7 * a Net::DNS like library for C
9 * (c) NLnet Labs, 2005-2006
11 * See the file LICENSE for the license
17 * Addendum to \ref dnssec.h, this module contains key and algorithm definitions and functions.
24 #include <ldns/common.h>
25 #if LDNS_BUILD_CONFIG_HAVE_SSL
26 #include <openssl/ssl.h>
27 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
28 #include <ldns/dnssec.h>
29 #include <ldns/util.h>
36 extern ldns_lookup_table ldns_signing_algorithms[];
38 #define LDNS_KEY_ZONE_KEY 0x0100 /* rfc 4034 */
39 #define LDNS_KEY_SEP_KEY 0x0001 /* rfc 4034 */
40 #define LDNS_KEY_REVOKE_KEY 0x0080 /* rfc 5011 */
43 * Algorithms used in dns
45 enum ldns_enum_algorithm
47 LDNS_RSAMD5 = 1, /* RFC 4034,4035 */
53 LDNS_RSASHA1_NSEC3 = 7,
54 LDNS_RSASHA256 = 8, /* RFC 5702 */
55 LDNS_RSASHA512 = 10, /* RFC 5702 */
56 LDNS_ECC_GOST = 12, /* RFC 5933 */
57 #if LDNS_BUILD_CONFIG_USE_ECDSA
58 /* this ifdef has to be removed once it is no longer experimental,
59 * to be able to use these values outside of the ldns library itself */
60 LDNS_ECDSAP256SHA256 = 13, /* draft-hoffman-dnssec-ecdsa */
61 LDNS_ECDSAP384SHA384 = 14, /* EXPERIMENTAL */
64 LDNS_PRIVATEDNS = 253,
67 typedef enum ldns_enum_algorithm ldns_algorithm;
70 * Hashing algorithms used in the DS record
74 LDNS_SHA1 = 1, /* RFC 4034 */
75 LDNS_SHA256 = 2, /* RFC 4509 */
76 LDNS_HASH_GOST = 3 /* RFC 5933 */
77 #if LDNS_BUILD_CONFIG_USE_ECDSA
78 /* this ifdef has to be removed once it is no longer experimental,
79 * to be able to use these values outside of the ldns library itself */
80 ,LDNS_SHA384 = 4 /* draft-hoffman-dnssec-ecdsa EXPERIMENTAL */
83 typedef enum ldns_enum_hash ldns_hash;
86 * Algorithms used in dns for signing
88 enum ldns_enum_signing_algorithm
90 LDNS_SIGN_RSAMD5 = LDNS_RSAMD5,
91 LDNS_SIGN_RSASHA1 = LDNS_RSASHA1,
92 LDNS_SIGN_DSA = LDNS_DSA,
93 LDNS_SIGN_RSASHA1_NSEC3 = LDNS_RSASHA1_NSEC3,
94 LDNS_SIGN_RSASHA256 = LDNS_RSASHA256,
95 LDNS_SIGN_RSASHA512 = LDNS_RSASHA512,
96 LDNS_SIGN_DSA_NSEC3 = LDNS_DSA_NSEC3,
97 LDNS_SIGN_ECC_GOST = LDNS_ECC_GOST,
98 #if LDNS_BUILD_CONFIG_USE_ECDSA
99 /* this ifdef has to be removed once it is no longer experimental,
100 * to be able to use these values outside of the ldns library itself */
101 LDNS_SIGN_ECDSAP256SHA256 = LDNS_ECDSAP256SHA256,
102 LDNS_SIGN_ECDSAP384SHA384 = LDNS_ECDSAP384SHA384,
104 LDNS_SIGN_HMACMD5 = 157, /* not official! This type is for TSIG, not DNSSEC */
105 LDNS_SIGN_HMACSHA1 = 158, /* not official! This type is for TSIG, not DNSSEC */
106 LDNS_SIGN_HMACSHA256 = 159 /* ditto */
108 typedef enum ldns_enum_signing_algorithm ldns_signing_algorithm;
111 * General key structure, can contain all types of keys that
112 * are used in DNSSEC. Mostly used to store private keys, since
113 * public keys can also be stored in a \ref ldns_rr with type
114 * \ref LDNS_RR_TYPE_DNSKEY.
116 * This structure can also store some variables that influence the
117 * signatures generated by signing with this key, for instance the
120 struct ldns_struct_key {
121 ldns_signing_algorithm _alg;
122 /** Whether to use this key when signing */
124 /** Storage pointers for the types of keys supported */
125 /* TODO remove unions? */
127 #if LDNS_BUILD_CONFIG_HAVE_SSL
129 /* The key can be an OpenSSL EVP Key
133 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
135 * The key can be an HMAC key
141 /** the key structure can also just point to some external
146 /** Depending on the key we can have extra data */
148 /** Some values that influence generated signatures */
150 /** The TTL of the rrset that is currently signed */
152 /** The inception date of signatures made with this key. */
154 /** The expiration date of signatures made with this key. */
156 /** The keytag of this key. */
158 /** The dnssec key flags as specified in RFC4035, like ZSK and KSK */
162 /** Owner name of the key */
163 ldns_rdf *_pubkey_owner;
165 typedef struct ldns_struct_key ldns_key;
168 * Same as rr_list, but now for keys
170 struct ldns_struct_key_list
175 typedef struct ldns_struct_key_list ldns_key_list;
179 * Creates a new empty key list
180 * \return a new ldns_key_list structure pointer
182 ldns_key_list *ldns_key_list_new();
185 * Creates a new empty key structure
186 * \return a new ldns_key * structure
188 ldns_key *ldns_key_new();
191 * Creates a new key based on the algorithm
193 * \param[in] a The algorithm to use
194 * \param[in] size the number of bytes for the keysize
195 * \return a new ldns_key structure with the key
197 ldns_key *ldns_key_new_frm_algorithm(ldns_signing_algorithm a, uint16_t size);
200 * Creates a new priv key based on the
201 * contents of the file pointed by fp.
203 * The file should be in Private-key-format v1.2.
205 * \param[out] k the new ldns_key structure
206 * \param[in] fp the file pointer to use
207 * \return an error or LDNS_STATUS_OK
209 ldns_status ldns_key_new_frm_fp(ldns_key **k, FILE *fp);
212 * Creates a new private key based on the
213 * contents of the file pointed by fp
215 * The file should be in Private-key-format v1.2.
217 * \param[out] k the new ldns_key structure
218 * \param[in] fp the file pointer to use
219 * \param[in] line_nr pointer to an integer containing the current line number (for debugging purposes)
220 * \return an error or LDNS_STATUS_OK
222 ldns_status ldns_key_new_frm_fp_l(ldns_key **k, FILE *fp, int *line_nr);
224 #if LDNS_BUILD_CONFIG_HAVE_SSL
226 * Read the key with the given id from the given engine and store it
227 * in the given ldns_key structure. The algorithm type is set
229 ldns_status ldns_key_new_frm_engine(ldns_key **key, ENGINE *e, char *key_id, ldns_algorithm);
233 * frm_fp helper function. This function parses the
234 * remainder of the (RSA) priv. key file generated from bind9
235 * \param[in] fp the file to parse
236 * \return NULL on failure otherwise a RSA structure
238 RSA *ldns_key_new_frm_fp_rsa(FILE *fp);
239 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
241 #if LDNS_BUILD_CONFIG_HAVE_SSL
243 * frm_fp helper function. This function parses the
244 * remainder of the (RSA) priv. key file generated from bind9
245 * \param[in] fp the file to parse
246 * \param[in] line_nr pointer to an integer containing the current line number (for debugging purposes)
247 * \return NULL on failure otherwise a RSA structure
249 RSA *ldns_key_new_frm_fp_rsa_l(FILE *fp, int *line_nr);
250 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
252 #if LDNS_BUILD_CONFIG_HAVE_SSL
254 * frm_fp helper function. This function parses the
255 * remainder of the (DSA) priv. key file
256 * \param[in] fp the file to parse
257 * \return NULL on failure otherwise a RSA structure
259 DSA *ldns_key_new_frm_fp_dsa(FILE *fp);
260 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
262 #if LDNS_BUILD_CONFIG_HAVE_SSL
264 * frm_fp helper function. This function parses the
265 * remainder of the (DSA) priv. key file
266 * \param[in] fp the file to parse
267 * \param[in] line_nr pointer to an integer containing the current line number (for debugging purposes)
268 * \return NULL on failure otherwise a RSA structure
270 DSA *ldns_key_new_frm_fp_dsa_l(FILE *fp, int *line_nr);
271 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
273 #if LDNS_BUILD_CONFIG_HAVE_SSL
275 * frm_fp helper function. This function parses the
276 * remainder of the (HMAC-MD5) key file
277 * This function allocated a buffer that needs to be freed
278 * \param[in] fp the file to parse
279 * \param[out] hmac_size the number of bits in the resulting buffer
280 * \return NULL on failure otherwise a newly allocated char buffer
282 unsigned char *ldns_key_new_frm_fp_hmac(FILE *fp, size_t *hmac_size);
285 #if LDNS_BUILD_CONFIG_HAVE_SSL
287 * frm_fp helper function. This function parses the
288 * remainder of the (HMAC-MD5) key file
289 * This function allocated a buffer that needs to be freed
290 * \param[in] fp the file to parse
291 * \param[in] line_nr pointer to an integer containing the current line number (for error reporting purposes)
292 * \param[out] hmac_size the number of bits in the resulting buffer
293 * \return NULL on failure otherwise a newly allocated char buffer
295 unsigned char *ldns_key_new_frm_fp_hmac_l(FILE *fp, int *line_nr, size_t *hmac_size);
296 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
298 /* acces write functions */
300 * Set the key's algorithm
301 * \param[in] k the key
302 * \param[in] l the algorithm
304 void ldns_key_set_algorithm(ldns_key *k, ldns_signing_algorithm l);
305 #if LDNS_BUILD_CONFIG_HAVE_SSL
307 * Set the key's evp key
308 * \param[in] k the key
309 * \param[in] e the evp key
311 void ldns_key_set_evp_key(ldns_key *k, EVP_PKEY *e);
314 * Set the key's rsa data
315 * \param[in] k the key
316 * \param[in] r the rsa data
318 void ldns_key_set_rsa_key(ldns_key *k, RSA *r);
320 * Set the key's dsa data
321 * \param[in] k the key
322 * \param[in] d the dsa data
324 void ldns_key_set_dsa_key(ldns_key *k, DSA *d);
327 * Get the PKEY id for GOST, loads GOST into openssl as a side effect.
328 * Only available if GOST is compiled into the library and openssl.
329 * \return the gost id for EVP_CTX creation.
331 int ldns_key_EVP_load_gost_id(void);
333 /** Release the engine reference held for the GOST engine. */
334 void ldns_key_EVP_unload_gost(void);
335 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
338 * Set the key's hmac data
339 * \param[in] k the key
340 * \param[in] hmac the raw key data
342 void ldns_key_set_hmac_key(ldns_key *k, unsigned char *hmac);
345 * Set the key id data. This is used if the key points to
346 * some externally stored key data
348 * Only the pointer is set, the data there is not copied,
349 * and must be freed manually; ldns_key_deep_free() does
350 * *not* free this data
351 * \param[in] key the key
352 * \param[in] external_key key id data
354 void ldns_key_set_external_key(ldns_key *key, void *external_key);
357 * Set the key's hmac size
358 * \param[in] k the key
359 * \param[in] hmac_size the size of the hmac data
361 void ldns_key_set_hmac_size(ldns_key *k, size_t hmac_size);
363 * Set the key's original ttl
364 * \param[in] k the key
365 * \param[in] t the ttl
367 void ldns_key_set_origttl(ldns_key *k, uint32_t t);
369 * Set the key's inception date (seconds after epoch)
370 * \param[in] k the key
371 * \param[in] i the inception
373 void ldns_key_set_inception(ldns_key *k, uint32_t i);
375 * Set the key's expiration date (seconds after epoch)
376 * \param[in] k the key
377 * \param[in] e the expiration
379 void ldns_key_set_expiration(ldns_key *k, uint32_t e);
381 * Set the key's pubkey owner
382 * \param[in] k the key
383 * \param[in] r the owner
385 void ldns_key_set_pubkey_owner(ldns_key *k, ldns_rdf *r);
387 * Set the key's key tag
388 * \param[in] k the key
389 * \param[in] tag the keytag
391 void ldns_key_set_keytag(ldns_key *k, uint16_t tag);
393 * Set the key's flags
394 * \param[in] k the key
395 * \param[in] flags the flags
397 void ldns_key_set_flags(ldns_key *k, uint16_t flags);
399 * Set the keylist's key count to count
400 * \param[in] key the key
401 * \param[in] count the cuont
403 void ldns_key_list_set_key_count(ldns_key_list *key, size_t count);
406 * pushes a key to a keylist
407 * \param[in] key_list the key_list to push to
408 * \param[in] key the key to push
409 * \return false on error, otherwise true
411 bool ldns_key_list_push_key(ldns_key_list *key_list, ldns_key *key);
414 * returns the number of keys in the key list
415 * \param[in] key_list the key_list
416 * \return the numbers of keys in the list
418 size_t ldns_key_list_key_count(const ldns_key_list *key_list);
421 * returns a pointer to the key in the list at the given position
422 * \param[in] key the key
423 * \param[in] nr the position in the list
426 ldns_key *ldns_key_list_key(const ldns_key_list *key, size_t nr);
428 #if LDNS_BUILD_CONFIG_HAVE_SSL
430 * returns the (openssl) RSA struct contained in the key
431 * \param[in] k the key to look in
432 * \return the RSA * structure in the key
434 RSA *ldns_key_rsa_key(const ldns_key *k);
436 * returns the (openssl) EVP struct contained in the key
437 * \param[in] k the key to look in
438 * \return the RSA * structure in the key
440 EVP_PKEY *ldns_key_evp_key(const ldns_key *k);
441 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
444 * returns the (openssl) DSA struct contained in the key
446 #if LDNS_BUILD_CONFIG_HAVE_SSL
447 DSA *ldns_key_dsa_key(const ldns_key *k);
448 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
451 * return the signing alg of the key
452 * \param[in] k the key
453 * \return the algorithm
455 ldns_signing_algorithm ldns_key_algorithm(const ldns_key *k);
458 * \param[in] k the key
459 * \param[in] v the boolean value to set the _use field to
461 void ldns_key_set_use(ldns_key *k, bool v);
463 * return the use flag
464 * \param[in] k the key
465 * \return the boolean value of the _use field
467 bool ldns_key_use(const ldns_key *k);
469 * return the hmac key data
470 * \param[in] k the key
471 * \return the hmac key data
473 unsigned char *ldns_key_hmac_key(const ldns_key *k);
475 * return the key id key data
476 * \param[in] k the key
477 * \return the key id data
479 void *ldns_key_external_key(const ldns_key *k);
481 * return the hmac key size
482 * \param[in] k the key
483 * \return the hmac key size
485 size_t ldns_key_hmac_size(const ldns_key *k);
487 * return the original ttl of the key
488 * \param[in] k the key
489 * \return the original ttl
491 uint32_t ldns_key_origttl(const ldns_key *k);
493 * return the key's inception date
494 * \param[in] k the key
495 * \return the inception date
497 uint32_t ldns_key_inception(const ldns_key *k);
499 * return the key's expiration date
500 * \param[in] k the key
501 * \return the experiration date
503 uint32_t ldns_key_expiration(const ldns_key *k);
506 * \param[in] k the key
509 uint16_t ldns_key_keytag(const ldns_key *k);
511 * return the public key's owner
512 * \param[in] k the key
515 ldns_rdf *ldns_key_pubkey_owner(const ldns_key *k);
517 * Set the 'use' flag for all keys in the list
518 * \param[in] keys The key_list
519 * \param[in] v The value to set the use flags to
522 ldns_key_list_set_use(ldns_key_list *keys, bool v);
525 * return the flag of the key
526 * \param[in] k the key
529 uint16_t ldns_key_flags(const ldns_key *k);
532 * pops the last rr from a keylist
533 * \param[in] key_list the rr_list to pop from
534 * \return NULL if nothing to pop. Otherwise the popped RR
536 ldns_key *ldns_key_list_pop_key(ldns_key_list *key_list);
539 * converts a ldns_key to a public key rr
540 * If the key data exists at an external point, the corresponding
541 * rdata field must still be added with ldns_rr_rdf_push() to the
542 * result rr of this function
544 * \param[in] k the ldns_key to convert
545 * \return ldns_rr representation of the key
547 ldns_rr *ldns_key2rr(const ldns_key *k);
550 * print a private key to the file ouput
552 * \param[in] output the FILE descriptor where to print to
553 * \param[in] k the ldns_key to print
555 void ldns_key_print(FILE *output, const ldns_key *k);
558 * frees a key structure, but not its internal data structures
560 * \param[in] key the key object to free
562 void ldns_key_free(ldns_key *key);
565 * frees a key structure and all its internal data structures, except
566 * the data set by ldns_key_set_external_key()
568 * \param[in] key the key object to free
570 void ldns_key_deep_free(ldns_key *key);
573 * Frees a key list structure
574 * \param[in] key_list the key list object to free
576 void ldns_key_list_free(ldns_key_list *key_list);
579 * Instantiates a DNSKEY or DS RR from file.
580 * \param[in] filename the file to read the record from
581 * \return the corresponding RR, or NULL if the parsing failed
583 ldns_rr * ldns_read_anchor_file(const char *filename);
586 * Returns the 'default base name' for key files;
587 * IE. K\<zone\>+\<alg\>+\<keytag\>
588 * (without the .key or .private)
589 * The memory for this is allocated by this function,
590 * and should be freed by the caller
592 * \param[in] key the key to get the file name from
593 * \returns A string containing the file base name
595 char *ldns_key_get_file_base_name(ldns_key *key);
598 * See if a key algorithm is supported
599 * \param[in] algo the signing algorithm number.
600 * \returns true if supported.
602 int ldns_key_algo_supported(int algo);
605 * Get signing algorithm by name. Comparison is case insensitive.
606 * \param[in] name string with the name.
607 * \returns 0 on parse failure or the algorithm number.
609 ldns_signing_algorithm ldns_get_signing_algorithm_by_name(const char* name);
615 #endif /* LDNS_KEYS_H */