1 /** dnssec_verify */ 2 3 #ifndef LDNS_DNSSEC_SIGN_H 4 #define LDNS_DNSSEC_SIGN_H 5 6 #include <ldns/dnssec.h> 7 8 /* sign functions */ 9 10 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/ 11 #define LDNS_SIGN_DNSKEY_WITH_ZSK 1 12 13 /** 14 * Create an empty RRSIG RR (i.e. without the actual signature data) 15 * \param[in] rrset The RRset to create the signature for 16 * \param[in] key The key that will create the signature 17 * \return signature rr 18 */ 19 ldns_rr * 20 ldns_create_empty_rrsig(ldns_rr_list *rrset, 21 ldns_key *key); 22 23 /** 24 * Sign the buffer which contains the wiredata of an rrset, and the 25 * corresponding empty rrsig rr with the given key 26 * \param[in] sign_buf the buffer with data to sign 27 * \param[in] key the key to sign with 28 * \return an rdata field with the signature data 29 */ 30 ldns_rdf * 31 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key); 32 33 /** 34 * Sign an rrset 35 * \param[in] rrset the rrset 36 * \param[in] keys the keys to use 37 * \return a rr_list with the signatures 38 */ 39 ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys); 40 41 #ifdef HAVE_SSL 42 /** 43 * Sign a buffer with the DSA key (hash with SHA1) 44 * \param[in] to_sign buffer with the data 45 * \param[in] key the key to use 46 * \return a ldns_rdf with the signed data 47 */ 48 ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key); 49 50 /** 51 * Sign data with EVP (general method for different algorithms) 52 * 53 * \param[in] to_sign The ldns_buffer containing raw data that is 54 * to be signed 55 * \param[in] key The EVP_PKEY key structure to sign with 56 * \param[in] digest_type The digest algorithm to use in the creation of 57 * the signature 58 * \return ldns_rdf for the RRSIG ldns_rr 59 */ 60 ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign, 61 EVP_PKEY *key, 62 const EVP_MD *digest_type); 63 64 /** 65 * Sign a buffer with the RSA key (hash with SHA1) 66 * \param[in] to_sign buffer with the data 67 * \param[in] key the key to use 68 * \return a ldns_rdf with the signed data 69 */ 70 ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key); 71 72 /** 73 * Sign a buffer with the RSA key (hash with MD5) 74 * \param[in] to_sign buffer with the data 75 * \param[in] key the key to use 76 * \return a ldns_rdf with the signed data 77 */ 78 ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key); 79 #endif /* HAVE_SSL */ 80 81 /** 82 * Finds the first dnssec_name node in the rbtree that has not been marked 83 * as glue, starting at the given node 84 * 85 * \param[in] node the first node to check 86 * \return the first node that has not been marked as glue, or NULL 87 * if not found (TODO: make that LDNS_RBTREE_NULL?) 88 */ 89 ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node); 90 91 /** 92 * Adds NSEC records to the given dnssec_zone 93 * 94 * \param[in] zone the zone to add the records to 95 * \param[in] new_rrs ldns_rr's created by this function are 96 * added to this rr list, so the caller can free them later 97 * \return LDNS_STATUS_OK on success, an error code otherwise 98 */ 99 ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone, 100 ldns_rr_list *new_rrs); 101 102 /** 103 * Adds NSEC3 records to the zone 104 */ 105 ldns_status 106 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone, 107 ldns_rr_list *new_rrs, 108 uint8_t algorithm, 109 uint8_t flags, 110 uint16_t iterations, 111 uint8_t salt_length, 112 uint8_t *salt); 113 114 /** 115 * remove signatures if callback function tells to 116 * 117 * \param[in] signatures list of signatures to check, and 118 * possibly remove, depending on the value of the 119 * callback 120 * \param[in] key_list these are marked to be used or not, 121 * on the return value of the callback 122 * \param[in] func this function is called to specify what to 123 * do with each signature (and corresponding key) 124 * \param[in] arg Optional argument for the callback function 125 * \returns pointer to the new signatures rrs (the original 126 * passed to this function may have been removed) 127 */ 128 ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures, 129 ldns_key_list *key_list, 130 int (*func)(ldns_rr *, void *), 131 void *arg); 132 133 /** 134 * Adds signatures to the zone 135 * 136 * \param[in] zone the zone to add RRSIG Resource Records to 137 * \param[in] new_rrs the RRSIG RRs that are created are also 138 * added to this list, so the caller can free them 139 * later 140 * \param[in] key_list list of keys to sign with. 141 * \param[in] func Callback function to decide what keys to 142 * use and what to do with old signatures 143 * \param[in] arg Optional argument for the callback function 144 * \param[in] flags option flags for signing process. 0 makes DNSKEY 145 * RRset signed with the minimal key set, that is only SEP keys are used 146 * for signing. If there are no SEP keys available, non-SEP keys will 147 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all 148 * keys. 0 is the default. 149 * \return LDNS_STATUS_OK on success, error otherwise 150 */ 151 ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone, 152 ldns_rr_list *new_rrs, 153 ldns_key_list *key_list, 154 int (*func)(ldns_rr *, void*), 155 void *arg, 156 int flags); 157 158 /** 159 * Adds signatures to the zone 160 * 161 * \param[in] zone the zone to add RRSIG Resource Records to 162 * \param[in] new_rrs the RRSIG RRs that are created are also 163 * added to this list, so the caller can free them 164 * later 165 * \param[in] key_list list of keys to sign with. 166 * \param[in] func Callback function to decide what keys to 167 * use and what to do with old signatures 168 * \param[in] arg Optional argument for the callback function 169 * \return LDNS_STATUS_OK on success, error otherwise 170 */ 171 ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone, 172 ldns_rr_list *new_rrs, 173 ldns_key_list *key_list, 174 int (*func)(ldns_rr *, void*), 175 void *arg); 176 177 /** 178 * signs the given zone with the given keys 179 * 180 * \param[in] zone the zone to sign 181 * \param[in] key_list the list of keys to sign the zone with 182 * \param[in] new_rrs newly created resource records are added to this list, to free them later 183 * \param[in] func callback function that decides what to do with old signatures 184 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: 185 * LDNS_SIGNATURE_LEAVE_ADD_NEW: 186 * leave the signature and add a new one for the corresponding key 187 * LDNS_SIGNATURE_REMOVE_ADD_NEW: 188 * remove the signature and replace is with a new one from the same key 189 * LDNS_SIGNATURE_LEAVE_NO_ADD: 190 * leave the signature and do not add a new one with the corresponding key 191 * LDNS_SIGNATURE_REMOVE_NO_ADD: 192 * remove the signature and do not replace 193 * 194 * \param[in] arg optional argument for the callback function 195 * \param[in] flags option flags for signing process. 0 makes DNSKEY 196 * RRset signed with the minimal key set, that is only SEP keys are used 197 * for signing. If there are no SEP keys available, non-SEP keys will 198 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all 199 * keys. 0 is the default. 200 * \return LDNS_STATUS_OK on success, an error code otherwise 201 */ 202 ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone, 203 ldns_rr_list *new_rrs, 204 ldns_key_list *key_list, 205 int (*func)(ldns_rr *, void *), 206 void *arg, 207 int flags); 208 209 /** 210 * signs the given zone with the given new zone, with NSEC3 211 * 212 * \param[in] zone the zone to sign 213 * \param[in] key_list the list of keys to sign the zone with 214 * \param[in] new_rrs newly created resource records are added to this list, to free them later 215 * \param[in] func callback function that decides what to do with old signatures 216 * \param[in] arg optional argument for the callback function 217 * \param[in] algorithm the NSEC3 hashing algorithm to use 218 * \param[in] flags NSEC3 flags 219 * \param[in] iterations the number of NSEC3 hash iterations to use 220 * \param[in] salt_length the length (in octets) of the NSEC3 salt 221 * \param[in] salt the NSEC3 salt data 222 * \param[in] signflags option flags for signing process. 0 is the default. 223 * \return LDNS_STATUS_OK on success, an error code otherwise 224 */ 225 ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone, 226 ldns_rr_list *new_rrs, 227 ldns_key_list *key_list, 228 int (*func)(ldns_rr *, void *), 229 void *arg, 230 uint8_t algorithm, 231 uint8_t flags, 232 uint16_t iterations, 233 uint8_t salt_length, 234 uint8_t *salt, 235 int signflags); 236 237 /** 238 * signs the given zone with the given keys 239 * 240 * \param[in] zone the zone to sign 241 * \param[in] key_list the list of keys to sign the zone with 242 * \param[in] new_rrs newly created resource records are added to this list, to free them later 243 * \param[in] func callback function that decides what to do with old signatures 244 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: 245 * LDNS_SIGNATURE_LEAVE_ADD_NEW: 246 * leave the signature and add a new one for the corresponding key 247 * LDNS_SIGNATURE_REMOVE_ADD_NEW: 248 * remove the signature and replace is with a new one from the same key 249 * LDNS_SIGNATURE_LEAVE_NO_ADD: 250 * leave the signature and do not add a new one with the corresponding key 251 * LDNS_SIGNATURE_REMOVE_NO_ADD: 252 * remove the signature and do not replace 253 * 254 * \param[in] arg optional argument for the callback function 255 * \return LDNS_STATUS_OK on success, an error code otherwise 256 */ 257 ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone, 258 ldns_rr_list *new_rrs, 259 ldns_key_list *key_list, 260 int (*func)(ldns_rr *, void *), 261 void *arg); 262 263 /** 264 * signs the given zone with the given new zone, with NSEC3 265 * 266 * \param[in] zone the zone to sign 267 * \param[in] key_list the list of keys to sign the zone with 268 * \param[in] new_rrs newly created resource records are added to this list, to free them later 269 * \param[in] func callback function that decides what to do with old signatures 270 * \param[in] arg optional argument for the callback function 271 * \param[in] algorithm the NSEC3 hashing algorithm to use 272 * \param[in] flags NSEC3 flags 273 * \param[in] iterations the number of NSEC3 hash iterations to use 274 * \param[in] salt_length the length (in octets) of the NSEC3 salt 275 * \param[in] salt the NSEC3 salt data 276 * \return LDNS_STATUS_OK on success, an error code otherwise 277 */ 278 ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone, 279 ldns_rr_list *new_rrs, 280 ldns_key_list *key_list, 281 int (*func)(ldns_rr *, void *), 282 void *arg, 283 uint8_t algorithm, 284 uint8_t flags, 285 uint16_t iterations, 286 uint8_t salt_length, 287 uint8_t *salt); 288 289 /** 290 * Signs the zone, and returns a newly allocated signed zone 291 * \param[in] zone the zone to sign 292 * \param[in] key_list list of keys to sign with 293 * \return signed zone 294 */ 295 ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list); 296 297 /** 298 * Signs the zone with NSEC3, and returns a newly allocated signed zone 299 * \param[in] zone the zone to sign 300 * \param[in] key_list list of keys to sign with 301 * \param[in] algorithm the NSEC3 hashing algorithm to use 302 * \param[in] flags NSEC3 flags 303 * \param[in] iterations the number of NSEC3 hash iterations to use 304 * \param[in] salt_length the length (in octets) of the NSEC3 salt 305 * \param[in] salt the NSEC3 salt data 306 * \return signed zone 307 */ 308 ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt); 309 310 311 312 #endif 313