dnssec_sign.h revision 266114 
1/** dnssec_verify */
2
3#ifndef LDNS_DNSSEC_SIGN_H
4#define LDNS_DNSSEC_SIGN_H
5
6#include <ldns/dnssec.h>
7
8#ifdef __cplusplus
9extern "C" {
10#endif
11
12/* sign functions */
13
14/** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/
15#define LDNS_SIGN_DNSKEY_WITH_ZSK 1
16
17/**
18 * Create an empty RRSIG RR (i.e. without the actual signature data)
19 * \param[in] rrset The RRset to create the signature for
20 * \param[in] key The key that will create the signature
21 * \return signature rr
22 */
23ldns_rr *
24ldns_create_empty_rrsig(ldns_rr_list *rrset,
25                        ldns_key *key);
26
27/**
28 * Sign the buffer which contains the wiredata of an rrset, and the
29 * corresponding empty rrsig rr with the given key
30 * \param[in] sign_buf the buffer with data to sign
31 * \param[in] key the key to sign with
32 * \return an rdata field with the signature data
33 */
34ldns_rdf *
35ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key);
36
37/**
38 * Sign an rrset
39 * \param[in] rrset the rrset
40 * \param[in] keys the keys to use
41 * \return a rr_list with the signatures
42 */
43ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys);
44
45#if LDNS_BUILD_CONFIG_HAVE_SSL
46/**
47 * Sign a buffer with the DSA key (hash with SHA1)
48 * \param[in] to_sign buffer with the data
49 * \param[in] key the key to use
50 * \return a ldns_rdf with the signed data
51 */
52ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key);
53
54/**
55 * Sign data with EVP (general method for different algorithms)
56 *
57 * \param[in] to_sign The ldns_buffer containing raw data that is
58 *                    to be signed
59 * \param[in] key The EVP_PKEY key structure to sign with
60 * \param[in] digest_type The digest algorithm to use in the creation of
61 *                        the signature
62 * \return ldns_rdf for the RRSIG ldns_rr
63 */
64ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign,
65						 EVP_PKEY *key,
66						 const EVP_MD *digest_type);
67
68/**
69 * Sign a buffer with the RSA key (hash with SHA1)
70 * \param[in] to_sign buffer with the data
71 * \param[in] key the key to use
72 * \return a ldns_rdf with the signed data
73 */
74ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key);
75
76/**
77 * Sign a buffer with the RSA key (hash with MD5)
78 * \param[in] to_sign buffer with the data
79 * \param[in] key the key to use
80 * \return a ldns_rdf with the signed data
81 */
82ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key);
83#endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
84
85/**
86 * Marks the names in the zone that are occluded. Those names will be skipped
87 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
88 * function. But watch out! Names that are partially occluded (like glue with
89 * the same name as the delegation) will not be marked and should specifically
90 * be taken into account separately.
91 *
92 * When glue_list is given (not NULL), in the process of marking the names, all
93 * glue resource records will be pushed to that list, even glue at the delegation name.
94 *
95 * \param[in] zone the zone in which to mark the names
96 * \param[in] glue_list the list to which to push the glue rrs
97 * \return LDNS_STATUS_OK on success, an error code otherwise
98 */
99ldns_status
100ldns_dnssec_zone_mark_and_get_glue(
101		ldns_dnssec_zone *zone, ldns_rr_list *glue_list);
102
103/**
104 * Marks the names in the zone that are occluded. Those names will be skipped
105 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
106 * function. But watch out! Names that are partially occluded (like glue with
107 * the same name as the delegation) will not be marked and should specifically
108 * be taken into account separately.
109 *
110 * \param[in] zone the zone in which to mark the names
111 * \return LDNS_STATUS_OK on succesful completion
112 */
113ldns_status
114ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone);
115
116/**
117 * Finds the first dnssec_name node in the rbtree that is not occluded.
118 * It *does* return names that are partially occluded.
119 *
120 * \param[in] node the first node to check
121 * \return the first node that has not been marked as glue, or NULL
122 * if not found (TODO: make that LDNS_RBTREE_NULL?)
123 */
124ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node);
125
126/**
127 * Adds NSEC records to the given dnssec_zone
128 *
129 * \param[in] zone the zone to add the records to
130 * \param[in] new_rrs ldns_rr's created by this function are
131 *            added to this rr list, so the caller can free them later
132 * \return LDNS_STATUS_OK on success, an error code otherwise
133 */
134ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
135								  ldns_rr_list *new_rrs);
136
137/**
138 * Adds NSEC3 records to the zone
139 */
140ldns_status
141ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
142						 ldns_rr_list *new_rrs,
143						 uint8_t algorithm,
144						 uint8_t flags,
145						 uint16_t iterations,
146						 uint8_t salt_length,
147						 uint8_t *salt);
148
149/**
150 * remove signatures if callback function tells to
151 *
152 * \param[in] signatures list of signatures to check, and
153 *            possibly remove, depending on the value of the
154 *            callback
155 * \param[in] key_list these are marked to be used or not,
156 *            on the return value of the callback
157 * \param[in] func this function is called to specify what to
158 *            do with each signature (and corresponding key)
159 * \param[in] arg Optional argument for the callback function
160 * \returns pointer to the new signatures rrs (the original
161 *          passed to this function may have been removed)
162 */
163ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
164									  ldns_key_list *key_list,
165									  int (*func)(ldns_rr *, void *),
166									  void *arg);
167
168/**
169 * Adds signatures to the zone
170 *
171 * \param[in] zone the zone to add RRSIG Resource Records to
172 * \param[in] new_rrs the RRSIG RRs that are created are also
173 *            added to this list, so the caller can free them
174 *            later
175 * \param[in] key_list list of keys to sign with.
176 * \param[in] func Callback function to decide what keys to
177 *            use and what to do with old signatures
178 * \param[in] arg Optional argument for the callback function
179 * \param[in] flags option flags for signing process. 0 makes DNSKEY
180 * RRset signed with the minimal key set, that is only SEP keys are used
181 * for signing. If there are no SEP keys available, non-SEP keys will
182 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
183 * keys. 0 is the default.
184 * \return LDNS_STATUS_OK on success, error otherwise
185 */
186ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
187					ldns_rr_list *new_rrs,
188					ldns_key_list *key_list,
189					int (*func)(ldns_rr *, void*),
190					void *arg,
191					int flags);
192
193/**
194 * Adds signatures to the zone
195 *
196 * \param[in] zone the zone to add RRSIG Resource Records to
197 * \param[in] new_rrs the RRSIG RRs that are created are also
198 *            added to this list, so the caller can free them
199 *            later
200 * \param[in] key_list list of keys to sign with.
201 * \param[in] func Callback function to decide what keys to
202 *            use and what to do with old signatures
203 * \param[in] arg Optional argument for the callback function
204 * \return LDNS_STATUS_OK on success, error otherwise
205 */
206ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
207								   ldns_rr_list *new_rrs,
208								   ldns_key_list *key_list,
209								   int (*func)(ldns_rr *, void*),
210								   void *arg);
211
212/**
213 * signs the given zone with the given keys
214 *
215 * \param[in] zone the zone to sign
216 * \param[in] key_list the list of keys to sign the zone with
217 * \param[in] new_rrs newly created resource records are added to this list, to free them later
218 * \param[in] func callback function that decides what to do with old signatures
219 *            This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
220 * LDNS_SIGNATURE_LEAVE_ADD_NEW:
221 * leave the signature and add a new one for the corresponding key
222 * LDNS_SIGNATURE_REMOVE_ADD_NEW:
223 * remove the signature and replace is with a new one from the same key
224 * LDNS_SIGNATURE_LEAVE_NO_ADD:
225 * leave the signature and do not add a new one with the corresponding key
226 * LDNS_SIGNATURE_REMOVE_NO_ADD:
227 * remove the signature and do not replace
228 *
229 * \param[in] arg optional argument for the callback function
230 * \param[in] flags option flags for signing process. 0 makes DNSKEY
231 * RRset signed with the minimal key set, that is only SEP keys are used
232 * for signing. If there are no SEP keys available, non-SEP keys will
233 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
234 * keys. 0 is the default.
235 * \return LDNS_STATUS_OK on success, an error code otherwise
236 */
237ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
238					ldns_rr_list *new_rrs,
239					ldns_key_list *key_list,
240					int (*func)(ldns_rr *, void *),
241					void *arg,
242					int flags);
243
244/**
245 * signs the given zone with the given new zone, with NSEC3
246 *
247 * \param[in] zone the zone to sign
248 * \param[in] key_list the list of keys to sign the zone with
249 * \param[in] new_rrs newly created resource records are added to this list, to free them later
250 * \param[in] func callback function that decides what to do with old signatures
251 * \param[in] arg optional argument for the callback function
252 * \param[in] algorithm the NSEC3 hashing algorithm to use
253 * \param[in] flags NSEC3 flags
254 * \param[in] iterations the number of NSEC3 hash iterations to use
255 * \param[in] salt_length the length (in octets) of the NSEC3 salt
256 * \param[in] salt the NSEC3 salt data
257 * \param[in] signflags option flags for signing process. 0 is the default.
258 * \return LDNS_STATUS_OK on success, an error code otherwise
259 */
260ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
261				ldns_rr_list *new_rrs,
262				ldns_key_list *key_list,
263				int (*func)(ldns_rr *, void *),
264				void *arg,
265				uint8_t algorithm,
266				uint8_t flags,
267				uint16_t iterations,
268				uint8_t salt_length,
269				uint8_t *salt,
270				int signflags);
271
272/**
273 * signs the given zone with the given new zone, with NSEC3
274 *
275 * \param[in] zone the zone to sign
276 * \param[in] key_list the list of keys to sign the zone with
277 * \param[in] new_rrs newly created resource records are added to this list, to free them later
278 * \param[in] func callback function that decides what to do with old signatures
279 * \param[in] arg optional argument for the callback function
280 * \param[in] algorithm the NSEC3 hashing algorithm to use
281 * \param[in] flags NSEC3 flags
282 * \param[in] iterations the number of NSEC3 hash iterations to use
283 * \param[in] salt_length the length (in octets) of the NSEC3 salt
284 * \param[in] salt the NSEC3 salt data
285 * \param[in] signflags option flags for signing process. 0 is the default.
286 * \param[out] map a referenced rbtree pointer variable. The newly created
287 *                 rbtree will contain mappings from hashed owner names to the
288 *                 unhashed name.
289 * \return LDNS_STATUS_OK on success, an error code otherwise
290 */
291ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
292				ldns_rr_list *new_rrs,
293				ldns_key_list *key_list,
294				int (*func)(ldns_rr *, void *),
295				void *arg,
296				uint8_t algorithm,
297				uint8_t flags,
298				uint16_t iterations,
299				uint8_t salt_length,
300				uint8_t *salt,
301				int signflags,
302				ldns_rbtree_t **map
303				);
304
305
306/**
307 * signs the given zone with the given keys
308 *
309 * \param[in] zone the zone to sign
310 * \param[in] key_list the list of keys to sign the zone with
311 * \param[in] new_rrs newly created resource records are added to this list, to free them later
312 * \param[in] func callback function that decides what to do with old signatures
313 *            This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
314 * LDNS_SIGNATURE_LEAVE_ADD_NEW:
315 * leave the signature and add a new one for the corresponding key
316 * LDNS_SIGNATURE_REMOVE_ADD_NEW:
317 * remove the signature and replace is with a new one from the same key
318 * LDNS_SIGNATURE_LEAVE_NO_ADD:
319 * leave the signature and do not add a new one with the corresponding key
320 * LDNS_SIGNATURE_REMOVE_NO_ADD:
321 * remove the signature and do not replace
322 *
323 * \param[in] arg optional argument for the callback function
324 * \return LDNS_STATUS_OK on success, an error code otherwise
325 */
326ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
327						    ldns_rr_list *new_rrs,
328						    ldns_key_list *key_list,
329						    int (*func)(ldns_rr *, void *),
330						    void *arg);
331
332/**
333 * signs the given zone with the given new zone, with NSEC3
334 *
335 * \param[in] zone the zone to sign
336 * \param[in] key_list the list of keys to sign the zone with
337 * \param[in] new_rrs newly created resource records are added to this list, to free them later
338 * \param[in] func callback function that decides what to do with old signatures
339 * \param[in] arg optional argument for the callback function
340 * \param[in] algorithm the NSEC3 hashing algorithm to use
341 * \param[in] flags NSEC3 flags
342 * \param[in] iterations the number of NSEC3 hash iterations to use
343 * \param[in] salt_length the length (in octets) of the NSEC3 salt
344 * \param[in] salt the NSEC3 salt data
345 * \return LDNS_STATUS_OK on success, an error code otherwise
346 */
347ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
348								ldns_rr_list *new_rrs,
349								ldns_key_list *key_list,
350								int (*func)(ldns_rr *, void *),
351								void *arg,
352								uint8_t algorithm,
353								uint8_t flags,
354								uint16_t iterations,
355								uint8_t salt_length,
356								uint8_t *salt);
357
358/**
359 * Signs the zone, and returns a newly allocated signed zone
360 * \param[in] zone the zone to sign
361 * \param[in] key_list list of keys to sign with
362 * \return signed zone
363 */
364ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list);
365
366/**
367 * Signs the zone with NSEC3, and returns a newly allocated signed zone
368 * \param[in] zone the zone to sign
369 * \param[in] key_list list of keys to sign with
370 * \param[in] algorithm the NSEC3 hashing algorithm to use
371 * \param[in] flags NSEC3 flags
372 * \param[in] iterations the number of NSEC3 hash iterations to use
373 * \param[in] salt_length the length (in octets) of the NSEC3 salt
374 * \param[in] salt the NSEC3 salt data
375 * \return signed zone
376 */
377ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt);
378
379#ifdef __cplusplus
380}
381#endif
382
383#endif
384