSA *rsa = NULL; 1813 #ifdef USE_DSA 1814 DSA *dsa = NULL; 1815 #endif /* USE_DSA */ 1816 #endif /* HAVE_SSL */ 1817 #ifdef USE_ECDSA 1818 EC_KEY* ec; 1819 #endif 1820 int internal_data = 0; 1821 1822 if (!k) { 1823 return NULL; 1824 } 1825 pubkey = ldns_rr_new(); 1826 1827 switch (ldns_key_algorithm(k)) { 1828 case LDNS_SIGN_HMACMD5: 1829 case LDNS_SIGN_HMACSHA1: 1830 case LDNS_SIGN_HMACSHA224: 1831 case LDNS_SIGN_HMACSHA256: 1832 case LDNS_SIGN_HMACSHA384: 1833 case LDNS_SIGN_HMACSHA512: 1834 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY); 1835 break; 1836 default: 1837 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_DNSKEY); 1838 break; 1839 } 1840 /* zero-th rdf - flags */ 1841 ldns_rr_push_rdf(pubkey, 1842 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 1843 ldns_key_flags(k))); 1844 /* first - proto */ 1845 ldns_rr_push_rdf(pubkey, 1846 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, LDNS_DNSSEC_KEYPROTO)); 1847 1848 if (ldns_key_pubkey_owner(k)) { 1849 ldns_rr_set_owner(pubkey, ldns_rdf_clone(ldns_key_pubkey_owner(k))); 1850 } 1851 1852 /* third - da algorithm */ 1853 switch(ldns_key_algorithm(k)) { 1854 case LDNS_SIGN_RSAMD5: 1855 case LDNS_SIGN_RSASHA1: 1856 case LDNS_SIGN_RSASHA1_NSEC3: 1857 case LDNS_SIGN_RSASHA256: 1858 case LDNS_SIGN_RSASHA512: 1859 ldns_rr_push_rdf(pubkey, 1860 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1861 #ifdef HAVE_SSL 1862 rsa = ldns_key_rsa_key(k); 1863 if (rsa) { 1864 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1865 if (!bin) { 1866 ldns_rr_free(pubkey); 1867 return NULL; 1868 } 1869 if (!ldns_key_rsa2bin(bin, rsa, &size)) { 1870 LDNS_FREE(bin); 1871 ldns_rr_free(pubkey); 1872 return NULL; 1873 } 1874 RSA_free(rsa); 1875 internal_data = 1; 1876 } 1877 #endif 1878 size++; 1879 break; 1880 case LDNS_SIGN_DSA: 1881 ldns_rr_push_rdf(pubkey, 1882 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA)); 1883 #ifdef USE_DSA 1884 #ifdef HAVE_SSL 1885 dsa = ldns_key_dsa_key(k); 1886 if (dsa) { 1887 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1888 if (!bin) { 1889 ldns_rr_free(pubkey); 1890 return NULL; 1891 } 1892 if (!ldns_key_dsa2bin(bin, dsa, &size)) { 1893 LDNS_FREE(bin); 1894 ldns_rr_free(pubkey); 1895 return NULL; 1896 } 1897 DSA_free(dsa); 1898 internal_data = 1; 1899 } 1900 #endif /* HAVE_SSL */ 1901 #endif /* USE_DSA */ 1902 break; 1903 case LDNS_SIGN_DSA_NSEC3: 1904 ldns_rr_push_rdf(pubkey, 1905 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA_NSEC3)); 1906 #ifdef USE_DSA 1907 #ifdef HAVE_SSL 1908 dsa = ldns_key_dsa_key(k); 1909 if (dsa) { 1910 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1911 if (!bin) { 1912 ldns_rr_free(pubkey); 1913 return NULL; 1914 } 1915 if (!ldns_key_dsa2bin(bin, dsa, &size)) { 1916 LDNS_FREE(bin); 1917 ldns_rr_free(pubkey); 1918 return NULL; 1919 } 1920 DSA_free(dsa); 1921 internal_data = 1; 1922 } 1923 #endif /* HAVE_SSL */ 1924 #endif /* USE_DSA */ 1925 break; 1926 case LDNS_SIGN_ECC_GOST: 1927 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 1928 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1929 #if defined(HAVE_SSL) && defined(USE_GOST) 1930 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1931 if (!bin) { 1932 ldns_rr_free(pubkey); 1933 return NULL; 1934 } 1935 #ifndef S_SPLINT_S 1936 if (!ldns_key_gost2bin(bin, k->_key.key, &size)) { 1937 LDNS_FREE(bin); 1938 ldns_rr_free(pubkey); 1939 return NULL; 1940 } 1941 #endif /* splint */ 1942 internal_data = 1; 1943 #else 1944 ldns_rr_free(pubkey); 1945 return NULL; 1946 #endif /* HAVE_SSL and USE_GOST */ 1947 break; 1948 case LDNS_SIGN_ECDSAP256SHA256: 1949 case LDNS_SIGN_ECDSAP384SHA384: 1950 #ifdef USE_ECDSA 1951 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 1952 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1953 bin = NULL; 1954 #ifndef S_SPLINT_S 1955 ec = EVP_PKEY_get1_EC_KEY(k->_key.key); 1956 #endif 1957 EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED); 1958 size = (uint16_t)i2o_ECPublicKey(ec, NULL); 1959 if(!i2o_ECPublicKey(ec, &bin)) { 1960 EC_KEY_free(ec); 1961 ldns_rr_free(pubkey); 1962 return NULL; 1963 } 1964 if(size > 1) { 1965 /* move back one byte to shave off the 0x02 1966 * 'uncompressed' indicator that openssl made 1967 * Actually its 0x04 (from implementation). 1968 */ 1969 assert(bin[0] == POINT_CONVERSION_UNCOMPRESSED); 1970 size -= 1; 1971 memmove(bin, bin+1, size); 1972 } 1973 /* down the reference count for ec, its still assigned 1974 * to the pkey */ 1975 EC_KEY_free(ec); 1976 internal_data = 1; 1977 #else 1978 ldns_rr_free(pubkey); 1979 return NULL; 1980 #endif /* ECDSA */ 1981 break; 1982 #ifdef USE_ED25519 1983 case LDNS_SIGN_ED25519: 1984 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 1985 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1986 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1987 if (!bin) { 1988 ldns_rr_free(pubkey); 1989 return NULL; 1990 } 1991 if (!ldns_key_ed255192bin(bin, k->_key.key, &size)) { 1992 LDNS_FREE(bin); 1993 ldns_rr_free(pubkey); 1994 return NULL; 1995 } 1996 internal_data = 1; 1997 break; 1998 #endif 1999 #ifdef USE_ED448 2000 case LDNS_SIGN_ED448: 2001 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 2002 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 2003 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 2004 if (!bin) { 2005 ldns_rr_free(pubkey); 2006 return NULL; 2007 } 2008 if (!ldns_key_ed4482bin(bin, k->_key.key, &size)) { 2009 LDNS_FREE(bin); 2010 ldns_rr_free(pubkey); 2011 return NULL; 2012 } 2013 internal_data = 1; 2014 break; 2015 #endif 2016 case LDNS_SIGN_HMACMD5: 2017 case LDNS_SIGN_HMACSHA1: 2018 case LDNS_SIGN_HMACSHA224: 2019 case LDNS_SIGN_HMACSHA256: 2020 case LDNS_SIGN_HMACSHA384: 2021 case LDNS_SIGN_HMACSHA512: 2022 bin = LDNS_XMALLOC(unsigned char, ldns_key_hmac_size(k)); 2023 if (!bin) { 2024 ldns_rr_free(pubkey); 2025 return NULL; 2026 } 2027 ldns_rr_push_rdf(pubkey, 2028 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, 2029 ldns_key_algorithm(k))); 2030 size = ldns_key_hmac_size(k); 2031 memcpy(bin, ldns_key_hmac_key(k), size); 2032 internal_data = 1; 2033 break; 2034 } 2035 /* fourth the key bin material */ 2036 if (internal_data) { 2037 keybin = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, size, bin); 2038 LDNS_FREE(bin); 2039 ldns_rr_push_rdf(pubkey, keybin); 2040 } 2041 return pubkey; 2042 } 2043 2044 void 2045 ldns_key_free(ldns_key *key) 2046 { 2047 LDNS_FREE(key); 2048 } 2049 2050 void 2051 ldns_key_deep_free(ldns_key *key) 2052 { 2053 unsigned char* hmac; 2054 if (ldns_key_pubkey_owner(key)) { 2055 ldns_rdf_deep_free(ldns_key_pubkey_owner(key)); 2056 } 2057 #ifdef HAVE_SSL 2058 if (ldns_key_evp_key(key)) { 2059 EVP_PKEY_free(ldns_key_evp_key(key)); 2060 } 2061 #endif /* HAVE_SSL */ 2062 if (ldns_key_hmac_key(key)) { 2063 hmac = ldns_key_hmac_key(key); 2064 LDNS_FREE(hmac); 2065 } 2066 LDNS_FREE(key); 2067 } 2068 2069 void 2070 ldns_key_list_free(ldns_key_list *key_list) 2071 { 2072 size_t i; 2073 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 2074 ldns_key_deep_free(ldns_key_list_key(key_list, i)); 2075 } 2076 LDNS_FREE(key_list->_keys); 2077 LDNS_FREE(key_list); 2078 } 2079 2080 ldns_rr * 2081 ldns_read_anchor_file(const char *filename) 2082 { 2083 FILE *fp; 2084 /*char line[LDNS_MAX_PACKETLEN];*/ 2085 char *line = LDNS_XMALLOC(char, LDNS_MAX_PACKETLEN); 2086 int c; 2087 size_t i = 0; 2088 ldns_rr *r; 2089 ldns_status status; 2090 if(!line) { 2091 return NULL; 2092 } 2093 2094 fp = fopen(filename, "r"); 2095 if (!fp) { 2096 #ifdef STDERR_MSGS 2097 fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); 2098 #endif 2099 LDNS_FREE(line); 2100 return NULL; 2101 } 2102 2103 while ((c = fgetc(fp)) && i+1 < LDNS_MAX_PACKETLEN && c != EOF) { 2104 line[i] = c; 2105 i++; 2106 } 2107 line[i] = '\0'; 2108 2109 fclose(fp); 2110 2111 if (i <= 0) { 2112 #ifdef STDERR_MSGS 2113 fprintf(stderr, "nothing read from %s", filename); 2114 #endif 2115 LDNS_FREE(line); 2116 return NULL; 2117 } else { 2118 status = ldns_rr_new_frm_str(&r, line, 0, NULL, NULL); 2119 if (status == LDNS_STATUS_OK && (ldns_rr_get_type(r) == LDNS_RR_TYPE_DNSKEY || ldns_rr_get_type(r) == LDNS_RR_TYPE_DS)) { 2120 LDNS_FREE(line); 2121 return r; 2122 } else { 2123 #ifdef STDERR_MSGS 2124 fprintf(stderr, "Error creating DNSKEY or DS rr from %s: %s\n", filename, ldns_get_errorstr_by_id(status)); 2125 #endif 2126 LDNS_FREE(line); 2127 return NULL; 2128 } 2129 } 2130 } 2131 2132 char * 2133 ldns_key_get_file_base_name(const ldns_key *key) 2134 { 2135 ldns_buffer *buffer; 2136 char *file_base_name; 2137 2138 buffer = ldns_buffer_new(255); 2139 ldns_buffer_printf(buffer, "K"); 2140 (void)ldns_rdf2buffer_str_dname(buffer, ldns_key_pubkey_owner(key)); 2141 ldns_buffer_printf(buffer, 2142 "+%03u+%05u", 2143 ldns_key_algorithm(key), 2144 ldns_key_keytag(key)); 2145 file_base_name = ldns_buffer_export(buffer); 2146 ldns_buffer_free(buffer); 2147 return file_base_name; 2148 } 2149 2150 int ldns_key_algo_supported(int algo) 2151 { 2152 ldns_lookup_table *lt = ldns_signing_algorithms; 2153 while(lt->name) { 2154 if(lt->id == algo) 2155 return 1; 2156 lt++; 2157 } 2158 return 0; 2159 } 2160 2161 ldns_signing_algorithm ldns_get_signing_algorithm_by_name(const char* name) 2162 { 2163 /* list of (signing algorithm id, alias_name) */ 2164 ldns_lookup_table aliases[] = { 2165 /* from bind dnssec-keygen */ 2166 {LDNS_SIGN_HMACMD5, "HMAC-MD5"}, 2167 {LDNS_SIGN_DSA_NSEC3, "NSEC3DSA"}, 2168 {LDNS_SIGN_RSASHA1_NSEC3, "NSEC3RSASHA1"}, 2169 /* old ldns usage, now RFC names */ 2170 #ifdef USE_DSA 2171 {LDNS_SIGN_DSA_NSEC3, "DSA_NSEC3" }, 2172 #endif 2173 {LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1_NSEC3" }, 2174 #ifdef USE_GOST 2175 {LDNS_SIGN_ECC_GOST, "GOST"}, 2176 #endif 2177 /* compat with possible output */ 2178 {LDNS_DH, "DH"}, 2179 {LDNS_ECC, "ECC"}, 2180 {LDNS_INDIRECT, "INDIRECT"}, 2181 {LDNS_PRIVATEDNS, "PRIVATEDNS"}, 2182 {LDNS_PRIVATEOID, "PRIVATEOID"}, 2183 {0, NULL}}; 2184 ldns_lookup_table* lt = ldns_signing_algorithms; 2185 ldns_signing_algorithm a; 2186 char *endptr; 2187 2188 while(lt->name) { 2189 if(strcasecmp(lt->name, name) == 0) 2190 return lt->id; 2191 lt++; 2192 } 2193 lt = aliases; 2194 while(lt->name) { 2195 if(strcasecmp(lt->name, name) == 0) 2196 return lt->id; 2197 lt++; 2198 } 2199 a = strtol(name, &endptr, 10); 2200 if (*name && !*endptr) 2201 return a; 2202 2203 return 0; 2204 } 2205