1 /* 2 * keys.c handle private keys for use in DNSSEC 3 * 4 * This module should hide some of the openSSL complexities 5 * and give a general interface for private keys and hmac 6 * handling 7 * 8 * (c) NLnet Labs, 2004-2006 9 * 10 * See the file LICENSE for the license 11 */ 12 13 #include <ldns/config.h> 14 15 #include <ldns/ldns.h> 16 17 #ifdef HAVE_SSL 18 #include <openssl/ssl.h> 19 #include <openssl/engine.h> 20 #include <openssl/rand.h> 21 #endif /* HAVE_SSL */ 22 23 ldns_lookup_table ldns_signing_algorithms[] = { 24 { LDNS_SIGN_RSAMD5, "RSAMD5" }, 25 { LDNS_SIGN_RSASHA1, "RSASHA1" }, 26 { LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1-NSEC3-SHA1" }, 27 #ifdef USE_SHA2 28 { LDNS_SIGN_RSASHA256, "RSASHA256" }, 29 { LDNS_SIGN_RSASHA512, "RSASHA512" }, 30 #endif 31 #ifdef USE_GOST 32 { LDNS_SIGN_ECC_GOST, "ECC-GOST" }, 33 #endif 34 #ifdef USE_ECDSA 35 { LDNS_SIGN_ECDSAP256SHA256, "ECDSAP256SHA256" }, 36 { LDNS_SIGN_ECDSAP384SHA384, "ECDSAP384SHA384" }, 37 #endif 38 { LDNS_SIGN_DSA, "DSA" }, 39 { LDNS_SIGN_DSA_NSEC3, "DSA-NSEC3-SHA1" }, 40 { LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" }, 41 { LDNS_SIGN_HMACSHA1, "hmac-sha1" }, 42 { LDNS_SIGN_HMACSHA256, "hmac-sha256" }, 43 { 0, NULL } 44 }; 45 46 ldns_key_list * 47 ldns_key_list_new() 48 { 49 ldns_key_list *key_list = LDNS_MALLOC(ldns_key_list); 50 if (!key_list) { 51 return NULL; 52 } else { 53 key_list->_key_count = 0; 54 key_list->_keys = NULL; 55 return key_list; 56 } 57 } 58 59 ldns_key * 60 ldns_key_new() 61 { 62 ldns_key *newkey; 63 64 newkey = LDNS_MALLOC(ldns_key); 65 if (!newkey) { 66 return NULL; 67 } else { 68 /* some defaults - not sure wether to do this */ 69 ldns_key_set_use(newkey, true); 70 ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY); 71 ldns_key_set_origttl(newkey, 0); 72 ldns_key_set_keytag(newkey, 0); 73 ldns_key_set_inception(newkey, 0); 74 ldns_key_set_expiration(newkey, 0); 75 ldns_key_set_pubkey_owner(newkey, NULL); 76 #ifdef HAVE_SSL 77 ldns_key_set_evp_key(newkey, NULL); 78 #endif /* HAVE_SSL */ 79 ldns_key_set_hmac_key(newkey, NULL); 80 ldns_key_set_external_key(newkey, NULL); 81 return newkey; 82 } 83 } 84 85 ldns_status 86 ldns_key_new_frm_fp(ldns_key **k, FILE *fp) 87 { 88 return ldns_key_new_frm_fp_l(k, fp, NULL); 89 } 90 91 #ifdef HAVE_SSL 92 ldns_status 93 ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm alg) 94 { 95 ldns_key *k; 96 97 k = ldns_key_new(); 98 if(!k) return LDNS_STATUS_MEM_ERR; 99 #ifndef S_SPLINT_S 100 k->_key.key = ENGINE_load_private_key(e, key_id, UI_OpenSSL(), NULL); 101 if(!k->_key.key) { 102 ldns_key_free(k); 103 return LDNS_STATUS_ERR; 104 } 105 ldns_key_set_algorithm(k, (ldns_signing_algorithm) alg); 106 if (!k->_key.key) { 107 ldns_key_free(k); 108 return LDNS_STATUS_ENGINE_KEY_NOT_LOADED; 109 } 110 #endif /* splint */ 111 *key = k; 112 return LDNS_STATUS_OK; 113 } 114 #endif 115 116 #ifdef USE_GOST 117 /** store GOST engine reference loaded into OpenSSL library */ 118 ENGINE* ldns_gost_engine = NULL; 119 120 int 121 ldns_key_EVP_load_gost_id(void) 122 { 123 static int gost_id = 0; 124 const EVP_PKEY_ASN1_METHOD* meth; 125 ENGINE* e; 126 127 if(gost_id) return gost_id; 128 129 /* see if configuration loaded gost implementation from other engine*/ 130 meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1); 131 if(meth) { 132 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); 133 return gost_id; 134 } 135 136 /* see if engine can be loaded already */ 137 e = ENGINE_by_id("gost"); 138 if(!e) { 139 /* load it ourself, in case statically linked */ 140 ENGINE_load_builtin_engines(); 141 ENGINE_load_dynamic(); 142 e = ENGINE_by_id("gost"); 143 } 144 if(!e) { 145 /* no gost engine in openssl */ 146 return 0; 147 } 148 if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { 149 ENGINE_finish(e); 150 ENGINE_free(e); 151 return 0; 152 } 153 154 meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1); 155 if(!meth) { 156 /* algo not found */ 157 ENGINE_finish(e); 158 ENGINE_free(e); 159 return 0; 160 } 161 /* Note: do not ENGINE_finish and ENGINE_free the acquired engine 162 * on some platforms this frees up the meth and unloads gost stuff */ 163 ldns_gost_engine = e; 164 165 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth); 166 return gost_id; 167 } 168 169 void ldns_key_EVP_unload_gost(void) 170 { 171 if(ldns_gost_engine) { 172 ENGINE_finish(ldns_gost_engine); 173 ENGINE_free(ldns_gost_engine); 174 ldns_gost_engine = NULL; 175 } 176 } 177 178 /** read GOST private key */ 179 static EVP_PKEY* 180 ldns_key_new_frm_fp_gost_l(FILE* fp, int* line_nr) 181 { 182 char token[16384]; 183 const unsigned char* pp; 184 int gost_id; 185 EVP_PKEY* pkey; 186 ldns_rdf* b64rdf = NULL; 187 188 gost_id = ldns_key_EVP_load_gost_id(); 189 if(!gost_id) 190 return NULL; 191 192 if (ldns_fget_keyword_data_l(fp, "GostAsn1", ": ", token, "\n", 193 sizeof(token), line_nr) == -1) 194 return NULL; 195 while(strlen(token) < 96) { 196 /* read more b64 from the file, b64 split on multiple lines */ 197 if(ldns_fget_token_l(fp, token+strlen(token), "\n", 198 sizeof(token)-strlen(token), line_nr) == -1) 199 return NULL; 200 } 201 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 202 return NULL; 203 pp = (unsigned char*)ldns_rdf_data(b64rdf); 204 pkey = d2i_PrivateKey(gost_id, NULL, &pp, (int)ldns_rdf_size(b64rdf)); 205 ldns_rdf_deep_free(b64rdf); 206 return pkey; 207 } 208 #endif 209 210 #ifdef USE_ECDSA 211 /** calculate public key from private key */ 212 static int 213 ldns_EC_KEY_calc_public(EC_KEY* ec) 214 { 215 EC_POINT* pub_key; 216 const EC_GROUP* group; 217 group = EC_KEY_get0_group(ec); 218 pub_key = EC_POINT_new(group); 219 if(!pub_key) return 0; 220 if(!EC_POINT_copy(pub_key, EC_GROUP_get0_generator(group))) { 221 EC_POINT_free(pub_key); 222 return 0; 223 } 224 if(!EC_POINT_mul(group, pub_key, EC_KEY_get0_private_key(ec), 225 NULL, NULL, NULL)) { 226 EC_POINT_free(pub_key); 227 return 0; 228 } 229 if(EC_KEY_set_public_key(ec, pub_key) == 0) { 230 EC_POINT_free(pub_key); 231 return 0; 232 } 233 EC_POINT_free(pub_key); 234 return 1; 235 } 236 237 /** read ECDSA private key */ 238 static EVP_PKEY* 239 ldns_key_new_frm_fp_ecdsa_l(FILE* fp, ldns_algorithm alg, int* line_nr) 240 { 241 char token[16384]; 242 ldns_rdf* b64rdf = NULL; 243 unsigned char* pp; 244 BIGNUM* bn; 245 EVP_PKEY* evp_key; 246 EC_KEY* ec; 247 if (ldns_fget_keyword_data_l(fp, "PrivateKey", ": ", token, "\n", 248 sizeof(token), line_nr) == -1) 249 return NULL; 250 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK) 251 return NULL; 252 pp = (unsigned char*)ldns_rdf_data(b64rdf); 253 254 if(alg == LDNS_ECDSAP256SHA256) 255 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 256 else if(alg == LDNS_ECDSAP384SHA384) 257 ec = EC_KEY_new_by_curve_name(NID_secp384r1); 258 else ec = NULL; 259 if(!ec) { 260 ldns_rdf_deep_free(b64rdf); 261 return NULL; 262 } 263 bn = BN_bin2bn(pp, (int)ldns_rdf_size(b64rdf), NULL); 264 ldns_rdf_deep_free(b64rdf); 265 if(!bn) { 266 EC_KEY_free(ec); 267 return NULL; 268 } 269 EC_KEY_set_private_key(ec, bn); 270 BN_free(bn); 271 if(!ldns_EC_KEY_calc_public(ec)) { 272 EC_KEY_free(ec); 273 return NULL; 274 } 275 276 evp_key = EVP_PKEY_new(); 277 if(!evp_key) { 278 EC_KEY_free(ec); 279 return NULL; 280 } 281 if (!EVP_PKEY_assign_EC_KEY(evp_key, ec)) { 282 EVP_PKEY_free(evp_key); 283 EC_KEY_free(ec); 284 return NULL; 285 } 286 return evp_key; 287 } 288 #endif 289 290 ldns_status 291 ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr) 292 { 293 ldns_key *k; 294 char *d; 295 ldns_signing_algorithm alg; 296 ldns_rr *key_rr; 297 #ifdef HAVE_SSL 298 RSA *rsa; 299 DSA *dsa; 300 unsigned char *hmac; 301 size_t hmac_size; 302 #endif /* HAVE_SSL */ 303 304 k = ldns_key_new(); 305 306 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 307 if (!k || !d) { 308 ldns_key_free(k); 309 LDNS_FREE(d); 310 return LDNS_STATUS_MEM_ERR; 311 } 312 313 alg = 0; 314 315 /* the file is highly structured. Do this in sequence */ 316 /* RSA: 317 * Private-key-format: v1.2 318 * Algorithm: 1 (RSA) 319 320 */ 321 /* get the key format version number */ 322 if (ldns_fget_keyword_data_l(fp, "Private-key-format", ": ", d, "\n", 323 LDNS_MAX_LINELEN, line_nr) == -1) { 324 /* no version information */ 325 ldns_key_free(k); 326 LDNS_FREE(d); 327 return LDNS_STATUS_SYNTAX_ERR; 328 } 329 if (strncmp(d, "v1.2", strlen(d)) != 0) { 330 ldns_key_free(k); 331 LDNS_FREE(d); 332 return LDNS_STATUS_SYNTAX_VERSION_ERR; 333 } 334 335 /* get the algorithm type, our file function strip ( ) so there are 336 * not in the return string! */ 337 if (ldns_fget_keyword_data_l(fp, "Algorithm", ": ", d, "\n", 338 LDNS_MAX_LINELEN, line_nr) == -1) { 339 /* no alg information */ 340 ldns_key_free(k); 341 LDNS_FREE(d); 342 return LDNS_STATUS_SYNTAX_ALG_ERR; 343 } 344 345 if (strncmp(d, "1 RSA", 2) == 0) { 346 alg = LDNS_SIGN_RSAMD5; 347 } 348 if (strncmp(d, "2 DH", 2) == 0) { 349 alg = (ldns_signing_algorithm)LDNS_DH; 350 } 351 if (strncmp(d, "3 DSA", 2) == 0) { 352 alg = LDNS_SIGN_DSA; 353 } 354 if (strncmp(d, "4 ECC", 2) == 0) { 355 alg = (ldns_signing_algorithm)LDNS_ECC; 356 } 357 if (strncmp(d, "5 RSASHA1", 2) == 0) { 358 alg = LDNS_SIGN_RSASHA1; 359 } 360 if (strncmp(d, "6 DSA", 2) == 0) { 361 alg = LDNS_SIGN_DSA_NSEC3; 362 } 363 if (strncmp(d, "7 RSASHA1", 2) == 0) { 364 alg = LDNS_SIGN_RSASHA1_NSEC3; 365 } 366 367 if (strncmp(d, "8 RSASHA256", 2) == 0) { 368 #ifdef USE_SHA2 369 alg = LDNS_SIGN_RSASHA256; 370 #else 371 fprintf(stderr, "Warning: SHA256 not compiled into this "); 372 fprintf(stderr, "version of ldns\n"); 373 #endif 374 } 375 if (strncmp(d, "10 RSASHA512", 3) == 0) { 376 #ifdef USE_SHA2 377 alg = LDNS_SIGN_RSASHA512; 378 #else 379 fprintf(stderr, "Warning: SHA512 not compiled into this "); 380 fprintf(stderr, "version of ldns\n"); 381 #endif 382 } 383 if (strncmp(d, "12 ECC-GOST", 3) == 0) { 384 #ifdef USE_GOST 385 alg = LDNS_SIGN_ECC_GOST; 386 #else 387 fprintf(stderr, "Warning: ECC-GOST not compiled into this "); 388 fprintf(stderr, "version of ldns, use --enable-gost\n"); 389 #endif 390 } 391 #ifdef USE_ECDSA 392 if (strncmp(d, "13 ECDSAP256SHA256", 3) == 0) { 393 alg = LDNS_SIGN_ECDSAP256SHA256; 394 } 395 if (strncmp(d, "14 ECDSAP384SHA384", 3) == 0) { 396 alg = LDNS_SIGN_ECDSAP384SHA384; 397 } 398 #endif 399 if (strncmp(d, "157 HMAC-MD5", 4) == 0) { 400 alg = LDNS_SIGN_HMACMD5; 401 } 402 if (strncmp(d, "158 HMAC-SHA1", 4) == 0) { 403 alg = LDNS_SIGN_HMACSHA1; 404 } 405 if (strncmp(d, "159 HMAC-SHA256", 4) == 0) { 406 alg = LDNS_SIGN_HMACSHA256; 407 } 408 409 LDNS_FREE(d); 410 411 switch(alg) { 412 case LDNS_SIGN_RSAMD5: 413 case LDNS_SIGN_RSASHA1: 414 case LDNS_SIGN_RSASHA1_NSEC3: 415 #ifdef USE_SHA2 416 case LDNS_SIGN_RSASHA256: 417 case LDNS_SIGN_RSASHA512: 418 #endif 419 ldns_key_set_algorithm(k, alg); 420 #ifdef HAVE_SSL 421 rsa = ldns_key_new_frm_fp_rsa_l(fp, line_nr); 422 if (!rsa) { 423 ldns_key_free(k); 424 return LDNS_STATUS_ERR; 425 } 426 ldns_key_set_rsa_key(k, rsa); 427 RSA_free(rsa); 428 #endif /* HAVE_SSL */ 429 break; 430 case LDNS_SIGN_DSA: 431 case LDNS_SIGN_DSA_NSEC3: 432 ldns_key_set_algorithm(k, alg); 433 #ifdef HAVE_SSL 434 dsa = ldns_key_new_frm_fp_dsa_l(fp, line_nr); 435 if (!dsa) { 436 ldns_key_free(k); 437 return LDNS_STATUS_ERR; 438 } 439 ldns_key_set_dsa_key(k, dsa); 440 DSA_free(dsa); 441 #endif /* HAVE_SSL */ 442 break; 443 case LDNS_SIGN_HMACMD5: 444 case LDNS_SIGN_HMACSHA1: 445 case LDNS_SIGN_HMACSHA256: 446 ldns_key_set_algorithm(k, alg); 447 #ifdef HAVE_SSL 448 hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size); 449 if (!hmac) { 450 ldns_key_free(k); 451 return LDNS_STATUS_ERR; 452 } 453 ldns_key_set_hmac_size(k, hmac_size); 454 ldns_key_set_hmac_key(k, hmac); 455 #endif /* HAVE_SSL */ 456 break; 457 case LDNS_SIGN_ECC_GOST: 458 ldns_key_set_algorithm(k, alg); 459 #if defined(HAVE_SSL) && defined(USE_GOST) 460 if(!ldns_key_EVP_load_gost_id()) { 461 ldns_key_free(k); 462 return LDNS_STATUS_CRYPTO_ALGO_NOT_IMPL; 463 } 464 ldns_key_set_evp_key(k, 465 ldns_key_new_frm_fp_gost_l(fp, line_nr)); 466 #ifndef S_SPLINT_S 467 if(!k->_key.key) { 468 ldns_key_free(k); 469 return LDNS_STATUS_ERR; 470 } 471 #endif /* splint */ 472 #endif 473 break; 474 #ifdef USE_ECDSA 475 case LDNS_SIGN_ECDSAP256SHA256: 476 case LDNS_SIGN_ECDSAP384SHA384: 477 ldns_key_set_algorithm(k, alg); 478 ldns_key_set_evp_key(k, 479 ldns_key_new_frm_fp_ecdsa_l(fp, (ldns_algorithm)alg, line_nr)); 480 #ifndef S_SPLINT_S 481 if(!k->_key.key) { 482 ldns_key_free(k); 483 return LDNS_STATUS_ERR; 484 } 485 #endif /* splint */ 486 break; 487 #endif 488 default: 489 ldns_key_free(k); 490 return LDNS_STATUS_SYNTAX_ALG_ERR; 491 } 492 key_rr = ldns_key2rr(k); 493 ldns_key_set_keytag(k, ldns_calc_keytag(key_rr)); 494 ldns_rr_free(key_rr); 495 496 if (key) { 497 *key = k; 498 return LDNS_STATUS_OK; 499 } 500 return LDNS_STATUS_ERR; 501 } 502 503 #ifdef HAVE_SSL 504 RSA * 505 ldns_key_new_frm_fp_rsa(FILE *f) 506 { 507 return ldns_key_new_frm_fp_rsa_l(f, NULL); 508 } 509 510 RSA * 511 ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) 512 { 513 /* we parse 514 * Modulus: 515 * PublicExponent: 516 * PrivateExponent: 517 * Prime1: 518 * Prime2: 519 * Exponent1: 520 * Exponent2: 521 * Coefficient: 522 * 523 * man 3 RSA: 524 * 525 * struct 526 * { 527 * BIGNUM *n; // public modulus 528 * BIGNUM *e; // public exponent 529 * BIGNUM *d; // private exponent 530 * BIGNUM *p; // secret prime factor 531 * BIGNUM *q; // secret prime factor 532 * BIGNUM *dmp1; // d mod (p-1) 533 * BIGNUM *dmq1; // d mod (q-1) 534 * BIGNUM *iqmp; // q^-1 mod p 535 * // ... 536 * 537 */ 538 char *d; 539 RSA *rsa; 540 uint8_t *buf; 541 int i; 542 543 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 544 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); 545 rsa = RSA_new(); 546 if (!d || !rsa || !buf) { 547 goto error; 548 } 549 550 /* I could use functions again, but that seems an overkill, 551 * allthough this also looks tedious 552 */ 553 554 /* Modules, rsa->n */ 555 if (ldns_fget_keyword_data_l(f, "Modulus", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 556 goto error; 557 } 558 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 559 #ifndef S_SPLINT_S 560 rsa->n = BN_bin2bn((const char unsigned*)buf, i, NULL); 561 if (!rsa->n) { 562 goto error; 563 } 564 565 /* PublicExponent, rsa->e */ 566 if (ldns_fget_keyword_data_l(f, "PublicExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 567 goto error; 568 } 569 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 570 rsa->e = BN_bin2bn((const char unsigned*)buf, i, NULL); 571 if (!rsa->e) { 572 goto error; 573 } 574 575 /* PrivateExponent, rsa->d */ 576 if (ldns_fget_keyword_data_l(f, "PrivateExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 577 goto error; 578 } 579 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 580 rsa->d = BN_bin2bn((const char unsigned*)buf, i, NULL); 581 if (!rsa->d) { 582 goto error; 583 } 584 585 /* Prime1, rsa->p */ 586 if (ldns_fget_keyword_data_l(f, "Prime1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 587 goto error; 588 } 589 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 590 rsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL); 591 if (!rsa->p) { 592 goto error; 593 } 594 595 /* Prime2, rsa->q */ 596 if (ldns_fget_keyword_data_l(f, "Prime2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 597 goto error; 598 } 599 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 600 rsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL); 601 if (!rsa->q) { 602 goto error; 603 } 604 605 /* Exponent1, rsa->dmp1 */ 606 if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 607 goto error; 608 } 609 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 610 rsa->dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL); 611 if (!rsa->dmp1) { 612 goto error; 613 } 614 615 /* Exponent2, rsa->dmq1 */ 616 if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 617 goto error; 618 } 619 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 620 rsa->dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL); 621 if (!rsa->dmq1) { 622 goto error; 623 } 624 625 /* Coefficient, rsa->iqmp */ 626 if (ldns_fget_keyword_data_l(f, "Coefficient", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 627 goto error; 628 } 629 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 630 rsa->iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL); 631 if (!rsa->iqmp) { 632 goto error; 633 } 634 #endif /* splint */ 635 636 LDNS_FREE(buf); 637 LDNS_FREE(d); 638 return rsa; 639 640 error: 641 RSA_free(rsa); 642 LDNS_FREE(d); 643 LDNS_FREE(buf); 644 return NULL; 645 } 646 647 DSA * 648 ldns_key_new_frm_fp_dsa(FILE *f) 649 { 650 return ldns_key_new_frm_fp_dsa_l(f, NULL); 651 } 652 653 DSA * 654 ldns_key_new_frm_fp_dsa_l(FILE *f, int *line_nr) 655 { 656 int i; 657 char *d; 658 DSA *dsa; 659 uint8_t *buf; 660 661 line_nr = line_nr; 662 663 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 664 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); 665 dsa = DSA_new(); 666 if (!d || !dsa || !buf) { 667 goto error; 668 } 669 670 /* the line parser removes the () from the input... */ 671 672 /* Prime, dsa->p */ 673 if (ldns_fget_keyword_data_l(f, "Primep", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 674 goto error; 675 } 676 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 677 #ifndef S_SPLINT_S 678 dsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL); 679 if (!dsa->p) { 680 goto error; 681 } 682 683 /* Subprime, dsa->q */ 684 if (ldns_fget_keyword_data_l(f, "Subprimeq", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 685 goto error; 686 } 687 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 688 dsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL); 689 if (!dsa->q) { 690 goto error; 691 } 692 693 /* Base, dsa->g */ 694 if (ldns_fget_keyword_data_l(f, "Baseg", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 695 goto error; 696 } 697 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 698 dsa->g = BN_bin2bn((const char unsigned*)buf, i, NULL); 699 if (!dsa->g) { 700 goto error; 701 } 702 703 /* Private key, dsa->priv_key */ 704 if (ldns_fget_keyword_data_l(f, "Private_valuex", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 705 goto error; 706 } 707 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 708 dsa->priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL); 709 if (!dsa->priv_key) { 710 goto error; 711 } 712 713 /* Public key, dsa->priv_key */ 714 if (ldns_fget_keyword_data_l(f, "Public_valuey", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 715 goto error; 716 } 717 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); 718 dsa->pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL); 719 if (!dsa->pub_key) { 720 goto error; 721 } 722 #endif /* splint */ 723 724 LDNS_FREE(buf); 725 LDNS_FREE(d); 726 727 return dsa; 728 729 error: 730 LDNS_FREE(d); 731 LDNS_FREE(buf); 732 DSA_free(dsa); 733 return NULL; 734 } 735 736 unsigned char * 737 ldns_key_new_frm_fp_hmac(FILE *f, size_t *hmac_size) 738 { 739 return ldns_key_new_frm_fp_hmac_l(f, NULL, hmac_size); 740 } 741 742 unsigned char * 743 ldns_key_new_frm_fp_hmac_l(FILE *f, int *line_nr, size_t *hmac_size) 744 { 745 size_t i; 746 char *d; 747 unsigned char *buf; 748 749 line_nr = line_nr; 750 751 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); 752 buf = LDNS_XMALLOC(unsigned char, LDNS_MAX_LINELEN); 753 if(!d || !buf) { 754 goto error; 755 } 756 757 if (ldns_fget_keyword_data_l(f, "Key", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { 758 goto error; 759 } 760 i = (size_t) ldns_b64_pton((const char*)d, 761 buf, 762 ldns_b64_ntop_calculate_size(strlen(d))); 763 764 *hmac_size = i; 765 return buf; 766 767 error: 768 LDNS_FREE(d); 769 LDNS_FREE(buf); 770 *hmac_size = 0; 771 return NULL; 772 } 773 #endif /* HAVE_SSL */ 774 775 #ifdef USE_GOST 776 static EVP_PKEY* 777 ldns_gen_gost_key(void) 778 { 779 EVP_PKEY_CTX* ctx; 780 EVP_PKEY* p = NULL; 781 int gost_id = ldns_key_EVP_load_gost_id(); 782 if(!gost_id) 783 return NULL; 784 ctx = EVP_PKEY_CTX_new_id(gost_id, NULL); 785 if(!ctx) { 786 /* the id should be available now */ 787 return NULL; 788 } 789 if(EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0) { 790 /* cannot set paramset */ 791 EVP_PKEY_CTX_free(ctx); 792 return NULL; 793 } 794 795 if(EVP_PKEY_keygen_init(ctx) <= 0) { 796 EVP_PKEY_CTX_free(ctx); 797 return NULL; 798 } 799 if(EVP_PKEY_keygen(ctx, &p) <= 0) { 800 EVP_PKEY_free(p); 801 EVP_PKEY_CTX_free(ctx); 802 return NULL; 803 } 804 EVP_PKEY_CTX_free(ctx); 805 return p; 806 } 807 #endif 808 809 ldns_key * 810 ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size) 811 { 812 ldns_key *k; 813 #ifdef HAVE_SSL 814 DSA *d; 815 RSA *r; 816 # ifdef USE_ECDSA 817 EC_KEY *ec = NULL; 818 # endif 819 #else 820 int i; 821 uint16_t offset = 0; 822 #endif 823 unsigned char *hmac; 824 825 k = ldns_key_new(); 826 if (!k) { 827 return NULL; 828 } 829 switch(alg) { 830 case LDNS_SIGN_RSAMD5: 831 case LDNS_SIGN_RSASHA1: 832 case LDNS_SIGN_RSASHA1_NSEC3: 833 case LDNS_SIGN_RSASHA256: 834 case LDNS_SIGN_RSASHA512: 835 #ifdef HAVE_SSL 836 r = RSA_generate_key((int)size, RSA_F4, NULL, NULL); 837 if(!r) { 838 ldns_key_free(k); 839 return NULL; 840 } 841 if (RSA_check_key(r) != 1) { 842 ldns_key_free(k); 843 return NULL; 844 } 845 ldns_key_set_rsa_key(k, r); 846 #endif /* HAVE_SSL */ 847 break; 848 case LDNS_SIGN_DSA: 849 case LDNS_SIGN_DSA_NSEC3: 850 #ifdef HAVE_SSL 851 d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL); 852 if (!d) { 853 ldns_key_free(k); 854 return NULL; 855 } 856 if (DSA_generate_key(d) != 1) { 857 ldns_key_free(k); 858 return NULL; 859 } 860 ldns_key_set_dsa_key(k, d); 861 #endif /* HAVE_SSL */ 862 break; 863 case LDNS_SIGN_HMACMD5: 864 case LDNS_SIGN_HMACSHA1: 865 case LDNS_SIGN_HMACSHA256: 866 #ifdef HAVE_SSL 867 #ifndef S_SPLINT_S 868 k->_key.key = NULL; 869 #endif /* splint */ 870 #endif /* HAVE_SSL */ 871 size = size / 8; 872 ldns_key_set_hmac_size(k, size); 873 874 hmac = LDNS_XMALLOC(unsigned char, size); 875 if(!hmac) { 876 ldns_key_free(k); 877 return NULL; 878 } 879 #ifdef HAVE_SSL 880 if (RAND_bytes(hmac, (int) size) != 1) { 881 LDNS_FREE(hmac); 882 ldns_key_free(k); 883 return NULL; 884 } 885 #else 886 while (offset + sizeof(i) < size) { 887 i = random(); 888 memcpy(&hmac[offset], &i, sizeof(i)); 889 offset += sizeof(i); 890 } 891 if (offset < size) { 892 i = random(); 893 memcpy(&hmac[offset], &i, size - offset); 894 } 895 #endif /* HAVE_SSL */ 896 ldns_key_set_hmac_key(k, hmac); 897 898 ldns_key_set_flags(k, 0); 899 break; 900 case LDNS_SIGN_ECC_GOST: 901 #if defined(HAVE_SSL) && defined(USE_GOST) 902 ldns_key_set_evp_key(k, ldns_gen_gost_key()); 903 #ifndef S_SPLINT_S 904 if(!k->_key.key) { 905 ldns_key_free(k); 906 return NULL; 907 } 908 #endif /* splint */ 909 #endif /* HAVE_SSL and USE_GOST */ 910 break; 911 #ifdef USE_ECDSA 912 case LDNS_SIGN_ECDSAP256SHA256: 913 case LDNS_SIGN_ECDSAP384SHA384: 914 if(alg == LDNS_SIGN_ECDSAP256SHA256) 915 ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 916 else if(alg == LDNS_SIGN_ECDSAP384SHA384) 917 ec = EC_KEY_new_by_curve_name(NID_secp384r1); 918 if(!ec) { 919 ldns_key_free(k); 920 return NULL; 921 } 922 if(!EC_KEY_generate_key(ec)) { 923 ldns_key_free(k); 924 EC_KEY_free(ec); 925 return NULL; 926 } 927 #ifndef S_SPLINT_S 928 k->_key.key = EVP_PKEY_new(); 929 if(!k->_key.key) { 930 ldns_key_free(k); 931 EC_KEY_free(ec); 932 return NULL; 933 } 934 if (!EVP_PKEY_assign_EC_KEY(k->_key.key, ec)) { 935 ldns_key_free(k); 936 EC_KEY_free(ec); 937 return NULL; 938 } 939 #endif /* splint */ 940 break; 941 #endif 942 } 943 ldns_key_set_algorithm(k, alg); 944 return k; 945 } 946 947 void 948 ldns_key_print(FILE *output, const ldns_key *k) 949 { 950 char *str = ldns_key2str(k); 951 if (str) { 952 fprintf(output, "%s", str); 953 } else { 954 fprintf(output, "Unable to convert private key to string\n"); 955 } 956 LDNS_FREE(str); 957 } 958 959 960 void 961 ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l) 962 { 963 k->_alg = l; 964 } 965 966 void 967 ldns_key_set_flags(ldns_key *k, uint16_t f) 968 { 969 k->_extra.dnssec.flags = f; 970 } 971 972 #ifdef HAVE_SSL 973 #ifndef S_SPLINT_S 974 void 975 ldns_key_set_evp_key(ldns_key *k, EVP_PKEY *e) 976 { 977 k->_key.key = e; 978 } 979 980 void 981 ldns_key_set_rsa_key(ldns_key *k, RSA *r) 982 { 983 EVP_PKEY *key = EVP_PKEY_new(); 984 EVP_PKEY_set1_RSA(key, r); 985 k->_key.key = key; 986 } 987 988 void 989 ldns_key_set_dsa_key(ldns_key *k, DSA *d) 990 { 991 EVP_PKEY *key = EVP_PKEY_new(); 992 EVP_PKEY_set1_DSA(key, d); 993 k->_key.key = key; 994 } 995 #endif /* splint */ 996 #endif /* HAVE_SSL */ 997 998 void 999 ldns_key_set_hmac_key(ldns_key *k, unsigned char *hmac) 1000 { 1001 k->_key.hmac.key = hmac; 1002 } 1003 1004 void 1005 ldns_key_set_hmac_size(ldns_key *k, size_t hmac_size) 1006 { 1007 k->_key.hmac.size = hmac_size; 1008 } 1009 1010 void 1011 ldns_key_set_external_key(ldns_key *k, void *external_key) 1012 { 1013 k->_key.external_key = external_key; 1014 } 1015 1016 void 1017 ldns_key_set_origttl(ldns_key *k, uint32_t t) 1018 { 1019 k->_extra.dnssec.orig_ttl = t; 1020 } 1021 1022 void 1023 ldns_key_set_inception(ldns_key *k, uint32_t i) 1024 { 1025 k->_extra.dnssec.inception = i; 1026 } 1027 1028 void 1029 ldns_key_set_expiration(ldns_key *k, uint32_t e) 1030 { 1031 k->_extra.dnssec.expiration = e; 1032 } 1033 1034 void 1035 ldns_key_set_pubkey_owner(ldns_key *k, ldns_rdf *r) 1036 { 1037 k->_pubkey_owner = r; 1038 } 1039 1040 void 1041 ldns_key_set_keytag(ldns_key *k, uint16_t tag) 1042 { 1043 k->_extra.dnssec.keytag = tag; 1044 } 1045 1046 /* read */ 1047 size_t 1048 ldns_key_list_key_count(const ldns_key_list *key_list) 1049 { 1050 return key_list->_key_count; 1051 } 1052 1053 ldns_key * 1054 ldns_key_list_key(const ldns_key_list *key, size_t nr) 1055 { 1056 if (nr < ldns_key_list_key_count(key)) { 1057 return key->_keys[nr]; 1058 } else { 1059 return NULL; 1060 } 1061 } 1062 1063 ldns_signing_algorithm 1064 ldns_key_algorithm(const ldns_key *k) 1065 { 1066 return k->_alg; 1067 } 1068 1069 void 1070 ldns_key_set_use(ldns_key *k, bool v) 1071 { 1072 if (k) { 1073 k->_use = v; 1074 } 1075 } 1076 1077 bool 1078 ldns_key_use(const ldns_key *k) 1079 { 1080 if (k) { 1081 return k->_use; 1082 } 1083 return false; 1084 } 1085 1086 #ifdef HAVE_SSL 1087 #ifndef S_SPLINT_S 1088 EVP_PKEY * 1089 ldns_key_evp_key(const ldns_key *k) 1090 { 1091 return k->_key.key; 1092 } 1093 1094 RSA * 1095 ldns_key_rsa_key(const ldns_key *k) 1096 { 1097 if (k->_key.key) { 1098 return EVP_PKEY_get1_RSA(k->_key.key); 1099 } else { 1100 return NULL; 1101 } 1102 } 1103 1104 DSA * 1105 ldns_key_dsa_key(const ldns_key *k) 1106 { 1107 if (k->_key.key) { 1108 return EVP_PKEY_get1_DSA(k->_key.key); 1109 } else { 1110 return NULL; 1111 } 1112 } 1113 #endif /* splint */ 1114 #endif /* HAVE_SSL */ 1115 1116 unsigned char * 1117 ldns_key_hmac_key(const ldns_key *k) 1118 { 1119 if (k->_key.hmac.key) { 1120 return k->_key.hmac.key; 1121 } else { 1122 return NULL; 1123 } 1124 } 1125 1126 size_t 1127 ldns_key_hmac_size(const ldns_key *k) 1128 { 1129 if (k->_key.hmac.size) { 1130 return k->_key.hmac.size; 1131 } else { 1132 return 0; 1133 } 1134 } 1135 1136 void * 1137 ldns_key_external_key(const ldns_key *k) 1138 { 1139 return k->_key.external_key; 1140 } 1141 1142 uint32_t 1143 ldns_key_origttl(const ldns_key *k) 1144 { 1145 return k->_extra.dnssec.orig_ttl; 1146 } 1147 1148 uint16_t 1149 ldns_key_flags(const ldns_key *k) 1150 { 1151 return k->_extra.dnssec.flags; 1152 } 1153 1154 uint32_t 1155 ldns_key_inception(const ldns_key *k) 1156 { 1157 return k->_extra.dnssec.inception; 1158 } 1159 1160 uint32_t 1161 ldns_key_expiration(const ldns_key *k) 1162 { 1163 return k->_extra.dnssec.expiration; 1164 } 1165 1166 uint16_t 1167 ldns_key_keytag(const ldns_key *k) 1168 { 1169 return k->_extra.dnssec.keytag; 1170 } 1171 1172 ldns_rdf * 1173 ldns_key_pubkey_owner(const ldns_key *k) 1174 { 1175 return k->_pubkey_owner; 1176 } 1177 1178 /* write */ 1179 void 1180 ldns_key_list_set_use(ldns_key_list *keys, bool v) 1181 { 1182 size_t i; 1183 1184 for (i = 0; i < ldns_key_list_key_count(keys); i++) { 1185 ldns_key_set_use(ldns_key_list_key(keys, i), v); 1186 } 1187 } 1188 1189 void 1190 ldns_key_list_set_key_count(ldns_key_list *key, size_t count) 1191 { 1192 key->_key_count = count; 1193 } 1194 1195 bool 1196 ldns_key_list_push_key(ldns_key_list *key_list, ldns_key *key) 1197 { 1198 size_t key_count; 1199 ldns_key **keys; 1200 1201 key_count = ldns_key_list_key_count(key_list); 1202 1203 /* grow the array */ 1204 keys = LDNS_XREALLOC( 1205 key_list->_keys, ldns_key *, key_count + 1); 1206 if (!keys) { 1207 return false; 1208 } 1209 1210 /* add the new member */ 1211 key_list->_keys = keys; 1212 key_list->_keys[key_count] = key; 1213 1214 ldns_key_list_set_key_count(key_list, key_count + 1); 1215 return true; 1216 } 1217 1218 ldns_key * 1219 ldns_key_list_pop_key(ldns_key_list *key_list) 1220 { 1221 size_t key_count; 1222 ldns_key** a; 1223 ldns_key *pop; 1224 1225 if (!key_list) { 1226 return NULL; 1227 } 1228 1229 key_count = ldns_key_list_key_count(key_list); 1230 if (key_count == 0) { 1231 return NULL; 1232 } 1233 1234 pop = ldns_key_list_key(key_list, key_count); 1235 1236 /* shrink the array */ 1237 a = LDNS_XREALLOC(key_list->_keys, ldns_key *, key_count - 1); 1238 if(a) { 1239 key_list->_keys = a; 1240 } 1241 1242 ldns_key_list_set_key_count(key_list, key_count - 1); 1243 1244 return pop; 1245 } 1246 1247 #ifdef HAVE_SSL 1248 #ifndef S_SPLINT_S 1249 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */ 1250 static bool 1251 ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size) 1252 { 1253 int i,j; 1254 1255 if (!k) { 1256 return false; 1257 } 1258 1259 if (BN_num_bytes(k->e) <= 256) { 1260 /* normally only this path is executed (small factors are 1261 * more common 1262 */ 1263 data[0] = (unsigned char) BN_num_bytes(k->e); 1264 i = BN_bn2bin(k->e, data + 1); 1265 j = BN_bn2bin(k->n, data + i + 1); 1266 *size = (uint16_t) i + j; 1267 } else if (BN_num_bytes(k->e) <= 65536) { 1268 data[0] = 0; 1269 /* BN_bn2bin does bigendian, _uint16 also */ 1270 ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(k->e)); 1271 1272 BN_bn2bin(k->e, data + 3); 1273 BN_bn2bin(k->n, data + 4 + BN_num_bytes(k->e)); 1274 *size = (uint16_t) BN_num_bytes(k->n) + 6; 1275 } else { 1276 return false; 1277 } 1278 return true; 1279 } 1280 1281 /* data pointer must be large enough (LDNS_MAX_KEYLEN) */ 1282 static bool 1283 ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size) 1284 { 1285 uint8_t T; 1286 1287 if (!k) { 1288 return false; 1289 } 1290 1291 /* See RFC2536 */ 1292 *size = (uint16_t)BN_num_bytes(k->g); 1293 T = (*size - 64) / 8; 1294 memcpy(data, &T, 1); 1295 1296 if (T > 8) { 1297 fprintf(stderr, "DSA key with T > 8 (ie. > 1024 bits)"); 1298 fprintf(stderr, " not implemented\n"); 1299 return false; 1300 } 1301 1302 /* size = 64 + (T * 8); */ 1303 data[0] = (unsigned char)T; 1304 BN_bn2bin(k->q, data + 1 ); /* 20 octects */ 1305 BN_bn2bin(k->p, data + 21 ); /* offset octects */ 1306 BN_bn2bin(k->g, data + 21 + *size); /* offset octets */ 1307 BN_bn2bin(k->pub_key, data + 21 + *size + *size); /* offset octets */ 1308 *size = 21 + (*size * 3); 1309 return true; 1310 } 1311 1312 #ifdef USE_GOST 1313 static bool 1314 ldns_key_gost2bin(unsigned char* data, EVP_PKEY* k, uint16_t* size) 1315 { 1316 int i; 1317 unsigned char* pp = NULL; 1318 if(i2d_PUBKEY(k, &pp) != 37 + 64) { 1319 /* expect 37 byte(ASN header) and 64 byte(X and Y) */ 1320 CRYPTO_free(pp); 1321 return false; 1322 } 1323 /* omit ASN header */ 1324 for(i=0; i<64; i++) 1325 data[i] = pp[i+37]; 1326 CRYPTO_free(pp); 1327 *size = 64; 1328 return true; 1329 } 1330 #endif /* USE_GOST */ 1331 #endif /* splint */ 1332 #endif /* HAVE_SSL */ 1333 1334 ldns_rr * 1335 ldns_key2rr(const ldns_key *k) 1336 { 1337 /* this function will convert a the keydata contained in 1338 * rsa/dsa pointers to a DNSKEY rr. It will fill in as 1339 * much as it can, but it does not know about key-flags 1340 * for instance 1341 */ 1342 ldns_rr *pubkey; 1343 ldns_rdf *keybin; 1344 unsigned char *bin = NULL; 1345 uint16_t size = 0; 1346 #ifdef HAVE_SSL 1347 RSA *rsa = NULL; 1348 DSA *dsa = NULL; 1349 #endif /* HAVE_SSL */ 1350 #ifdef USE_ECDSA 1351 EC_KEY* ec; 1352 #endif 1353 int internal_data = 0; 1354 1355 pubkey = ldns_rr_new(); 1356 if (!k) { 1357 return NULL; 1358 } 1359 1360 switch (ldns_key_algorithm(k)) { 1361 case LDNS_SIGN_HMACMD5: 1362 case LDNS_SIGN_HMACSHA1: 1363 case LDNS_SIGN_HMACSHA256: 1364 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY); 1365 break; 1366 default: 1367 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_DNSKEY); 1368 break; 1369 } 1370 /* zero-th rdf - flags */ 1371 ldns_rr_push_rdf(pubkey, 1372 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16, 1373 ldns_key_flags(k))); 1374 /* first - proto */ 1375 ldns_rr_push_rdf(pubkey, 1376 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, LDNS_DNSSEC_KEYPROTO)); 1377 1378 if (ldns_key_pubkey_owner(k)) { 1379 ldns_rr_set_owner(pubkey, ldns_rdf_clone(ldns_key_pubkey_owner(k))); 1380 } 1381 1382 /* third - da algorithm */ 1383 switch(ldns_key_algorithm(k)) { 1384 case LDNS_SIGN_RSAMD5: 1385 case LDNS_SIGN_RSASHA1: 1386 case LDNS_SIGN_RSASHA1_NSEC3: 1387 case LDNS_SIGN_RSASHA256: 1388 case LDNS_SIGN_RSASHA512: 1389 ldns_rr_push_rdf(pubkey, 1390 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1391 #ifdef HAVE_SSL 1392 rsa = ldns_key_rsa_key(k); 1393 if (rsa) { 1394 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1395 if (!bin) { 1396 ldns_rr_free(pubkey); 1397 return NULL; 1398 } 1399 if (!ldns_key_rsa2bin(bin, rsa, &size)) { 1400 LDNS_FREE(bin); 1401 ldns_rr_free(pubkey); 1402 return NULL; 1403 } 1404 RSA_free(rsa); 1405 internal_data = 1; 1406 } 1407 #endif 1408 size++; 1409 break; 1410 case LDNS_SIGN_DSA: 1411 ldns_rr_push_rdf(pubkey, 1412 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA)); 1413 #ifdef HAVE_SSL 1414 dsa = ldns_key_dsa_key(k); 1415 if (dsa) { 1416 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1417 if (!bin) { 1418 ldns_rr_free(pubkey); 1419 return NULL; 1420 } 1421 if (!ldns_key_dsa2bin(bin, dsa, &size)) { 1422 LDNS_FREE(bin); 1423 ldns_rr_free(pubkey); 1424 return NULL; 1425 } 1426 DSA_free(dsa); 1427 internal_data = 1; 1428 } 1429 #endif /* HAVE_SSL */ 1430 break; 1431 case LDNS_SIGN_DSA_NSEC3: 1432 ldns_rr_push_rdf(pubkey, 1433 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA_NSEC3)); 1434 #ifdef HAVE_SSL 1435 dsa = ldns_key_dsa_key(k); 1436 if (dsa) { 1437 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1438 if (!bin) { 1439 ldns_rr_free(pubkey); 1440 return NULL; 1441 } 1442 if (!ldns_key_dsa2bin(bin, dsa, &size)) { 1443 LDNS_FREE(bin); 1444 ldns_rr_free(pubkey); 1445 return NULL; 1446 } 1447 DSA_free(dsa); 1448 internal_data = 1; 1449 } 1450 #endif /* HAVE_SSL */ 1451 break; 1452 case LDNS_SIGN_ECC_GOST: 1453 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 1454 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1455 #if defined(HAVE_SSL) && defined(USE_GOST) 1456 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); 1457 if (!bin) { 1458 ldns_rr_free(pubkey); 1459 return NULL; 1460 } 1461 #ifndef S_SPLINT_S 1462 if (!ldns_key_gost2bin(bin, k->_key.key, &size)) { 1463 LDNS_FREE(bin); 1464 ldns_rr_free(pubkey); 1465 return NULL; 1466 } 1467 #endif /* splint */ 1468 internal_data = 1; 1469 #endif /* HAVE_SSL and USE_GOST */ 1470 break; 1471 #ifdef USE_ECDSA 1472 case LDNS_SIGN_ECDSAP256SHA256: 1473 case LDNS_SIGN_ECDSAP384SHA384: 1474 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8( 1475 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k))); 1476 bin = NULL; 1477 #ifndef S_SPLINT_S 1478 ec = EVP_PKEY_get1_EC_KEY(k->_key.key); 1479 #endif 1480 EC_KEY_set_conv_form(ec, POINT_CONVERSION_UNCOMPRESSED); 1481 size = (uint16_t)i2o_ECPublicKey(ec, NULL); 1482 if(!i2o_ECPublicKey(ec, &bin)) { 1483 EC_KEY_free(ec); 1484 ldns_rr_free(pubkey); 1485 return NULL; 1486 } 1487 if(size > 1) { 1488 /* move back one byte to shave off the 0x02 1489 * 'uncompressed' indicator that openssl made 1490 * Actually its 0x04 (from implementation). 1491 */ 1492 assert(bin[0] == POINT_CONVERSION_UNCOMPRESSED); 1493 size -= 1; 1494 memmove(bin, bin+1, size); 1495 } 1496 /* down the reference count for ec, its still assigned 1497 * to the pkey */ 1498 EC_KEY_free(ec); 1499 internal_data = 1; 1500 break; 1501 #endif 1502 case LDNS_SIGN_HMACMD5: 1503 case LDNS_SIGN_HMACSHA1: 1504 case LDNS_SIGN_HMACSHA256: 1505 bin = LDNS_XMALLOC(unsigned char, ldns_key_hmac_size(k)); 1506 if (!bin) { 1507 ldns_rr_free(pubkey); 1508 return NULL; 1509 } 1510 ldns_rr_push_rdf(pubkey, 1511 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, 1512 ldns_key_algorithm(k))); 1513 size = ldns_key_hmac_size(k); 1514 memcpy(bin, ldns_key_hmac_key(k), size); 1515 internal_data = 1; 1516 break; 1517 } 1518 /* fourth the key bin material */ 1519 if (internal_data) { 1520 keybin = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, size, bin); 1521 LDNS_FREE(bin); 1522 ldns_rr_push_rdf(pubkey, keybin); 1523 } 1524 return pubkey; 1525 } 1526 1527 void 1528 ldns_key_free(ldns_key *key) 1529 { 1530 LDNS_FREE(key); 1531 } 1532 1533 void 1534 ldns_key_deep_free(ldns_key *key) 1535 { 1536 if (ldns_key_pubkey_owner(key)) { 1537 ldns_rdf_deep_free(ldns_key_pubkey_owner(key)); 1538 } 1539 #ifdef HAVE_SSL 1540 if (ldns_key_evp_key(key)) { 1541 EVP_PKEY_free(ldns_key_evp_key(key)); 1542 } 1543 #endif /* HAVE_SSL */ 1544 if (ldns_key_hmac_key(key)) { 1545 free(ldns_key_hmac_key(key)); 1546 } 1547 LDNS_FREE(key); 1548 } 1549 1550 void 1551 ldns_key_list_free(ldns_key_list *key_list) 1552 { 1553 size_t i; 1554 for (i = 0; i < ldns_key_list_key_count(key_list); i++) { 1555 ldns_key_deep_free(ldns_key_list_key(key_list, i)); 1556 } 1557 LDNS_FREE(key_list->_keys); 1558 LDNS_FREE(key_list); 1559 } 1560 1561 ldns_rr * 1562 ldns_read_anchor_file(const char *filename) 1563 { 1564 FILE *fp; 1565 /*char line[LDNS_MAX_PACKETLEN];*/ 1566 char *line = LDNS_XMALLOC(char, LDNS_MAX_PACKETLEN); 1567 int c; 1568 size_t i = 0; 1569 ldns_rr *r; 1570 ldns_status status; 1571 if(!line) { 1572 return NULL; 1573 } 1574 1575 fp = fopen(filename, "r"); 1576 if (!fp) { 1577 fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno)); 1578 LDNS_FREE(line); 1579 return NULL; 1580 } 1581 1582 while ((c = fgetc(fp)) && i+1 < LDNS_MAX_PACKETLEN && c != EOF) { 1583 line[i] = c; 1584 i++; 1585 } 1586 line[i] = '\0'; 1587 1588 fclose(fp); 1589 1590 if (i <= 0) { 1591 fprintf(stderr, "nothing read from %s", filename); 1592 LDNS_FREE(line); 1593 return NULL; 1594 } else { 1595 status = ldns_rr_new_frm_str(&r, line, 0, NULL, NULL); 1596 if (status == LDNS_STATUS_OK && (ldns_rr_get_type(r) == LDNS_RR_TYPE_DNSKEY || ldns_rr_get_type(r) == LDNS_RR_TYPE_DS)) { 1597 LDNS_FREE(line); 1598 return r; 1599 } else { 1600 fprintf(stderr, "Error creating DNSKEY or DS rr from %s: %s\n", filename, ldns_get_errorstr_by_id(status)); 1601 LDNS_FREE(line); 1602 return NULL; 1603 } 1604 } 1605 } 1606 1607 char * 1608 ldns_key_get_file_base_name(ldns_key *key) 1609 { 1610 ldns_buffer *buffer; 1611 char *file_base_name; 1612 1613 buffer = ldns_buffer_new(255); 1614 ldns_buffer_printf(buffer, "K"); 1615 (void)ldns_rdf2buffer_str_dname(buffer, ldns_key_pubkey_owner(key)); 1616 ldns_buffer_printf(buffer, 1617 "+%03u+%05u", 1618 ldns_key_algorithm(key), 1619 ldns_key_keytag(key)); 1620 file_base_name = strdup(ldns_buffer_export(buffer)); 1621 ldns_buffer_free(buffer); 1622 return file_base_name; 1623 } 1624 1625 int ldns_key_algo_supported(int algo) 1626 { 1627 ldns_lookup_table *lt = ldns_signing_algorithms; 1628 while(lt->name) { 1629 if(lt->id == algo) 1630 return 1; 1631 lt++; 1632 } 1633 return 0; 1634 } 1635 1636 ldns_signing_algorithm ldns_get_signing_algorithm_by_name(const char* name) 1637 { 1638 /* list of (signing algorithm id, alias_name) */ 1639 ldns_lookup_table aliases[] = { 1640 /* from bind dnssec-keygen */ 1641 {LDNS_SIGN_HMACMD5, "HMAC-MD5"}, 1642 {LDNS_SIGN_DSA_NSEC3, "NSEC3DSA"}, 1643 {LDNS_SIGN_RSASHA1_NSEC3, "NSEC3RSASHA1"}, 1644 /* old ldns usage, now RFC names */ 1645 {LDNS_SIGN_DSA_NSEC3, "DSA_NSEC3" }, 1646 {LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1_NSEC3" }, 1647 #ifdef USE_GOST 1648 {LDNS_SIGN_ECC_GOST, "GOST"}, 1649 #endif 1650 /* compat with possible output */ 1651 {LDNS_DH, "DH"}, 1652 {LDNS_ECC, "ECC"}, 1653 {LDNS_INDIRECT, "INDIRECT"}, 1654 {LDNS_PRIVATEDNS, "PRIVATEDNS"}, 1655 {LDNS_PRIVATEOID, "PRIVATEOID"}, 1656 {0, NULL}}; 1657 ldns_lookup_table* lt = ldns_signing_algorithms; 1658 while(lt->name) { 1659 if(strcasecmp(lt->name, name) == 0) 1660 return lt->id; 1661 lt++; 1662 } 1663 lt = aliases; 1664 while(lt->name) { 1665 if(strcasecmp(lt->name, name) == 0) 1666 return lt->id; 1667 lt++; 1668 } 1669 if(atoi(name) != 0) 1670 return atoi(name); 1671 return 0; 1672 } 1673