2 * keys.c handle private keys for use in DNSSEC
4 * This module should hide some of the openSSL complexities
5 * and give a general interface for private keys and hmac
8 * (c) NLnet Labs, 2004-2006
10 * See the file LICENSE for the license
13 #include <ldns/config.h>
15 #include <ldns/ldns.h>
18 #include <openssl/ssl.h>
19 #include <openssl/engine.h>
20 #include <openssl/rand.h>
23 ldns_lookup_table ldns_signing_algorithms[] = {
24 { LDNS_SIGN_RSAMD5, "RSAMD5" },
25 { LDNS_SIGN_RSASHA1, "RSASHA1" },
26 { LDNS_SIGN_RSASHA1_NSEC3, "RSASHA1_NSEC3" },
28 { LDNS_SIGN_RSASHA256, "RSASHA256" },
29 { LDNS_SIGN_RSASHA512, "RSASHA512" },
32 { LDNS_SIGN_GOST, "GOST" },
34 { LDNS_SIGN_DSA, "DSA" },
35 { LDNS_SIGN_DSA_NSEC3, "DSA_NSEC3" },
36 { LDNS_SIGN_HMACMD5, "hmac-md5.sig-alg.reg.int" },
37 { LDNS_SIGN_HMACSHA1, "hmac-sha1" },
38 { LDNS_SIGN_HMACSHA256, "hmac-sha256" },
45 ldns_key_list *key_list = LDNS_MALLOC(ldns_key_list);
49 key_list->_key_count = 0;
50 key_list->_keys = NULL;
60 newkey = LDNS_MALLOC(ldns_key);
64 /* some defaults - not sure wether to do this */
65 ldns_key_set_use(newkey, true);
66 ldns_key_set_flags(newkey, LDNS_KEY_ZONE_KEY);
67 ldns_key_set_origttl(newkey, 0);
68 ldns_key_set_keytag(newkey, 0);
69 ldns_key_set_inception(newkey, 0);
70 ldns_key_set_expiration(newkey, 0);
71 ldns_key_set_pubkey_owner(newkey, NULL);
73 ldns_key_set_evp_key(newkey, NULL);
75 ldns_key_set_hmac_key(newkey, NULL);
76 ldns_key_set_external_key(newkey, NULL);
82 ldns_key_new_frm_fp(ldns_key **k, FILE *fp)
84 return ldns_key_new_frm_fp_l(k, fp, NULL);
89 ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm alg)
94 k->_key.key = ENGINE_load_private_key(e, key_id, UI_OpenSSL(), NULL);
95 ldns_key_set_algorithm(k, (ldns_signing_algorithm) alg);
97 return LDNS_STATUS_ENGINE_KEY_NOT_LOADED;
100 return LDNS_STATUS_OK;
107 ldns_key_EVP_load_gost_id(void)
109 static int gost_id = 0;
110 const EVP_PKEY_ASN1_METHOD* meth;
113 if(gost_id) return gost_id;
115 /* see if configuration loaded gost implementation from other engine*/
116 meth = EVP_PKEY_asn1_find_str(NULL, "gost2001", -1);
118 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
122 /* see if engine can be loaded already */
123 e = ENGINE_by_id("gost");
125 /* load it ourself, in case statically linked */
126 ENGINE_load_builtin_engines();
127 ENGINE_load_dynamic();
128 e = ENGINE_by_id("gost");
131 /* no gost engine in openssl */
134 if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
140 meth = EVP_PKEY_asn1_find_str(&e, "gost2001", -1);
148 EVP_PKEY_asn1_get0_info(&gost_id, NULL, NULL, NULL, NULL, meth);
152 /** read GOST private key */
154 ldns_key_new_frm_fp_gost_l(FILE* fp, int* line_nr)
157 const unsigned char* pp;
160 ldns_rdf* b64rdf = NULL;
162 gost_id = ldns_key_EVP_load_gost_id();
166 if (ldns_fget_keyword_data_l(fp, "GostAsn1", ": ", token, "\n",
167 sizeof(token), line_nr) == -1)
169 while(strlen(token) < 96) {
170 /* read more b64 from the file, b64 split on multiple lines */
171 if(ldns_fget_token_l(fp, token+strlen(token), "\n",
172 sizeof(token)-strlen(token), line_nr) == -1)
175 if(ldns_str2rdf_b64(&b64rdf, token) != LDNS_STATUS_OK)
177 pp = (unsigned char*)ldns_rdf_data(b64rdf);
178 pkey = d2i_PrivateKey(gost_id, NULL, &pp, ldns_rdf_size(b64rdf));
179 ldns_rdf_deep_free(b64rdf);
185 ldns_key_new_frm_fp_l(ldns_key **key, FILE *fp, int *line_nr)
189 ldns_signing_algorithm alg;
196 #endif /* HAVE_SSL */
200 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
202 return LDNS_STATUS_MEM_ERR;
207 /* the file is highly structured. Do this in sequence */
209 * Private-key-format: v1.2
213 /* get the key format version number */
214 if (ldns_fget_keyword_data_l(fp, "Private-key-format", ": ", d, "\n",
215 LDNS_MAX_LINELEN, line_nr) == -1) {
216 /* no version information */
217 return LDNS_STATUS_SYNTAX_ERR;
219 if (strncmp(d, "v1.2", strlen(d)) != 0) {
220 return LDNS_STATUS_SYNTAX_VERSION_ERR;
223 /* get the algorithm type, our file function strip ( ) so there are
224 * not in the return string! */
225 if (ldns_fget_keyword_data_l(fp, "Algorithm", ": ", d, "\n",
226 LDNS_MAX_LINELEN, line_nr) == -1) {
227 /* no alg information */
228 return LDNS_STATUS_SYNTAX_ALG_ERR;
231 if (strncmp(d, "1 RSA", 2) == 0) {
232 alg = LDNS_SIGN_RSAMD5;
234 if (strncmp(d, "2 DH", 2) == 0) {
235 alg = (ldns_signing_algorithm)LDNS_DH;
237 if (strncmp(d, "3 DSA", 2) == 0) {
240 if (strncmp(d, "4 ECC", 2) == 0) {
241 alg = (ldns_signing_algorithm)LDNS_ECC;
243 if (strncmp(d, "5 RSASHA1", 2) == 0) {
244 alg = LDNS_SIGN_RSASHA1;
246 if (strncmp(d, "6 DSA", 2) == 0) {
247 alg = LDNS_SIGN_DSA_NSEC3;
249 if (strncmp(d, "7 RSASHA1", 2) == 0) {
250 alg = LDNS_SIGN_RSASHA1_NSEC3;
253 if (strncmp(d, "8 RSASHA256", 2) == 0) {
255 alg = LDNS_SIGN_RSASHA256;
257 fprintf(stderr, "Warning: SHA256 not compiled into this ");
258 fprintf(stderr, "version of ldns\n");
261 if (strncmp(d, "10 RSASHA512", 3) == 0) {
263 alg = LDNS_SIGN_RSASHA512;
265 fprintf(stderr, "Warning: SHA512 not compiled into this ");
266 fprintf(stderr, "version of ldns\n");
269 if (strncmp(d, "249 GOST", 4) == 0) {
271 alg = LDNS_SIGN_GOST;
273 fprintf(stderr, "Warning: GOST not compiled into this ");
274 fprintf(stderr, "version of ldns\n");
277 if (strncmp(d, "157 HMAC-MD5", 4) == 0) {
278 alg = LDNS_SIGN_HMACMD5;
280 if (strncmp(d, "158 HMAC-SHA1", 4) == 0) {
281 alg = LDNS_SIGN_HMACSHA1;
283 if (strncmp(d, "159 HMAC-SHA256", 4) == 0) {
284 alg = LDNS_SIGN_HMACSHA256;
290 case LDNS_SIGN_RSAMD5:
291 case LDNS_SIGN_RSASHA1:
292 case LDNS_RSASHA1_NSEC3:
294 case LDNS_SIGN_RSASHA256:
295 case LDNS_SIGN_RSASHA512:
297 ldns_key_set_algorithm(k, alg);
299 rsa = ldns_key_new_frm_fp_rsa_l(fp, line_nr);
302 return LDNS_STATUS_ERR;
304 ldns_key_set_rsa_key(k, rsa);
306 #endif /* HAVE_SSL */
310 ldns_key_set_algorithm(k, alg);
312 dsa = ldns_key_new_frm_fp_dsa_l(fp, line_nr);
315 return LDNS_STATUS_ERR;
317 ldns_key_set_dsa_key(k, dsa);
319 #endif /* HAVE_SSL */
321 case LDNS_SIGN_HMACMD5:
322 case LDNS_SIGN_HMACSHA1:
323 case LDNS_SIGN_HMACSHA256:
324 ldns_key_set_algorithm(k, alg);
326 hmac = ldns_key_new_frm_fp_hmac_l(fp, line_nr, &hmac_size);
329 return LDNS_STATUS_ERR;
331 ldns_key_set_hmac_size(k, hmac_size);
332 ldns_key_set_hmac_key(k, hmac);
333 #endif /* HAVE_SSL */
336 ldns_key_set_algorithm(k, alg);
337 #if defined(HAVE_SSL) && defined(USE_GOST)
338 ldns_key_set_evp_key(k,
339 ldns_key_new_frm_fp_gost_l(fp, line_nr));
342 return LDNS_STATUS_ERR;
348 return LDNS_STATUS_SYNTAX_ALG_ERR;
351 key_rr = ldns_key2rr(k);
352 ldns_key_set_keytag(k, ldns_calc_keytag(key_rr));
353 ldns_rr_free(key_rr);
357 return LDNS_STATUS_OK;
359 return LDNS_STATUS_ERR;
364 ldns_key_new_frm_fp_rsa(FILE *f)
366 return ldns_key_new_frm_fp_rsa_l(f, NULL);
370 ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr)
386 * BIGNUM *n; // public modulus
387 * BIGNUM *e; // public exponent
388 * BIGNUM *d; // private exponent
389 * BIGNUM *p; // secret prime factor
390 * BIGNUM *q; // secret prime factor
391 * BIGNUM *dmp1; // d mod (p-1)
392 * BIGNUM *dmq1; // d mod (q-1)
393 * BIGNUM *iqmp; // q^-1 mod p
402 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
403 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN);
405 if (!d || !rsa || !buf) {
409 /* I could use functions again, but that seems an overkill,
410 * allthough this also looks tedious
413 /* Modules, rsa->n */
414 if (ldns_fget_keyword_data_l(f, "Modulus", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
417 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
418 rsa->n = BN_bin2bn((const char unsigned*)buf, i, NULL);
423 /* PublicExponent, rsa->e */
424 if (ldns_fget_keyword_data_l(f, "PublicExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
427 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
428 rsa->e = BN_bin2bn((const char unsigned*)buf, i, NULL);
433 /* PrivateExponent, rsa->d */
434 if (ldns_fget_keyword_data_l(f, "PrivateExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
437 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
438 rsa->d = BN_bin2bn((const char unsigned*)buf, i, NULL);
444 if (ldns_fget_keyword_data_l(f, "Prime1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
447 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
448 rsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL);
454 if (ldns_fget_keyword_data_l(f, "Prime2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
457 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
458 rsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL);
463 /* Exponent1, rsa->dmp1 */
464 if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
467 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
468 rsa->dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL);
473 /* Exponent2, rsa->dmq1 */
474 if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
477 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
478 rsa->dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL);
483 /* Coefficient, rsa->iqmp */
484 if (ldns_fget_keyword_data_l(f, "Coefficient", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
487 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
488 rsa->iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL);
505 ldns_key_new_frm_fp_dsa(FILE *f)
507 return ldns_key_new_frm_fp_dsa_l(f, NULL);
511 ldns_key_new_frm_fp_dsa_l(FILE *f, int *line_nr)
520 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
521 buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN);
527 /* the line parser removes the () from the input... */
530 if (ldns_fget_keyword_data_l(f, "Primep", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
533 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
534 dsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL);
539 /* Subprime, dsa->q */
540 if (ldns_fget_keyword_data_l(f, "Subprimeq", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
543 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
544 dsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL);
550 if (ldns_fget_keyword_data_l(f, "Baseg", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
553 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
554 dsa->g = BN_bin2bn((const char unsigned*)buf, i, NULL);
559 /* Private key, dsa->priv_key */
560 if (ldns_fget_keyword_data_l(f, "Private_valuex", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
563 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
564 dsa->priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL);
565 if (!dsa->priv_key) {
569 /* Public key, dsa->priv_key */
570 if (ldns_fget_keyword_data_l(f, "Public_valuey", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
573 i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d)));
574 dsa->pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL);
591 ldns_key_new_frm_fp_hmac(FILE *f, size_t *hmac_size)
593 return ldns_key_new_frm_fp_hmac_l(f, NULL, hmac_size);
597 ldns_key_new_frm_fp_hmac_l(FILE *f, int *line_nr, size_t *hmac_size)
605 d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN);
606 buf = LDNS_XMALLOC(unsigned char, LDNS_MAX_LINELEN);
608 if (ldns_fget_keyword_data_l(f, "Key", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) {
611 i = (size_t) ldns_b64_pton((const char*)d,
613 ldns_b64_ntop_calculate_size(strlen(d)));
624 #endif /* HAVE_SSL */
628 ldns_gen_gost_key(void)
632 int gost_id = ldns_key_EVP_load_gost_id();
635 ctx = EVP_PKEY_CTX_new_id(gost_id, NULL);
637 /* the id should be available now */
640 if(EVP_PKEY_CTX_ctrl_str(ctx, "paramset", "A") <= 0) {
641 /* cannot set paramset */
642 EVP_PKEY_CTX_free(ctx);
646 if(EVP_PKEY_keygen_init(ctx) <= 0) {
647 EVP_PKEY_CTX_free(ctx);
650 if(EVP_PKEY_keygen(ctx, &p) <= 0) {
652 EVP_PKEY_CTX_free(ctx);
655 EVP_PKEY_CTX_free(ctx);
661 ldns_key_new_frm_algorithm(ldns_signing_algorithm alg, uint16_t size)
678 case LDNS_SIGN_RSAMD5:
679 case LDNS_SIGN_RSASHA1:
680 case LDNS_SIGN_RSASHA1_NSEC3:
681 case LDNS_SIGN_RSASHA256:
682 case LDNS_SIGN_RSASHA512:
684 r = RSA_generate_key((int)size, RSA_F4, NULL, NULL);
685 if (RSA_check_key(r) != 1) {
689 ldns_key_set_rsa_key(k, r);
690 #endif /* HAVE_SSL */
693 case LDNS_SIGN_DSA_NSEC3:
695 d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL);
699 if (DSA_generate_key(d) != 1) {
702 ldns_key_set_dsa_key(k, d);
703 #endif /* HAVE_SSL */
705 case LDNS_SIGN_HMACMD5:
706 case LDNS_SIGN_HMACSHA1:
707 case LDNS_SIGN_HMACSHA256:
710 #endif /* HAVE_SSL */
712 ldns_key_set_hmac_size(k, size);
714 hmac = LDNS_XMALLOC(unsigned char, size);
716 if (RAND_bytes(hmac, (int) size) != 1) {
722 while (offset + sizeof(i) < size) {
724 memcpy(&hmac[offset], &i, sizeof(i));
729 memcpy(&hmac[offset], &i, size - offset);
731 #endif /* HAVE_SSL */
732 ldns_key_set_hmac_key(k, hmac);
734 ldns_key_set_flags(k, 0);
737 #if defined(HAVE_SSL) && defined(USE_GOST)
738 ldns_key_set_evp_key(k, ldns_gen_gost_key());
739 #endif /* HAVE_SSL and USE_GOST */
742 ldns_key_set_algorithm(k, alg);
747 ldns_key_print(FILE *output, const ldns_key *k)
749 char *str = ldns_key2str(k);
751 fprintf(output, "%s", str);
753 fprintf(output, "Unable to convert private key to string\n");
760 ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l)
766 ldns_key_set_flags(ldns_key *k, uint16_t f)
768 k->_extra.dnssec.flags = f;
773 ldns_key_set_evp_key(ldns_key *k, EVP_PKEY *e)
779 ldns_key_set_rsa_key(ldns_key *k, RSA *r)
781 EVP_PKEY *key = EVP_PKEY_new();
782 EVP_PKEY_set1_RSA(key, r);
787 ldns_key_set_dsa_key(ldns_key *k, DSA *d)
789 EVP_PKEY *key = EVP_PKEY_new();
790 EVP_PKEY_set1_DSA(key, d);
793 #endif /* HAVE_SSL */
796 ldns_key_set_hmac_key(ldns_key *k, unsigned char *hmac)
798 k->_key.hmac.key = hmac;
802 ldns_key_set_hmac_size(ldns_key *k, size_t hmac_size)
804 k->_key.hmac.size = hmac_size;
808 ldns_key_set_external_key(ldns_key *k, void *external_key)
810 k->_key.external_key = external_key;
814 ldns_key_set_origttl(ldns_key *k, uint32_t t)
816 k->_extra.dnssec.orig_ttl = t;
820 ldns_key_set_inception(ldns_key *k, uint32_t i)
822 k->_extra.dnssec.inception = i;
826 ldns_key_set_expiration(ldns_key *k, uint32_t e)
828 k->_extra.dnssec.expiration = e;
832 ldns_key_set_pubkey_owner(ldns_key *k, ldns_rdf *r)
834 k->_pubkey_owner = r;
838 ldns_key_set_keytag(ldns_key *k, uint16_t tag)
840 k->_extra.dnssec.keytag = tag;
845 ldns_key_list_key_count(const ldns_key_list *key_list)
847 return key_list->_key_count;
851 ldns_key_list_key(const ldns_key_list *key, size_t nr)
853 if (nr < ldns_key_list_key_count(key)) {
854 return key->_keys[nr];
860 ldns_signing_algorithm
861 ldns_key_algorithm(const ldns_key *k)
867 ldns_key_set_use(ldns_key *k, bool v)
875 ldns_key_use(const ldns_key *k)
885 ldns_key_evp_key(const ldns_key *k)
891 ldns_key_rsa_key(const ldns_key *k)
894 return EVP_PKEY_get1_RSA(k->_key.key);
901 ldns_key_dsa_key(const ldns_key *k)
904 return EVP_PKEY_get1_DSA(k->_key.key);
909 #endif /* HAVE_SSL */
912 ldns_key_hmac_key(const ldns_key *k)
914 if (k->_key.hmac.key) {
915 return k->_key.hmac.key;
922 ldns_key_hmac_size(const ldns_key *k)
924 if (k->_key.hmac.size) {
925 return k->_key.hmac.size;
932 ldns_key_external_key(const ldns_key *k)
934 return k->_key.external_key;
938 ldns_key_origttl(const ldns_key *k)
940 return k->_extra.dnssec.orig_ttl;
944 ldns_key_flags(const ldns_key *k)
946 return k->_extra.dnssec.flags;
950 ldns_key_inception(const ldns_key *k)
952 return k->_extra.dnssec.inception;
956 ldns_key_expiration(const ldns_key *k)
958 return k->_extra.dnssec.expiration;
962 ldns_key_keytag(const ldns_key *k)
964 return k->_extra.dnssec.keytag;
968 ldns_key_pubkey_owner(const ldns_key *k)
970 return k->_pubkey_owner;
975 ldns_key_list_set_use(ldns_key_list *keys, bool v)
979 for (i = 0; i < ldns_key_list_key_count(keys); i++) {
980 ldns_key_set_use(ldns_key_list_key(keys, i), v);
985 ldns_key_list_set_key_count(ldns_key_list *key, size_t count)
987 key->_key_count = count;
991 ldns_key_list_push_key(ldns_key_list *key_list, ldns_key *key)
996 key_count = ldns_key_list_key_count(key_list);
997 keys = key_list->_keys;
1000 keys = LDNS_XREALLOC(
1001 key_list->_keys, ldns_key *, key_count + 1);
1006 /* add the new member */
1007 key_list->_keys = keys;
1008 key_list->_keys[key_count] = key;
1010 ldns_key_list_set_key_count(key_list, key_count + 1);
1015 ldns_key_list_pop_key(ldns_key_list *key_list)
1024 key_count = ldns_key_list_key_count(key_list);
1025 if (key_count == 0) {
1029 pop = ldns_key_list_key(key_list, key_count);
1031 /* shrink the array */
1032 key_list->_keys = LDNS_XREALLOC(
1033 key_list->_keys, ldns_key *, key_count - 1);
1035 ldns_key_list_set_key_count(key_list, key_count - 1);
1042 ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size)
1050 if (BN_num_bytes(k->e) <= 256) {
1051 /* normally only this path is executed (small factors are
1054 data[0] = (unsigned char) BN_num_bytes(k->e);
1055 i = BN_bn2bin(k->e, data + 1);
1056 j = BN_bn2bin(k->n, data + i + 1);
1057 *size = (uint16_t) i + j;
1058 } else if (BN_num_bytes(k->e) <= 65536) {
1060 /* BN_bn2bin does bigendian, _uint16 also */
1061 ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(k->e));
1063 BN_bn2bin(k->e, data + 3);
1064 BN_bn2bin(k->n, data + 4 + BN_num_bytes(k->e));
1065 *size = (uint16_t) BN_num_bytes(k->n) + 6;
1073 ldns_key_dsa2bin(unsigned char *data, DSA *k, uint16_t *size)
1082 *size = (uint16_t)BN_num_bytes(k->g);
1083 T = (*size - 64) / 8;
1084 memcpy(data, &T, 1);
1087 fprintf(stderr, "DSA key with T > 8 (ie. > 1024 bits)");
1088 fprintf(stderr, " not implemented\n");
1092 /* size = 64 + (T * 8); */
1093 data[0] = (unsigned char)T;
1094 BN_bn2bin(k->q, data + 1 ); /* 20 octects */
1095 BN_bn2bin(k->p, data + 21 ); /* offset octects */
1096 BN_bn2bin(k->g, data + 21 + *size); /* offset octets */
1097 BN_bn2bin(k->pub_key, data + 21 + *size + *size); /* offset octets */
1098 *size = 21 + (*size * 3);
1104 ldns_key_gost2bin(unsigned char* data, EVP_PKEY* k, uint16_t* size)
1107 unsigned char* pp = NULL;
1108 if(i2d_PUBKEY(k, &pp) != 37 + 64) {
1109 /* expect 37 byte(ASN header) and 64 byte(X and Y) */
1113 /* omit ASN header */
1114 /* insert parameters */
1118 data[i+2] = pp[i+37];
1123 #endif /* USE_GOST */
1124 #endif /* HAVE_SSL */
1127 ldns_key2rr(const ldns_key *k)
1129 /* this function will convert a the keydata contained in
1130 * rsa/dsa pointers to a DNSKEY rr. It will fill in as
1131 * much as it can, but it does not know about key-flags
1136 unsigned char *bin = NULL;
1141 #endif /* HAVE_SSL */
1142 int internal_data = 0;
1144 pubkey = ldns_rr_new();
1149 switch (ldns_key_algorithm(k)) {
1150 case LDNS_SIGN_HMACMD5:
1151 case LDNS_SIGN_HMACSHA1:
1152 case LDNS_SIGN_HMACSHA256:
1153 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_KEY);
1156 ldns_rr_set_type(pubkey, LDNS_RR_TYPE_DNSKEY);
1159 /* zero-th rdf - flags */
1160 ldns_rr_push_rdf(pubkey,
1161 ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
1162 ldns_key_flags(k)));
1164 ldns_rr_push_rdf(pubkey,
1165 ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8, LDNS_DNSSEC_KEYPROTO));
1167 if (ldns_key_pubkey_owner(k)) {
1168 ldns_rr_set_owner(pubkey, ldns_rdf_clone(ldns_key_pubkey_owner(k)));
1171 /* third - da algorithm */
1172 switch(ldns_key_algorithm(k)) {
1175 case LDNS_RSASHA1_NSEC3:
1176 case LDNS_RSASHA256:
1177 case LDNS_RSASHA512:
1178 ldns_rr_push_rdf(pubkey,
1179 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1181 rsa = ldns_key_rsa_key(k);
1183 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1187 if (!ldns_key_rsa2bin(bin, rsa, &size)) {
1197 ldns_rr_push_rdf(pubkey,
1198 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA));
1200 dsa = ldns_key_dsa_key(k);
1202 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1206 if (!ldns_key_dsa2bin(bin, dsa, &size)) {
1212 #endif /* HAVE_SSL */
1214 case LDNS_DSA_NSEC3:
1215 ldns_rr_push_rdf(pubkey,
1216 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG, LDNS_DSA_NSEC3));
1218 dsa = ldns_key_dsa_key(k);
1220 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1224 if (!ldns_key_dsa2bin(bin, dsa, &size)) {
1230 #endif /* HAVE_SSL */
1232 case LDNS_SIGN_GOST:
1233 ldns_rr_push_rdf(pubkey, ldns_native2rdf_int8(
1234 LDNS_RDF_TYPE_ALG, ldns_key_algorithm(k)));
1235 #if defined(HAVE_SSL) && defined(USE_GOST)
1236 bin = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN);
1239 if (!ldns_key_gost2bin(bin, k->_key.key, &size)) {
1244 #endif /* HAVE_SSL and USE_GOST */
1245 case LDNS_SIGN_HMACMD5:
1246 case LDNS_SIGN_HMACSHA1:
1247 case LDNS_SIGN_HMACSHA256:
1248 bin = LDNS_XMALLOC(unsigned char, ldns_key_hmac_size(k));
1252 ldns_rr_push_rdf(pubkey,
1253 ldns_native2rdf_int8(LDNS_RDF_TYPE_ALG,
1254 ldns_key_algorithm(k)));
1255 size = ldns_key_hmac_size(k);
1256 memcpy(bin, ldns_key_hmac_key(k), size);
1260 /* fourth the key bin material */
1261 if (internal_data) {
1262 keybin = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, size, bin);
1264 ldns_rr_push_rdf(pubkey, keybin);
1270 ldns_key_free(ldns_key *key)
1276 ldns_key_deep_free(ldns_key *key)
1278 if (ldns_key_pubkey_owner(key)) {
1279 ldns_rdf_deep_free(ldns_key_pubkey_owner(key));
1282 if (ldns_key_evp_key(key)) {
1283 EVP_PKEY_free(ldns_key_evp_key(key));
1285 #endif /* HAVE_SSL */
1286 if (ldns_key_hmac_key(key)) {
1287 free(ldns_key_hmac_key(key));
1293 ldns_key_list_free(ldns_key_list *key_list)
1296 for (i = 0; i < ldns_key_list_key_count(key_list); i++) {
1297 ldns_key_deep_free(ldns_key_list_key(key_list, i));
1299 LDNS_FREE(key_list->_keys);
1300 LDNS_FREE(key_list);
1304 ldns_read_anchor_file(const char *filename)
1307 /*char line[LDNS_MAX_PACKETLEN];*/
1308 char *line = LDNS_XMALLOC(char, LDNS_MAX_PACKETLEN);
1314 fp = fopen(filename, "r");
1316 fprintf(stderr, "Unable to open %s: %s\n", filename, strerror(errno));
1321 while ((c = fgetc(fp)) && i < LDNS_MAX_PACKETLEN && c != EOF) {
1330 fprintf(stderr, "nothing read from %s", filename);
1334 status = ldns_rr_new_frm_str(&r, line, 0, NULL, NULL);
1335 if (status == LDNS_STATUS_OK && (ldns_rr_get_type(r) == LDNS_RR_TYPE_DNSKEY || ldns_rr_get_type(r) == LDNS_RR_TYPE_DS)) {
1339 fprintf(stderr, "Error creating DNSKEY or DS rr from %s: %s\n", filename, ldns_get_errorstr_by_id(status));
1347 ldns_key_get_file_base_name(ldns_key *key)
1349 ldns_buffer *buffer;
1350 char *file_base_name;
1352 buffer = ldns_buffer_new(255);
1353 ldns_buffer_printf(buffer, "K");
1354 (void)ldns_rdf2buffer_str_dname(buffer, ldns_key_pubkey_owner(key));
1355 ldns_buffer_printf(buffer,
1357 ldns_key_algorithm(key),
1358 ldns_key_keytag(key));
1359 file_base_name = strdup(ldns_buffer_export(buffer));
1360 ldns_buffer_free(buffer);
1361 return file_base_name;
1364 int ldns_key_algo_supported(int algo)
1366 ldns_lookup_table *lt = ldns_signing_algorithms;